FUDforum

FUDforum Development » Bug Reports
Apostrophe in e-mail address causes SQL failures. Possible vulnerability. [message #7594]
adamc (Australia), Thu, 05 December 2002 00:57
Apostrophe in e-mail address causes SQL failures on New Thread (at least).

The apostrophe is not being escaped properly in the SQL creation. This is possibly also evidence of an SQL injection vulnerability; however, I have not pursued this far enough to check yet.

An apostrophe is allowed in an e-mail address (e.g. Mike.O'Hara(at)test(dot)com) according to the relevant RFCs, so it should be accepted.
Re: Apostrophe in e-mail address causes SQL failures. Possible vulnerability. [message #7595, reply to #7594]
adamc (Australia), Thu, 05 December 2002 01:00
Note that the e-mail address parsing code also fails to recognise the e-mail address above as valid and therefore creates an incorrectly formed <A> tag for the address.
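Both points raised in the two posts above, shown together as an added example that is not FUDforum's code and not the poster's: an address whose local part contains an apostrophe breaks an INSERT built by string splicing, the same splicing turns a quote into an injection point on a lookup, and a validator that follows the RFC's dot-atom rule accepts the address so the mailto link is formed correctly. Python with an in-memory SQLite database stands in for the forum's PHP and MySQL; the `users` table, the sample addresses, the tautology probe and the regex are assumptions for this example only.

```python
import html
import re
import sqlite3

# Constructed sample inputs for this example (not taken from the original report).
SAMPLE_EMAIL = "Mike.O'Hara@example.com"   # RFC-valid local part containing an apostrophe
TAUTOLOGY_PROBE = "' OR '1'='1"            # generic quote-breaking probe, illustrative only


def setup_db():
    """Create an in-memory SQLite database with a minimal (assumed) users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    return conn


def insert_unsafe(conn, email):
    """Bug pattern from the report: the value is spliced into the SQL text unescaped."""
    conn.execute("INSERT INTO users (email) VALUES ('" + email + "')")


def insert_safe(conn, email):
    """Fix: bind the value as a parameter; the driver handles quoting."""
    conn.execute("INSERT INTO users (email) VALUES (?)", (email,))


def lookup_unsafe(conn, email):
    """Same splicing bug on a lookup: an attacker-controlled quote rewrites the WHERE clause."""
    cur = conn.execute("SELECT email FROM users WHERE email = '" + email + "' ORDER BY id")
    return [row[0] for row in cur.fetchall()]


def lookup_safe(conn, email):
    """Parameterised lookup: the probe is compared as a literal string and matches nothing."""
    cur = conn.execute("SELECT email FROM users WHERE email = ? ORDER BY id", (email,))
    return [row[0] for row in cur.fetchall()]


def unsafe_insert_raises(email):
    """True if the spliced INSERT fails with a SQL syntax error, as the report describes."""
    conn = setup_db()
    try:
        insert_unsafe(conn, email)
        return False
    except sqlite3.OperationalError:
        return True


def safe_roundtrip(email):
    """Store the address with a bound parameter and read it back unchanged."""
    conn = setup_db()
    insert_safe(conn, email)
    return [row[0] for row in conn.execute("SELECT email FROM users ORDER BY id")]


def injection_contrast():
    """Return (rows from the unsafe lookup, rows from the safe lookup) for the probe."""
    conn = setup_db()
    insert_safe(conn, "alice@example.com")
    insert_safe(conn, "bob@example.com")
    return lookup_unsafe(conn, TAUTOLOGY_PROBE), lookup_safe(conn, TAUTOLOGY_PROBE)


# Second issue in the thread: the validator must accept an apostrophe in the local part.
# RFC 5322 atext: letters, digits and ! # $ % & ' * + - / = ? ^ _ ` { | } ~ in dot-atom form.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
EMAIL_RE = re.compile(
    r"^" + ATEXT + r"+(?:\." + ATEXT + r"+)*@" + LABEL + r"(?:\." + LABEL + r")+$"
)


def is_valid_email(addr):
    """Dot-atom local part (apostrophe allowed) at a dotted hostname; quoted-string form is not handled."""
    return EMAIL_RE.fullmatch(addr) is not None


def mailto_link(addr):
    """Build the <a> tag only for a valid address, escaping it for the attribute context."""
    if not is_valid_email(addr):
        return None
    escaped = html.escape(addr, quote=True)   # ' becomes &#x27; so it cannot terminate the attribute
    return '<a href="mailto:' + escaped + '">' + escaped + "</a>"


if __name__ == "__main__":
    print("spliced INSERT raises:", unsafe_insert_raises(SAMPLE_EMAIL))
    print("bound INSERT round trip:", safe_roundtrip(SAMPLE_EMAIL))
    print("unsafe vs safe lookup:", injection_contrast())
    print("mailto:", mailto_link(SAMPLE_EMAIL))
```

The unsafe INSERT fails on `'Mike.O'Hara@example.com'` because the second quote ends the string literal early, which is the symptom the report describes; the same early termination is what lets the lookup probe add `OR '1'='1` to the WHERE clause. Binding the value fixes both, independent of how the address is validated. The regex deliberately covers only the dot-atom form, so addresses with a quoted local part are rejected rather than accepted by accident.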
Re: Apostrophe in e-mail address causes SQL failures. Possible vulnerability. [message #7596, reply to #7595]
Ilia (Canada), Administrator, Core Developer, Thu, 05 December 2002 01:13
Fixed in CVS.

FUDforum Core Developer