Valid Email Addresses - XSS and SQL Injection

Question

Since there are so many valid characters for email addresses, are there any valid email addresses that can in themselves be XSS attacks or SQL injections? I cou

Answer 1

/^[a-z0-9.-_+]@[a-z0-9.-]$/i

i think that matches like 99.9999% of all emails addresses ;)

Answer 2

Spaces are allowed if they are enclosed in quotes, however, so "'OR 1=1--"@gmail.com is a valid e-mail address. Also, it's probably less of a concern, but technically speaking, these are both valid e-mail addresses:

' BAD SQL STUFF -- <fake@ryanbrunner.com>
fake@ryanbrunner.com (' BAD SQL STUFF --)

Even if this wasn't possible, there's still no reason that you shouldn't be using paramaterized queries and encoding all user-inputted data displayed to users.