Valid Email Addresses - XSS and SQL Injection

前端 未结 2 2220
生来不讨喜
生来不讨喜 2021-02-19 13:48

Since there are so many valid characters for email addresses, are there any valid email addresses that can in themselves be XSS attacks or SQL injections? I cou

相关标签:
2条回答
  • 2021-02-19 14:26
    /^[a-z0-9.-_+]@[a-z0-9.-]$/i
    

    i think that matches like 99.9999% of all emails addresses ;)

    0 讨论(0)
  • 2021-02-19 14:30

    Spaces are allowed if they are enclosed in quotes, however, so "'OR 1=1--"@gmail.com is a valid e-mail address. Also, it's probably less of a concern, but technically speaking, these are both valid e-mail addresses:

    ' BAD SQL STUFF -- <fake@ryanbrunner.com>
    fake@ryanbrunner.com (' BAD SQL STUFF --)
    

    Even if this wasn't possible, there's still no reason that you shouldn't be using paramaterized queries and encoding all user-inputted data displayed to users.

    0 讨论(0)
提交回复
热议问题