Welcome to Geeklog, Anonymous Friday, March 29 2024 @ 08:32 am EDT

Geeklog Forums

Apostrophe in email address.


Anonymous

Anonymous
Hey...I have a problem when somebody tries to register on my site, and they have an apostrophe in their email address:eg: registering with an email address of: test.this'email@mydomain.com, results in the following error message in the browser (and in the log)1064: You have an error in your SQL syntax near 'email@mydomain.com'' at line 1 SQL in question: SELECT COUNT(*) FROM gl_users WHERE email = 'test.this'email@mydomain.com'Anybody else have this problem (and a fix)?...deon
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Hmm, Geeklog should actually prevent anyone from registering with such an email address ... bye, Dirk
 Quote

Status: offline

ScurvyDawg

Forum User
Full Member
Registered: 11/06/02
Posts: 523
An apostrophe is not a valid email character as far as I know. Hence, GL does not allow something it knows is invalid.
 Quote

Anonymous

Anonymous
This looks like a serious security threat. If what you report is true, then geeklog is passing unchecked text from the user directly to MySQL. You must always always always check user text and escape special characters, like the apostrophe which to SQL signals the end of a text string. What if instead of your example you had sent this as the email address: "test'; drop database mysql;" or something similarly sinister? Bad things.
 Quote

Status: offline

rawdata

Forum User
Full Member
Registered: 02/17/03
Posts: 236
Geeklog produces this error message when you try to use a bad email address in registering. Go ahead and test it out yourself using his example. Error The email address provided does not appear to be a valid email address It's very interesting that you think malicious code such as dropping a database can be executed when added to the where part of a SQL count statement and used for comparison with emails stored in the database. Why don't you give us an example where someone can actually execute malicious code for particular SQL statement in the where clause? I don't believe it can be done but go ahead and give an example that really works.
 Quote

Anonymous

Anonymous
OK - my geeklog is not stopping that then - where should I look to see if that part of the code is broken?
 Quote

Anonymous

Anonymous
Is that in an RFC somewhere? Which one? ...deon
 Quote

Anonymous

Anonymous
Hey Dirk, this error is caught in DB_count, BEFORE geeklog validates the email address via COM_isemail - should this change then? ...deon
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Where or how did you manage to enter that email address in the first place? If I try, I get the "... does not appear to be a valid email address" message. bye, Dirk
 Quote

Anonymous

Anonymous
I noticed that the search function also returns errors when there is an apostraphe. That might be a security risk as well. -Rob
 Quote

Status: offline

rawdata

Forum User
Full Member
Registered: 02/17/03
Posts: 236
Go ahead and post a working example where someone can execute malicious code in that particular SQL statement to support your allegation. If they can't, it's not a security risk.
 Quote

Anonymous

Anonymous
Have a look on my site www.tuganz.org. Its on the "New User" (left block), username (anything), email (with an apostrophe) and I get the 1064 SQL error. In users.php, it is calling a SELECT COUNT(*) to see how many usernames and email addresses exist before it validates the email address. Let me know if you find out something is broke.. Smile ...deon
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Yep, that's a bug - it should check for a valid email address first. Fixed in CVS ... bye, Dirk
 Quote

Me

Anonymous
RFC 2822 http://tools.ietf.org/html/rfc2822#section-3.4.1 Apostrophes are allowed.
 Quote

All times are EDT. The time is now 08:32 am.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content