stackoom
  简体   繁体   中英

Does PHP's FILTER_VALIDATE_EMAIL provide adequate security?

 原文  2012-05-03 14:23:19       php/ security

Question

I have a page where I want to accept an email address in the GET parameters. If I use FILTER_VALIDATE_EMAIL , am I still vulnerable to xss and javascript injection attacks, and the like?

I'm not asking if it's a good, or good enough, validator of email addresses. I want to know if one can still inject bad web code through arbitrary strings passed through it -- do I need to do additional filtering to prevent that?

2 answers

solution1
 9 ACCPTED  2012-05-03 14:31:37

Yes, a valid email address can easily be used as the container for some carefully crafted strings that can be used to attack you.

Get out of the "filtering" mindset and get into the "escaping" mindset. A universal "make it safe" filter simply doesn't exist. It cannot exist, because all escaping must be done in a context-specific manner.

For example, if the email address will be output to a plain text document, then nothing is needed to be done. If it's being output into an html document, as a text node, then it needs to be escaped for an html context, so escape html special characters and entities. If it's being put into an html document, and it's value will be inside of an html attribute, then very very careful escaping would need to be performed, and it would depend on which html attribute. If it's being used in an sql query, then it needs to be escaped via a database specific escaping function, and even then you must escape differently if you're using it as a parameter value (ie, where someColumn = '$paramVal' ), vs a symbol name like a table name, a column name (ie, order by $myEscapedColumnName DESC ). and so on.

It's all about context of use, not content of the string. This goes for everything (not just emails or other user input), and it's not just a matter of security, but it's a matter of programming and syntax correctness. Proper escaping is complicated, and takes a lot of time to learn, and careful thought and consideration when you code. Many coders don't bother doing it due to the effort, and they are the ones who cause the company to get hacked.

fyi, the email address spec allows quoted strings, so something you could inject strings like "<script>alert('xss')</script>"@example.com . The possibilities are obvious.

solution2
 2  2012-05-03 14:25:06

这应该已经足够好了,但自然地,在将它输入到数据库等时,您仍然应该逃脱它。您永远不知道 PHP 或 Apache 等中可能存在什么样的错误,无论如何都可能允许攻击发生。

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Does PHP's filter_var FILTER_VALIDATE_EMAIL actually work? PHP FILTER_VALIDATE_EMAIL does not work correctly “The connection was reset” on FILTER_VALIDATE_EMAIL with php PHP FILTER_VALIDATE_EMAIL max length Error with FILTER_VALIDATE_EMAIL FILTER_VALIDATE_EMAIL not working php email validation (filter_validate_email) Not Working Does FILTER_VALIDATE_EMAIL make a string safe for insertion in database? Is there any built in function in javascript/jquery to filter email like php's function (!filter_var($variablePassed, FILTER_VALIDATE_EMAIL)) Can't get PHP FILTER_VALIDATE_EMAIL to work
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM