473,381 Members | 1,630 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,381 software developers and data experts.

email validation: just enough to prevent sql injection

Hello everyone,

I've read enough about email validation to know that the only real
validation is having a user respond to a confirmation message you've
sent them. However, I want to store the address temporarily, so I want
to make sure what is entered is safe to work with. I have a basic
understanding of regexps, so I could write one that checks for a simple
format like: something followed by @ followed by something followed by
.. followed by something. I can also make a good guess at understanding
the regexps I come across in validation schemes people have posted.
However, each scheme that is posted seems to get criticized for
invalidating some esoteric, but valid, addresses.

I'm wondering if there is a minimum validation you can do that will
prevent basic attacks like sql injection attacks. For example, if I
weed out anything with single and double quotes, and semicolons, am I
barring some people unnecessarily? Seems like you'd be trying to mess
with people by putting a semicolon in your email address.

I know there are other steps to take in preventing attacks. Every
layer helps, though, so I'd like to do some reasonable email validation.

Oct 28 '06 #1
7 3001
e_*******@hotmail.com wrote:
Hello everyone,

I've read enough about email validation to know that the only real
validation is having a user respond to a confirmation message you've
sent them. However, I want to store the address temporarily, so I want
to make sure what is entered is safe to work with. I have a basic
understanding of regexps, so I could write one that checks for a simple
format like: something followed by @ followed by something followed by
. followed by something. I can also make a good guess at understanding
the regexps I come across in validation schemes people have posted.
However, each scheme that is posted seems to get criticized for
invalidating some esoteric, but valid, addresses.

I'm wondering if there is a minimum validation you can do that will
prevent basic attacks like sql injection attacks. For example, if I
weed out anything with single and double quotes, and semicolons, am I
barring some people unnecessarily? Seems like you'd be trying to mess
with people by putting a semicolon in your email address.

I know there are other steps to take in preventing attacks. Every
layer helps, though, so I'd like to do some reasonable email validation.
You can do this validation in JavaScript but a hacker will know how to
turn JavaScript off or otherwise send data to your server. No matter
what test you decide on, you will have to repeat this test on the
server.

Peter

Oct 28 '06 #2
Lee
e_*******@hotmail.com said:
>I'm wondering if there is a minimum validation you can do that will
prevent basic attacks like sql injection attacks. For example, if I
weed out anything with single and double quotes, and semicolons, am I
barring some people unnecessarily? Seems like you'd be trying to mess
with people by putting a semicolon in your email address.

I know there are other steps to take in preventing attacks. Every
layer helps, though, so I'd like to do some reasonable email validation.
"Every layer helps" sounds good, but isn't really true.
Testing for the same violation twice doesn't make you more likely
to catch it. Client-side validation adds nothing at all to
protect you if you also have server-side validation in place.

The only valid purpose for client-side validation is for the
convenience of the user, to let them know immediately if they've
accidentally entered bad data. Having them enter their address
twice is probably good enough for that. If they mistype it wrong
twice, let them wait to find out about their mistake from your
server-side code.

Consider also that the malicious user can look at your client-side
code to see what you have, and have not, thought of, increasing his
chances of defeating your server-side validation.
--

Oct 28 '06 #3
e_*******@hotmail.com wrote:
I know there are other steps to take in preventing attacks. Every
layer helps, though, so I'd like to do some reasonable email validation.
Your best bet is to do simple validation on the client-side.

For example, you could limit it to 64 characters. Require that there
is an @ sign.

Then, on the server side, use prepared statements to store the email
address, as that will help protect against sql injection.

If you want to be more paranoid, on the server-side, just randomly
generate a number. Append that to the start of the email address, then
do XOR on the rest of the string, where the first letter (randomly
generated) is XORd with the second, the second with the third, and so
on.

This would help change the string enough to where the attack would
fail, as the hacker has no idea what you use on the server for the XOR.

Good luck. :)

Oct 28 '06 #4
Thank you! That clarifies my thinking about client-side validation. I
appreciate it.

Eric

Oct 29 '06 #5
e_*******@hotmail.com wrote:
I've read enough about email validation to know that the only real
validation is having a user respond to a confirmation message you've
sent them.
Yes. A syntactically valid address may not exist.
However, I want to store the address temporarily, so I want to make
sure what is entered is safe to work with.
How does validation help with that? A valid e-mail address that, if used
as-is, may play havoc with a SQL statement is still valid. What would
you tell the user? "Sorry, but your e-mail address would break my
database?" That's hardly reasonable.

What you need to focus on is making a valid address safe, not limiting
what is considered valid. The address will be included in SQL statements
as a quoted literal, yes? So, only other quotes should cause problems
and these can be escaped (two consecutive quotes, or a preceding
backslash, depending on DBMS).

The API for your database client library should include a function that
will escape input such that it won't interfere with an SQL statement.
Some query functions may avoid SQL injection by separating parameters
from the SQL statement itself, thereby preventing values from altering
the structure of that statement. The documentation for your DBMS will
provide more information.

[snip]

Mike
Oct 29 '06 #6
e_*******@hotmail.com wrote:
Thank you! That clarifies my thinking about client-side validation. I
appreciate it.

Eric
You can totally avoid SQL injection by using a PreparedStatement

(If you have the advantage of being able to use Java and JDBC)
Oct 29 '06 #7
I have read about prepared statements and escaping input, but have not
done that coding yet. I'll ask in the appropriate groups if I have
questions when I get to that point. Thanks again everyone, this really
helps to clarify what I should and should not be doing client-side.

Eric

Oct 29 '06 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
by: Marlon | last post by:
How can modify this expression \w+(\w+)*@\w+(\w+)*\.\w+(\w+)* to validate multiple email address separator by comma and/or semicolon e.g. someone@somedomain.com;someone2@somedomain.com
4
by: VbUser25 | last post by:
Hi Please suggest i think i am doing something wrong. I am calling fucntion test from another function where i am performing all the validations.I want to validate the email id. this is the...
1
by: Jim Dornbush | last post by:
Has anyone seen an updated regex expression from Microsoft for the email validation expression so that single quotes are allowed? I've been using the canned regex for emails, but recently been...
4
by: roohbir | last post by:
Hello, I need help with the following code. Would be very grateful for comments. I have a function called emailValid, and it is supposed to alert the user if h/she leaves the field blank. I want...
10
by: ll | last post by:
Hi, I currently am using the following regex in js for email validation, in which the email addresses can be separated by commas or semicolons. The problem, however, lies in that I can type two...
1
by: vimal.424 | last post by:
Hello guys........ please tell me ............. I want to do email validation like i have a userid entered by user new user.so problem is that i have to do the validation when i'll click...
1
by: shwethatj | last post by:
My problem is lik this , I am trying to create a registration form using javascript for a HR website , but i dont know how to provide password validation i.e the password and confirmation password...
1
by: curi444 | last post by:
How can i improve email validation in the code below? <?php $con = mysql_connect("localhost", "root", ""); if(isset($_POST)) { $name=$_POST; $address=$_POST; $phno=$_POST;
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...
0
by: ryjfgjl | last post by:
In our work, we often need to import Excel data into databases (such as MySQL, SQL Server, Oracle) for data analysis and processing. Usually, we use database tools like Navicat or the Excel import...
0
by: taylorcarr | last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
0
by: aa123db | last post by:
Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...
0
by: ryjfgjl | last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
0
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
0
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
0
BarryA
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.