Apostrophe in email address.
Anonymous
Hey... I have a problem when somebody tries to register on my site, and they have an apostrophe in their email address. E.g., registering with an email address of test.this'email@mydomain.com results in the following error message in the browser (and in the log):
1064: You have an error in your SQL syntax near 'email@mydomain.com'' at line 1
SQL in question: SELECT COUNT(*) FROM gl_users WHERE email = 'test.this'email@mydomain.com'
Anybody else have this problem (and a fix)?
...deon
ScurvyDawg
An apostrophe is not a valid email character as far as I know. Hence, GL does not allow something it knows is invalid.
Anonymous
This looks like a serious security threat. If what you report is
true, then geeklog is passing unchecked text from the user
directly to MySQL. You must always always always check
user text and escape special characters, like the apostrophe
which to SQL signals the end of a text string. What if instead
of your example you had sent this as the email address:
"test'; drop database mysql;" or something similarly sinister?
Bad things.
rawdata
Geeklog produces this error message when you try to use a bad email address in registering. Go ahead and test it out yourself using his example.
Error
The email address provided does not appear to be a valid email address
It's very interesting that you think malicious code such as dropping a database can be executed when added to the where part of a SQL count statement and used for comparison with emails stored in the database. Why don't you give us an example where someone can actually execute malicious code for a particular SQL statement in the where clause? I don't believe it can be done, but go ahead and give an example that really works.
Anonymous
OK - my geeklog is not stopping that then - where should I look to see if that part of the code is broken?
Anonymous
Is that in an RFC somewhere? Which one?
...deon
Anonymous
Hey Dirk, this error is caught in DB_count, BEFORE geeklog validates the email address via COM_isemail - should this change then?
...deon
Anonymous
I noticed that the search function also returns errors when there is an apostrophe. That might be a security risk as well.
-Rob
Anonymous
Have a look on my site www.tuganz.org. It's on the "New User" (left block), username (anything), email (with an apostrophe) and I get the 1064 SQL error.
In users.php, it is calling a SELECT COUNT(*) to see how many usernames and email addresses exist before it validates the email address.
Let me know if you find out something is broke..
...deon
Me
Anonymous
RFC 2822
http://tools.ietf.org/html/rfc2822#section-3.4.1
Apostrophes are allowed.
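Added example, not part of the thread or of Geeklog's code: the COUNT query quoted in the first post, built once by string concatenation and once with a bound parameter, and run on the two addresses quoted in the thread. It assumes an in-memory SQLite table standing in for MySQL's gl_users; the function names and sample rows are constructed for illustration, and the address check covers only the dot-atom form of RFC 2822 section 3.4.1.

```python
import re
import sqlite3

# RFC 2822 atext characters; the apostrophe is one of them.
# Simplified: dot-atom form only, no quoted strings or domain literals.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
ADDR_RE = re.compile(r"%s(\.%s)*@%s(\.%s)*" % (ATEXT, ATEXT, ATEXT, ATEXT))

def is_dot_atom_address(addr):
    """True if addr is a syntactically valid dot-atom address."""
    return ADDR_RE.fullmatch(addr) is not None

def make_db():
    """In-memory stand-in for gl_users (assumption; rows are constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE gl_users (uid INTEGER PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO gl_users (email) VALUES (?)",
                   [("admin@mydomain.com",), ("test.this'email@mydomain.com",)])
    return db

def count_concatenated(db, email):
    """User input becomes part of the SQL text, as in the logged query.
    Returns None when the database rejects the statement."""
    sql = "SELECT COUNT(*) FROM gl_users WHERE email = '" + email + "'"
    try:
        return db.execute(sql).fetchone()[0]
    except sqlite3.Error:
        return None

def count_parameterized(db, email):
    """User input is bound as a value and is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM gl_users WHERE email = ?"
    return db.execute(sql, (email,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    for addr in ("admin@mydomain.com",
                 "test.this'email@mydomain.com",   # address from the first post
                 "test'; drop database mysql;"):   # string from the third post
        print(repr(addr),
              "valid:", is_dot_atom_address(addr),
              "concatenated:", count_concatenated(db, addr),
              "parameterized:", count_parameterized(db, addr))
```

The apostrophe address passes the syntax check and still breaks the concatenated query, so validating the address first does not remove the need to bind or escape the value.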