
View Issue Details

ID: 0012866
Project: phpList 3 application
Category: Subscriber Import
View Status: public
Last Update: 01-11-12 20:40
Reporter: cometbus
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.10.5
Target Version:
Fixed in Version:
Summary: 0012866: Strict format checking of email and other fields prevents numerous imports, possible for MySQL injection attacks
Description

Trying to import a list of 10,000+ users, I have had a lot of trouble, 4 hours or so.

I wrote a script in php to parse my list using your pattern:
<?php
// The function header was not included in the report; the name follows the
// is_email() function referred to later in this thread (an assumption).
function is_email($email)
{
  $pattern =
  "^[\&\'-_.[:alnum:]]+@((([[:alnum:]]|[[:alnum:]][[:alnum:]-]*[[:alnum:]])\.)+(ac|ad|ae|aero|af|ag|ai|al|am|an|ao|aq|ar|arpa|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|biz|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cat|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|com|coop|cr|cs|cu|cv|cx|cy|cz|de|dev|dj|dk|dm|do|dz|ec|edu|ee|eg|eh|er|es|et|eu|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl|gm|gn|gov|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|home|hr|ht|hu|id|ie|il|in|info|int|io|iq|ir|is|it|jm|je|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|loc|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mil|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|museum|mv|mw|mx|my|mz|na|name|nc|ne|net|nf|ng|ni|nl|no|np|nr|nt|nu|nz|om|org|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|pro|ps|pt|pw|py|qa|quipu|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|su|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw)|(([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5])\.){3}([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5]))$";

  // eregi() is case-insensitive POSIX regex matching; it was deprecated in
  // PHP 5.3 and removed in PHP 7, where preg_match() with the /i flag replaces it.
  if(eregi($pattern, $email))
    return(1);
  else
    return(0);
}

The trouble I see with this pattern is twofold. First, new TLDs will get added, so you have to release an update too often. Just reduce the test to be a domain of 2-4 letters in length.

The second issue is that numerous characters are not valid, such as #, etc. These are RFC-valid email chars; even a @ is valid, in that user\@foo@domain.com is valid, so long as you escape it or quote it.

At any rate, just print a message to screen about which lines are in error, and let me go about my import.

Further, ' and " are allowed, both of which will toss SQL errors. While the risk is low, I could potentially cause damage knowing that.

I enjoyed my evening of splitting up a file into 100 line chunks :-)
Tags: No tags attached.

Activities

user1822 - 17-03-08 20:24 - ~0042994

2.10.6 will have an updated is_email() function. We will do some testing to see if this solves this issue.

hexley (reporter) - 18-03-08 00:37 - ~0043004

I would also suggest that all variables that are part of an insert be sanitized; a badly formed email address has potential to `drop`
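As an added example (not phpList code and not the reporter's script), an import loop that does what the report and hexley's comment ask for: it reports invalid lines by number and keeps going, accepts RFC-style local parts without a hard-coded TLD list (here any alphabetic TLD of two or more letters, looser than the 2-4 suggested above), and binds every inserted value so quotes in an address or name cannot change the SQL. The table name, columns, the two-column input format and the SQLite backend are assumptions.

```php
<?php
// Added example, not phpList code. (a) Loose, RFC-tolerant address check with
// no TLD list, (b) bad lines are reported and skipped rather than aborting the
// import, (c) every value is bound through a prepared statement.
// Uses an in-memory SQLite database so it runs stand-alone.

function is_plausible_email(string $email): bool
{
    // Local part: unquoted with backslash escapes (user\@foo), or a quoted string.
    $local  = '(?:(?:[^\s@"\\\\]|\\\\.)+|"(?:[^"\\\\]|\\\\.)+")';
    // Domain: one or more dotted labels, then an alphabetic TLD of 2+ letters.
    $domain = '(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}';
    return preg_match('/\A' . $local . '@' . $domain . '\z/', $email) === 1;
}

function import_subscribers(PDO $db, array $lines): array
{
    $db->exec('CREATE TABLE IF NOT EXISTS user (id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT)');
    // Placeholders, never concatenation: the format check is for data quality,
    // parameter binding is what keeps quotes in the data out of the SQL.
    $stmt = $db->prepare('INSERT OR IGNORE INTO user (email, name) VALUES (:email, :name)');
    $result = ['imported' => 0, 'errors' => []];
    foreach ($lines as $i => $line) {
        // Assumed two-column "email,name" input; a real importer would use str_getcsv().
        [$email, $name] = array_map('trim', explode(',', $line, 2) + [1 => '']);
        if (!is_plausible_email($email)) {
            $result['errors'][] = sprintf('line %d: invalid email "%s"', $i + 1, $email);
            continue;   // report the line and move on instead of failing the file
        }
        $stmt->execute([':email' => $email, ':name' => $name]);
        $result['imported']++;
    }
    return $result;
}

// Constructed sample: unusual but valid addresses (apostrophe, hash, escaped
// and quoted local parts) plus one malformed line that should be reported.
$sample = [
    'alice@example.com,Alice',
    "o'brien#1@example.org,O'Brien",
    'user\@foo@domain.com,Escaped at-sign',
    '"user@foo"@domain.com,Quoted local part',
    'not-an-email,Broken line',
];
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$r = import_subscribers($db, $sample);
printf("imported %d, %d rejected\n", $r['imported'], count($r['errors']));
foreach ($r['errors'] as $e) { echo $e, "\n"; }
```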