View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0012866||phpList 3 application||Subscriber Import||public||07-01-08 15:46||01-11-12 20:40|
|Target Version||Fixed in Version|
|Summary||0012866: Strict format checking of email and other fields prevents numerous imports, possible for mysql injection attacks|
|Description||Trying to import a list of 10,000+ users, I have much trouble, 4 hours or so.|
I wrote a script in php to parse my list using your pattern:
The trouble I see with this pattern is twofold: first, new TLDs will get added, so you have to release an update too often. Just reduce the test to be a domain of 2-4 letters in length.
Second issue is that numerous characters are not valid, such as #, etc. These are RFC valid email chars, even a @ is valid, in that user\@email@example.com is valid, so long as you escape it, or quote it.
At any rate, just print a message to screen about which lines are in error, and let me go about my import.
Further, ' and " are allowed, both of which will toss SQL errors. While the risk is low, I could potentially cause damage knowing that.
I enjoyed my evening of splitting up a file into 100 line chunks :-)
|Tags||No tags attached.|
|related to||0015632||resolved||michiel||TLDs missing from is_email() validation|
|related to||0015207||resolved||Email validation doesn't seem to work for the local part of an email address|
|related to||0006782||resolved||michiel||Importing Invalid E-mails|
|related to||0013672||new||how often to retry sending to an address that fails, and give up|
|2.10.6 will have an updated is_email() function. We will do some testing to see if this solves this issue.|
||I would also suggest all variables that are part of an insert be sanitized, a badly formed email address has potential to `drop`|
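
The two requests in this issue, reporting bad lines instead of aborting the import and keeping quotes in addresses out of the SQL text, are sketched below as an added example; it is not phpList code and does not come from the reporter or the developers. The `subscriber` table, the function names and the sample lines are hypothetical, and it assumes PHP with the `pdo_sqlite` extension so that it runs without a MySQL server.

```php
<?php
// Added example: table, column and function names are hypothetical,
// not phpList's schema or API. The sample lines are constructed.

/** Syntactic check using PHP's built-in filter rather than a TLD whitelist. */
function looks_like_email(string $addr): bool
{
    // FILTER_VALIDATE_EMAIL accepts ' and # in the local part.
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Import addresses, skipping bad lines instead of aborting the batch.
 * Returns [number imported, list of "line N: reason" strings].
 */
function import_subscribers(PDO $db, array $lines): array
{
    // Bound parameters keep quotes in the data out of the SQL text.
    $stmt = $db->prepare('INSERT INTO subscriber (email) VALUES (:email)');
    $imported = 0;
    $errors = [];
    foreach ($lines as $i => $line) {
        $email = trim($line);
        if ($email === '') {
            continue; // ignore blank lines
        }
        if (!looks_like_email($email)) {
            $errors[] = sprintf('line %d: invalid address "%s"', $i + 1, $email);
            continue;
        }
        try {
            $stmt->execute([':email' => $email]);
            $imported++;
        } catch (PDOException $e) {
            // e.g. a duplicate address: record it and carry on with the next line
            $errors[] = sprintf('line %d: %s', $i + 1, $e->getMessage());
        }
    }
    return [$imported, $errors];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscriber (email TEXT PRIMARY KEY)');

// Constructed input: two ordinary rows, a quote, a '#', a bad line, a duplicate.
$lines = ["alice@example.com", "o'brien@example.com", "tag#1@example.museum",
          "not an address", "alice@example.com"];
[$count, $errors] = import_subscribers($db, $lines);
echo "imported: $count\n", implode("\n", $errors), "\n";
```

If the error list is shown in a web page rather than on the command line, pass each entry through `htmlspecialchars()` first, since it echoes back text from the imported file.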