ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

CRLF + SQL Injection

September 26, 2008 7:40am

  • #1 / Sep 26, 2008 7:40am

    Michael Hay

    65 posts

    Hi

    Can someone tell me whether the expressionengine syntax for things such as the contact form and the query tag are protected against SQL and CRLF injection attacks?

    I am aware of the $DB->escape_str() function for SQL injection with PHP. Is there a similar function for CRLF injection attacks?

    Thanks
    Michael

  • #2 / Sep 26, 2008 10:23am

    Ingmar

    29245 posts

    CR/LF injection is really only a special kind of injection attack, and we are well aware of and defend against these. The only reliable way to do so, really, is to always sanitize and never trust any kind of user input. EE does that. Also, talking about the query tag, e.g.: only SELECT statements are allowed here, so it’s not possible to change your db that way.

    Finally, CR/LF is not a particular concern with either PHP or SQL, since whitespace characters (linebreaks, spaces, tabs) are all allowed within the code without starting a new command.

  • #3 / Sep 26, 2008 12:47pm

    Michael Hay

    65 posts

    Thanks Ingmar

  • #4 / Sep 29, 2008 10:55am

    Derek Jones

    7561 posts

    Michael, instead of Carriage Return / Line Feed are you referring to CSRF, or Cross-site Request Forgery?  The Secure Forms feature of ExpressionEngine will provide you with CSRF protection.  As Ingmar stated, carriage returns and line feeds will not impact PHP/MySQL (with rare exception, not affecting ExpressionEngine).

    Edit-add: Specifically, CRLF will not affect a query to MySQL, and the email headers for the contact form are written specifically by EE, not passing user input off directly to these.  Even if you use an open form with a To: field, its input is validated, split into email address, and assembled by ExpressionEngine apart from how the user keyed it in.
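The defense Derek describes for the contact form (validate the recipient field, split it into addresses, and have the application assemble the headers itself rather than echoing the user's text) is language-independent, so here is an added Python illustration of it. This is not ExpressionEngine's code and does not reproduce its internals; the sample form inputs, the `build_headers_naive`/`build_headers_safe` function names and the address regex are constructed for the example. The naive builder shows how a CR/LF in a user-supplied "To" field smuggles an extra `Bcc:` header into the outgoing mail; the safe builder rejects control characters, validates each address, and rebuilds the header from the parsed addresses only.

```python
import re
from email.utils import getaddresses

# Constructed sample inputs (not real form submissions).
# The attacker appends CRLF plus a header line, hoping it lands in the mail header block.
MALICIOUS_TO = "user@example.com\r\nBcc: victim1@example.net, victim2@example.net"
CLEAN_TO = "Alice <alice@example.com>, bob@example.org"

# Simple address shape check used after the field is split into bare addresses.
# Deliberately strict: anything outside this alphabet (including CR/LF) fails.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_headers_naive(to_field: str, subject: str) -> str:
    """VULNERABLE: copies the user-supplied field straight into the header block.

    A CRLF inside to_field terminates the To: line and whatever follows it is
    parsed by the MTA as a further header (e.g. an injected Bcc:)."""
    return f"To: {to_field}\r\nSubject: {subject}\r\n"


def parse_recipients(to_field: str) -> list:
    """Validate the field and return only the bare addresses it contains.

    Raises ValueError on CR/LF, on an empty field, or on any address that does
    not match ADDR_RE. Display names the user typed are dropped entirely."""
    if "\r" in to_field or "\n" in to_field:
        raise ValueError("control characters in recipient field")
    addrs = [addr for _name, addr in getaddresses([to_field]) if addr]
    if not addrs:
        raise ValueError("no recipients")
    for addr in addrs:
        if not ADDR_RE.match(addr):
            raise ValueError(f"invalid address: {addr!r}")
    return addrs


def build_headers_safe(to_field: str, subject: str) -> str:
    """HARDENED: headers are assembled by the application from validated parts.

    The To: line is rebuilt from parsed addresses, so the user's raw text never
    reaches the header block; the subject has any line breaks collapsed."""
    recipients = parse_recipients(to_field)
    subject = subject.replace("\r", " ").replace("\n", " ")
    return "To: " + ", ".join(recipients) + "\r\nSubject: " + subject + "\r\n"


def header_names(header_block: str) -> list:
    """Return the header field names an MTA would see in the block, in order."""
    return [line.split(":", 1)[0] for line in header_block.split("\r\n") if line]


def rejects(to_field: str) -> bool:
    """True if the hardened path refuses the field instead of emitting headers."""
    try:
        build_headers_safe(to_field, "Hello")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Naive path: the injected Bcc: header appears between To: and Subject:.
    print(header_names(build_headers_naive(MALICIOUS_TO, "Hello")))
    # Hardened path: the malicious field is refused, the clean one is rebuilt.
    print(rejects(MALICIOUS_TO), rejects(CLEAN_TO))
    print(build_headers_safe(CLEAN_TO, "Hello\r\nX-Injected: no"))
```

Rejecting the whole submission on CR/LF, rather than silently stripping it, is the safer choice for a contact form: a recipient field containing a line break is never legitimate, and failing closed avoids surprising the user with mail that went somewhere they did not type.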