
Valid Email Addresses - XSS and SQL Injection

Since there are so many valid characters for email addresses, are there any valid email addresses that can in themselves be XSS attacks or SQL injections? I couldn't find any information on this on the web.

The local-part of the e-mail address may use any of these ASCII characters:

  • Uppercase and lowercase English letters (a–z, A–Z)
  • Digits 0 to 9
  • Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
  • Character . (dot, period, full stop) provided that it is not the last character, and provided also that it does not appear two or more times consecutively (e.g. [email protected]).

http://en.wikipedia.org/wiki/E-mail_address#RFC_specification

I'm not asking how to prevent these attacks (I'm already using parametrized queries and escaping/HTML purifier), this is more a proof-of-concept.

The first thing that came to mind was 'OR [email protected], except that spaces are not allowed. Do all SQL injections require spaces?

Lotus Notes asked May 27 '10 18:05



1 Answer

Spaces are allowed if they are enclosed in quotes, however, so "'OR 1=1--"@gmail.com is a valid e-mail address. Also, it's probably less of a concern, but technically speaking, these are both valid e-mail addresses:

' BAD SQL STUFF -- <[email protected]>
[email protected] (' BAD SQL STUFF --)

Even if this wasn't possible, there's still no reason that you shouldn't be using parameterized queries and encoding all user-inputted data displayed to users.

Ryan Brunner answered Sep 20 '22 09:09
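As an added example (not code from the question or the answer), the check below accepts the quoted-local-part address from the answer as a syntactically valid RFC 5322 addr-spec, then inserts it once by string concatenation and once with a bound parameter, and escapes it for HTML output. The point it makes is the answer's: syntactic validity says nothing about safety, and with parameterized queries and output encoding the address's contents do not matter. The regex is a simplified addr-spec (no comments or display names), and the in-memory sqlite3 table and sample addresses are constructed for the example.

```python
import html
import re
import sqlite3

# Simplified RFC 5322 addr-spec: the local part is a dot-atom or a
# quoted-string (which may contain spaces and quotes), then '@' and a domain.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
QUOTED_STRING = r'"(?:[^"\\\r\n]|\\.)*"'
DOMAIN = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
ADDR_SPEC = re.compile(rf"^(?:{DOT_ATOM}|{QUOTED_STRING})@{DOMAIN}$")

# Constructed samples: a plain address and the quoted-local-part one from the answer.
PLAIN = "user@example.com"
QUOTED = "\"'OR 1=1--\"@gmail.com"

def is_valid_addr_spec(addr: str) -> bool:
    """Syntactic check only; 'valid' says nothing about whether the value is safe."""
    return ADDR_SPEC.fullmatch(addr) is not None

def _fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")  # throwaway table for the demonstration
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    return con

def naive_insert(addr: str):
    """String-concatenated INSERT: the address becomes part of the SQL text.
    Returns the stored e-mails, or None if the statement no longer parses."""
    con = _fresh_db()
    try:
        con.execute(f"INSERT INTO users (email) VALUES ('{addr}')")
        return [r[0] for r in con.execute("SELECT email FROM users")]
    except sqlite3.Error:
        return None
    finally:
        con.close()

def parameterized_insert(addr: str):
    """Bound parameter: the address is data, never SQL, whatever it contains."""
    con = _fresh_db()
    try:
        con.execute("INSERT INTO users (email) VALUES (?)", (addr,))
        return [r[0] for r in con.execute("SELECT email FROM users")]
    finally:
        con.close()

def render_for_html(addr: str) -> str:
    """Escape on output so quotes and angle brackets are displayed, not interpreted."""
    return html.escape(addr, quote=True)
```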