Check Email

[unidox]

I am trying to check to see is in the right format when a user registers, I have this code:

 

if (preg_match("/^( [a-zA-Z0-9] )+( [a-zA-Z0-9\._-] )*@( [a-zA-Z0-9_-] )+( [a-zA-Z0-9\._-] +)+$/" , $email)) {

return true;

}

 

But it never works, whats wrong?

[dawsba]

found this on php.net

 

<?php

$pattern = '/^([a-z0-9])(([-a-z0-9._])*([a-z0-9]))*\@([a-z0-9])' .
'(([a-z0-9-])*([a-z0-9]))+' . '(\.([a-z0-9])([-a-z0-9_-])?([a-z0-9])+)+$/i';

echo preg_match ($pattern, "email-address-to-validate@host.tld");

?> 

[.josh]

You have a bunch of spaces in your regex that shouldn't be there.

[Prismatic]

The best way to validate an email is to send an email to it.

[saradrungta]

if(!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/", $email)){
echo "invalid";
}
else{
echo $email;
}

[.josh]

The best way to validate an email is to send an email to it.

 

Yes, that is true, but that's a different kind of validation.  You want to validate the format to make sure someone isn't trying to enter malicious code.  You then want to validate it as an email address user has access for various other reasons, like identity confirmation (not some spambot), communication (newsletters, etc..), security (password resets, etc..). 

 

Sure, you could look at it as "if I request email confirmation they have to access email address and therefore it has to be valid format anyway so why bother with the extra step in format validation?"  Your script doesn't wait for the user to validate the email address before putting the info into the database.  It puts the info (including the email address) into the database right then and there, along with the validation code and some kind of "on/off switch" column specifying whether email was verified or not.  When user gets the email and clicks the link or enters in validation code or whatever you do to confirm it, the "on/off switch" column is switched to signify that it has been validated.  That's more or less how it goes. 

 

But the point is that you can't depend on email format validation by virtue of getting a response from user from something in the email, you would already have that email address in your database.  So if you go that route, you would be entering data into your database whose format has not been validated.  That leaves a hole open for people to attack your site through the email form field.

 

You could then argue "Okay why not just use mysql_real_escape_string on it (and everything else) and call it a day?" Yes, you could.  But that only prevents potential sql injection (most of the time, not always).  Beyond that, it does nothing as far as you controlling what format you want users to submit data in.  For instance, perhaps you only want to accept .com email address for some reason.  mysql_real_escape_string does nothing to validate that.  Or say you want users to be able to pick an alphanumeric username.  How does mysql_real_escape_string enforce that?  It doesn't.

 

You need to use other things to validate the format anyway.  So if you are for instance, already checking to make sure that a user's name is only alphanumeric with some regex, then mysql_real_escape_string becomes superfluous.  There won't be any potential quotes to escape because your regex would have caused it to fail already.

 

And going back to email validation.  What if user typoed his email address? Forgot the dot in frank@blahcom?  He would never get his email confirmation because of that typo, which you could have caught by checking that it was at least the right format.