
The best way to validate an email is to send an email to it.

Yes, that is true, but that's a different kind of validation. You want to validate the format to make sure someone isn't trying to enter malicious code. You then want to validate it as an email address the user has access to for various other reasons, like identity confirmation (not some spambot), communication (newsletters, etc.), security (password resets, etc.).

Sure, you could look at it as "if I request email confirmation they have to access the email address and therefore it has to be a valid format anyway, so why bother with the extra step in format validation?" Your script doesn't wait for the user to validate the email address before putting the info into the database. It puts the info (including the email address) into the database right then and there, along with the validation code and some kind of "on/off switch" column specifying whether the email was verified or not. When the user gets the email and clicks the link or enters the validation code or whatever you do to confirm it, the "on/off switch" column is switched to signify that it has been validated. That's more or less how it goes.

But the point is that you can't depend on email format validation by virtue of getting a response from the user to something in the email: you would already have that email address in your database. So if you go that route, you would be entering data into your database whose format has not been validated. That leaves a hole open for people to attack your site through the email form field.

You could then argue, "Okay, why not just use mysql_real_escape_string on it (and everything else) and call it a day?" Yes, you could. But that only prevents potential SQL injection (most of the time, not always). Beyond that, it does nothing as far as you controlling what format you want users to submit data in. For instance, perhaps you only want to accept .com email addresses for some reason. mysql_real_escape_string does nothing to validate that. Or say you want users to be able to pick an alphanumeric username. How does mysql_real_escape_string enforce that? It doesn't.

You need to use other things to validate the format anyway. So if, for instance, you are already checking to make sure that a user's name is only alphanumeric with some regex, then mysql_real_escape_string becomes superfluous. There won't be any potential quotes to escape because your regex would have caused it to fail already.

And going back to email validation: what if the user typoed his email address? Forgot the dot in frank@blahcom? He would never get his email confirmation because of that typo, which you could have caught by checking that it was at least the right format.


https://forums.phpfreaks.com/topic/141284-check-email/#findComment-739804
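The flow described in the reply above (format check first, store the address unverified with a confirmation code and an on/off flag, flip the flag when the code comes back), as an added example that is not code from the thread. It assumes a hypothetical `users` table and uses PDO prepared statements with an in-memory SQLite database so it runs offline; the extra dot check after `filter_var` is there because PHP's `FILTER_VALIDATE_EMAIL` accepts single-label domains such as `blahcom`.

```php
<?php
// Added example, not from the forum thread. Assumed schema:
// users(email, email_verified, confirm_token).

function emailFormatIsValid(string $email): bool
{
    // filter_var handles the general syntax; the regex additionally requires a
    // dotted domain so a typo like "frank@blahcom" is rejected up front.
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && preg_match('/@[^@\s]+\.[a-z]{2,}$/i', $email) === 1;
}

// Store the address with the "switch" off and a random confirmation token.
// Returns the token to put in the confirmation link, or null if the format
// check fails (nothing touches the database in that case).
function registerUnverified(PDO $db, string $email): ?string
{
    if (!emailFormatIsValid($email)) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $stmt  = $db->prepare(
        'INSERT INTO users (email, email_verified, confirm_token) VALUES (?, 0, ?)'
    );
    $stmt->execute([$email, $token]);
    return $token;
}

// Flip the switch for the row holding this token; the token is then cleared so
// the same link cannot be replayed. Returns true only if exactly one row changed.
function confirmEmail(PDO $db, string $token): bool
{
    if (preg_match('/^[0-9a-f]{64}$/', $token) !== 1) {
        return false; // anything else cannot be a token we issued
    }
    $stmt = $db->prepare(
        'UPDATE users SET email_verified = 1, confirm_token = NULL
         WHERE confirm_token = ? AND email_verified = 0'
    );
    $stmt->execute([$token]);
    return $stmt->rowCount() === 1;
}

// Constructed sample run against an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT, email_verified INTEGER, confirm_token TEXT)');

var_dump(registerUnverified($db, 'frank@blahcom'));     // typo from the thread
$token = registerUnverified($db, 'frank@example.com');  // well-formed address
var_dump(confirmEmail($db, $token));                    // first use of the link
var_dump(confirmEmail($db, $token));                    // second use of the same link
```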