11

Is there an equivalent to mysql_real_escape_string() for email injection? I have a form where the user submits their email. I am afraid that someone could insert a comma separated list of emails and use my site for spamming.


6 Answers

32

You can use filter_var to validate the e-mail address:

if (!filter_var($address, FILTER_VALIDATE_EMAIL)) {
    // invalid e-mail address
}

7 Comments

Will that ensure that there is only one email address?
@Brian: Yes, it will return false if you test a string like [email protected],[email protected].
+1 for using a native function
Does filter_var() allow creating custom validation flags? I'm thinking of applying it to check uniqueness of a value in the DB. Or is it not a good idea?
Certainly technically the best answer. However FILTER_VALIDATE_EMAIL will tell you the following email address is valid: my$sd/[email protected] Most of my customers prefer to filter out such addresses, so I still give preg_match a chance.
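The following is an added example for the filter_var() answer above; it is not code from the original post. It shows how a raw form value ends up inside a mail header, why a comma-separated list or a CRLF payload turns one recipient into many, and that FILTER_VALIDATE_EMAIL rejects exactly those inputs. All addresses and payloads are constructed placeholders, and the helper names (build_headers_unsafe, single_recipient, header_line_count, address_count) are this example's own.

```php
<?php
// Added example, not code from the original answer. Demonstrates the
// header-injection risk behind the question and the filter_var() fix.
// All addresses below are constructed placeholders.

// Vulnerable pattern: the submitted value is concatenated straight into the
// header block that would be handed to mail() as $additional_headers.
function build_headers_unsafe(string $userInput): string
{
    return "From: noreply@example.com\r\nReply-To: " . $userInput . "\r\n";
}

// Hardened: accept exactly one syntactically valid address, or nothing.
// A null return must abort the send; never fall back to the raw value.
function single_recipient(string $userInput): ?string
{
    $candidate = trim($userInput);
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $candidate;
}

// Rough view of what an MTA would see in the unsafe header block:
// we wrote two header lines, so anything beyond that was smuggled in.
function header_line_count(string $headers): int
{
    return count(array_filter(preg_split('/\r?\n/', $headers), 'strlen'));
}

// Naive count of addresses present in the submitted value: more than one
// means the "single" recipient field carries a list.
function address_count(string $input): int
{
    return preg_match_all('/[^\s,:<>]+@[^\s,<>]+/', $input);
}

// Constructed payloads: one legitimate address and three injection attempts.
$payloads = [
    'legit'      => 'alice@example.com',
    'comma_list' => 'alice@example.com,bob@example.net,carol@example.org',
    'crlf_bcc'   => "alice@example.com\r\nBcc: mark1@example.net, mark2@example.net",
    'lf_subject' => "alice@example.com\nSubject: cheap offers",
];

foreach ($payloads as $name => $input) {
    $headers = build_headers_unsafe($input);
    $safe    = single_recipient($input);
    printf("%-11s unsafe: %d header lines, %d addresses | validated: %s\n",
        $name, header_line_count($headers), address_count($input),
        $safe === null ? 'REJECTED' : $safe);
}
```

The same check belongs on the value passed as mail()'s $to argument, which also accepts a comma-separated list. FILTER_VALIDATE_EMAIL is a syntax check only; whether the mailbox exists and belongs to the submitter is something only a confirmation mail can establish.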
2

Simply validate the field against a commonly found regular expression for single email address

function validate_email($e){
    return (bool)preg_match("`^[a-z0-9!#$%&'*+\/=?^_\`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_\`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$`i", trim($e));
}

Comments

1

For those with older versions

/*
    PHP email validation for versions less than PHP 5.2.0
    (no filter_var() available)
*/
// Validate the raw input first; escape only when writing to the database,
// otherwise the backslashes added by escaping are validated as well.
$strEmail = $_POST['email_e'];
// Dots are escaped so they match a literal "." rather than any character,
// and a match means the address is valid. Note that {2,3} rejects TLDs
// longer than three letters (e.g. .info); loosen it if that matters.
if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $strEmail)){

        // valid email
        $strEmail = mysql_real_escape_string($strEmail);

        } else {

        // not a valid email
}

2 Comments

eregi is deprecated since PHP 5.3
Thanks for the comment. Duly noted.
0

If your primary concern is, as the question states, to verify that users have not attempted to trick you into spamming for them by entering a comma-separated list of addresses, then isn't the obvious answer to simply check whether there are any commas in the user's input?

Comments

0

I found that good email validation is not that simple, so just decided to check if "@" and "." is in the string.

function email_valid($email){
    /* EMAIL VALIDATION, CHECKS IF STRING CONTAINS "@" and "."  */
    // strpos() returns 0 when the match is at position 0 and false when there
    // is no match, so compare against false instead of testing truthiness.
    if( strpos($email, "@") !== false AND strpos($email, ".") !== false ){
        return TRUE;
    }
    else {
        return FALSE;
    }
}

P.S. if you don't use PDO prepared statements for writing to database, BE SURE to filter out symbols which may cause sql injection

3 Comments

You could at least be sure that the '.' position is bigger than the '@'. Still I think it's possible to create a better validation with a regular expression.
Actually, an email may not even contain a ".", e.g. "user@hostname" on an intranet should be perfectly usable
@Victor that's true. After a few years of programming since I originally answered the question, I came to the conclusion that it's not worth validating email addresses more than <input type="email" />. What you care about is if the user can receive an email from you which might not be possible even with a valid email address so it's much simpler to just send a confirmation email instead of writing validation code.
0

It would be simpler to check the total string length, i.e. local part max 64 + the @ + domain section max 255 characters = 320 characters, but then spamming short addresses would still be possible. I am currently researching email validation for my project and found this interesting article on email validation which explains in depth valid email addresses and RFC 2822. There they suggest a much simpler way to validate that would prevent comma-separated lists from being an effective form of spamming.

$isValid = true;
$atIndex = strrpos($email, "@");
// strrpos() returns false when there is no "@"; compare with === false
// (the original is_bool() && ! test does the same thing, less directly).
if ($atIndex === false)
{
   $isValid = false;
}
else
{
   $domain = substr($email, $atIndex+1);
   $local = substr($email, 0, $atIndex);
   // ... work with domain and local parts
}

This simply breaks the email address down by finding the last @ sign and declares all that passes before it to be the local part of the address, which has a limit of 64 characters. If there is no @ sign then strrpos will return a boolean value of false. I will be making use of this in my validation function.

Comments
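The following is an added example for the answer above; it is not code from the original post or from the article it cites. It carries the strrpos() split through to a complete check: split at the last "@", apply the RFC 5321 length limits (local part 64 octets, domain 255 octets, whole address 254 octets, since the 256-octet path limit includes the surrounding angle brackets), and refuse anything that is a list or a smuggled header rather than one address. The function name split_address and all sample inputs are this example's own.

```php
<?php
// Added example, not code from the original answer or the cited article.
// Splits an address at the last "@" and enforces the RFC 5321 size limits.
// Sample inputs at the bottom are constructed.

// Returns ['local' => ..., 'domain' => ...] or null when rejected.
function split_address(string $email): ?array
{
    $atIndex = strrpos($email, '@');
    if ($atIndex === false) {
        return null;                          // no "@" at all
    }
    $local  = substr($email, 0, $atIndex);
    $domain = substr($email, $atIndex + 1);

    if ($local === '' || $domain === '') {
        return null;                          // "@example.com" or "alice@"
    }
    // RFC 5321: local part <= 64, domain <= 255, full path 256 including
    // the angle brackets, so the bare address may be at most 254 octets.
    if (strlen($local) > 64 || strlen($domain) > 255 || strlen($email) > 254) {
        return null;
    }
    // Whitespace, control characters, separators or a second "@" mean a
    // list or an injected header, not one address. Quoted local parts
    // (which may legally contain "@" or spaces) are deliberately rejected.
    if (preg_match('/[\x00-\x20\x7f,;<>@"]/', $local . $domain)) {
        return null;
    }
    // A dotless domain (user@hostname on an intranet) is allowed.
    return ['local' => $local, 'domain' => $domain];
}

// Constructed samples: two acceptable addresses and five that must fail.
$samples = [
    'alice@example.com',
    'user@hostname',                                   // dotless intranet host
    str_repeat('a', 65) . '@example.com',              // local part too long
    'alice@' . str_repeat('d', 250) . '.com',          // whole address too long
    'alice@example.com,bob@example.net',               // comma-separated list
    "alice@example.com\r\nBcc: mark@example.net",      // header injection
    'no-at-sign.example.com',                          // no "@"
];

foreach ($samples as $email) {
    $parts = split_address($email);
    printf("%-40s %s\n",
        addcslashes(substr($email, 0, 40), "\r\n"),
        $parts === null
            ? 'REJECTED'
            : 'local=' . $parts['local'] . ' domain=' . $parts['domain']);
}
```

The character class is the part that matters for the spam concern in the question: length limits alone still let through "a@b.c,d@e.f", so separators and line breaks have to be rejected explicitly before the value is placed anywhere near a mail header.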
