[RESOLVED] secure mail() validation, verification & confirmation

Yes! I read the sticky and visited PHP.NET’s manual on the mail() function (http://www.php.net/manual/en/function.mail.php)…
It was great information but now I am worried about security and am moving very slowly out of worry and cannot seem to write any more PHP until I know it’s secure…

Users on my site will be creating for themselves new accounts and one of the fields will require them to provide an email address. If the email is invalid, their account will still be created yet their account status in the database will be marked as VALIDATING and the user will have the option of re-sending the validation email. I want to dispatch confirmation emails to my users. The email itself comes with a dynamically created email confirmation link for them to click so as to confirm the user’s email address when they click it, log the confirmation in the database and hence successfully verify their email address.

Three things about the mail() function bother me:

1. The mail() function will dispatch multiple emails if comma separated. (not sure if %2C will also work as a separator)

2. If no domain is detected in the email address, then the mail() function doesn’t complain and sends it to my localhost.

3. Mail Injection e.g. %0A

I’ve seen many regular expressions out there to validate email addresses yet I’m not a mail injection guru nor do I understand very well what characters need to be escaped and/or unescaped. I’m not one to simply copy-and-paste someone else’s possibly faulty regular expression unless I know it’s foolproof. All I am doing at this point is validating email addresses — nothing fancy at this point nor will the user have control over the email’s title and message, so there is no worry to validate those. I come to you guys due to my lack of knowledge with email security.

I am in the middle of building a secure regular expression and could use some assistance before I move on and try to clean & organize my system’s coding. I could also use some additional information where to use rawurldecode, rawurlencode, urldecode, urlencode.
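The three concerns listed in the post, turned into one pre-flight check that runs before mail() is ever called. This is an added example, not code from the thread or from the iamcal article linked below; it assumes PHP 7.1 or later (nullable return type), and the sample addresses are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): reject, up front, every address shape that
// makes mail()'s $to argument do something other than deliver one message to one
// mailbox. The three cases from the post, in order:
//   1. a comma makes mail() send to several recipients,
//   2. an address with no domain is delivered to the local host,
//   3. a CR or LF lets the submitter append extra headers.
//
// On %0A / %2C: PHP url-decodes the request body before filling $_POST, so a
// submitted "%0A" reaches this function as a real newline byte and "%2C" as a
// real comma, and both are rejected below. A literal "%0A" that somehow arrives
// undecoded contains no newline and simply fails the syntax check. Never call
// urldecode()/rawurldecode() on $_POST values a second time: that would turn a
// harmless "%250A" into a newline after any earlier check has already run.

declare(strict_types=1);

/**
 * Returns null when $email may be handed to mail() as a single recipient,
 * otherwise a short reason describing why it was rejected.
 */
function recipientProblem(string $email): ?string
{
    // 3. Header injection: any CR, LF or NUL byte ends the discussion.
    if (preg_match('/[\r\n\x00]/', $email)) {
        return 'control character (header injection)';
    }
    // 1. Multiple recipients: mail() treats a comma as a recipient separator.
    if (strpos($email, ',') !== false) {
        return 'comma (multiple recipients)';
    }
    // Syntax: local@domain per the filter extension's RFC 5321 grammar.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'not a syntactically valid address';
    }
    // 2. Missing domain: "user@localhost" passes filter_var(), so additionally
    //    require a dot in the domain part; the MTA then cannot fall back to the
    //    local host for a bare label.
    $domain = substr($email, strrpos($email, '@') + 1);
    if (strpos($domain, '.') === false) {
        return 'domain has no dot (would be delivered locally)';
    }
    return null;
}

function isSafeRecipient(string $email): bool
{
    return recipientProblem($email) === null;
}

// Constructed sample inputs (no real users); the expected verdict is the value.
$samples = [
    'alice@example.com'                     => true,
    'bob@localhost'                         => false, // no dot in domain
    'a@example.com,b@example.com'           => false, // two recipients
    "alice@example.com\nBcc: c@example.net" => false, // injected header line
    'alice@example.com%0ABcc:c@example.net' => false, // literal %0A, still invalid
    'alice@exam ple.com'                    => false, // space in domain
];

foreach ($samples as $address => $expected) {
    $ok = isSafeRecipient($address);
    printf("%-48s %-7s %s\n", json_encode($address), $ok ? 'accept' : 'reject',
        $ok === $expected ? '' : '<-- unexpected');
}
```

On the rawurldecode/urldecode question in the post: decoding is already done by the time a value sits in $_POST or $_GET, so validation runs on the decoded bytes and no further decoding is needed; rawurlencode() is for the other direction, when the address or a token is placed into the confirmation link, and is never applied to the $to argument of mail().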

@NogDog, Dec 03.2006 — This is the email address format validator that I use. This link (http://iamcal.com/publish/articles/php/parsing_email/) explains in some detail the whys and wherefores of it.
[code=php]
/**
 * bool isValidEmail(str email)
 * validate that email address is valid format
 * kudos to http://iamcal.com/publish/articles/php/parsing_email/
 *
 * Every \xNN escape below is meant for the PCRE engine, not for PHP: inside
 * single-quoted strings a single backslash survives as-is, inside double-quoted
 * strings it must be doubled (\\x5b) or PHP would substitute the byte itself
 * and "[" / "." would become regex metacharacters.
 */
function isValidEmail($email) {
    $qtext = '[^\x0d\x22\x5c\x80-\xff]';                       // chars allowed inside "..."
    $dtext = '[^\x0d\x5b-\x5d\x80-\xff]';                       // chars allowed inside [...]
    $atom = '[^\x00-\x20\x22\x28\x29\x2c\x2e\x3a-\x3c'.
            '\x3e\x40\x5b-\x5d\x7f-\xff]+';                     // run of non-special chars
    $quoted_pair = '\x5c[\x00-\x7f]';                           // backslash + any ASCII byte
    $domain_literal = "\\x5b($dtext|$quoted_pair)*\\x5d";      // [ ... ]
    $quoted_string = "\\x22($qtext|$quoted_pair)*\\x22";       // " ... "
    $domain_ref = $atom;
    $sub_domain = "($domain_ref|$domain_literal)";
    $word = "($atom|$quoted_string)";
    $domain = "$sub_domain(\\x2e$sub_domain)*";                // dot-separated labels
    $local_part = "$word(\\x2e$word)*";
    $addr_spec = "$local_part\\x40$domain";                    // local@domain
    return (bool) preg_match("!^$addr_spec$!", $email);
} // end isValidEmail()
[/code]
@Ultimater (author), Dec 08.2006 — Even saves me the need of testing if $_POST{email} is empty.

Thanks NogDog, works nicely.
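The thread settles the address-format check; the remaining piece the opening post describes is the confirmation link itself (account created as VALIDATING, a dynamically generated link, the click logged in the database, a re-send option). The following is an added example, not code from the thread or from either poster: a PHP array stands in for the accounts table, and the column names status, token_hash and token_expires, the confirm.php path and the From address are assumptions. It needs PHP 7.0 or later for random_bytes() and hash_equals().

```php
<?php
// Added example (not from the thread). $accounts is an in-memory stand-in for the
// accounts table; column names status/token_hash/token_expires are assumptions.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 24 * 3600;
const CONFIRM_URL = 'https://www.example.com/confirm.php';   // assumed path

/**
 * Register the address in VALIDATING state and return the one-time token.
 * Only a hash of the token is stored, so a leaked copy of the table does not
 * let anyone confirm addresses they do not control.
 */
function createPendingAccount(array &$accounts, string $email): string
{
    $token = bin2hex(random_bytes(32));                   // 256 bits from the CSPRNG
    $accounts[$email] = [
        'status'        => 'VALIDATING',
        'token_hash'    => hash('sha256', $token),
        'token_expires' => time() + TOKEN_TTL_SECONDS,
    ];
    return $token;                                        // goes into the email only
}

/** The post's "option of re-sending": issue a fresh token, which retires the old one. */
function resendToken(array &$accounts, string $email): ?string
{
    if (!isset($accounts[$email]) || $accounts[$email]['status'] !== 'VALIDATING') {
        return null;
    }
    return createPendingAccount($accounts, $email);
}

/** rawurlencode() belongs here, where values are placed into a URL. */
function confirmationLink(string $email, string $token): string
{
    return CONFIRM_URL . '?email=' . rawurlencode($email) . '&token=' . rawurlencode($token);
}

/**
 * Assemble what mail() would be given. Subject and headers are fixed strings,
 * so the user influences nothing but the already-validated recipient address.
 * Caller: [$to, $subject, $body, $headers] = buildConfirmationMail(...);
 *         mail($to, $subject, $body, $headers);
 */
function buildConfirmationMail(string $email, string $token): array
{
    $body = "Please confirm your address by opening this link:\r\n"
          . confirmationLink($email, $token) . "\r\n";
    $headers = "From: no-reply@example.com\r\nContent-Type: text/plain; charset=UTF-8";
    return [$email, 'Confirm your email address', $body, $headers];
}

/**
 * Handler behind confirm.php; $_GET values arrive already URL-decoded.
 * Returns true exactly once per issued token, and only before it expires.
 */
function confirmAccount(array &$accounts, string $email, string $token): bool
{
    if (!isset($accounts[$email]) || $accounts[$email]['status'] !== 'VALIDATING') {
        return false;
    }
    $row = $accounts[$email];
    if (time() > $row['token_expires']) {
        return false;                                     // expired: offer a re-send
    }
    // hash_equals() compares in constant time, so response timing leaks nothing.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $accounts[$email]['status']     = 'CONFIRMED';        // the "log in the database" step
    $accounts[$email]['token_hash'] = '';                 // token is single use
    return true;
}

// Walk-through with a constructed address.
$accounts = [];
$email  = 'alice@example.com';
$token1 = createPendingAccount($accounts, $email);
$token2 = resendToken($accounts, $email);                  // user clicked "re-send"
[$to, $subject, $body, $headers] = buildConfirmationMail($email, (string) $token2);
echo "--- would be sent to $to ---\n$body\n";

var_dump(confirmAccount($accounts, $email, $token1));      // false: superseded by re-send
var_dump(confirmAccount($accounts, $email, (string) $token2)); // true
var_dump(confirmAccount($accounts, $email, (string) $token2)); // false: already used
```

The design choice worth noting is that the database never holds the token itself, only its SHA-256, and the comparison is done with hash_equals(); the status flip to CONFIRMED and the clearing of token_hash happen together, so a link can be used once and a re-send invalidates whatever was mailed before.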