
Is there a way to escape dangerous characters that can be exploited to malform emails sent through web forms? I am making a system with a signup script and want to protect the email field from being injected with a huge mailing list.

nanofarad
  • I think you're looking for an email Regex. It will make sure emails are 'something@somethineselse.com/net/org/etc.' and won't allow for mailing lists. http://komunitasweb.com/2009/03/10-practical-php-regular-expression-recipes/ – mawburn Jul 06 '12 at 16:27
  • Use an email sending library, it will take care of this sort of thing for you – Arnaud Le Blanc Jul 06 '12 at 16:28
  • @ObsessiveFOSS What exactly is your question? Bad emails or bad characters? – Nadav S. Jul 06 '12 at 16:28
  • possible duplicate of [PHP email validation](http://stackoverflow.com/questions/3613589/php-email-validation) – mario Jul 06 '12 at 16:28
  • Bad characters. It's a duplicate. Asking for close. – nanofarad Jul 06 '12 at 16:29
  • @ObsessiveFOSS use `addslashes()` or `htmlspecialchars()` – Nadav S. Jul 06 '12 at 16:30
  • possible duplicate of [Is there a php library for email address validation?](http://stackoverflow.com/questions/161342/is-there-a-php-library-for-email-address-validation) – tripleee Jul 06 '12 at 16:43
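The risk the question describes is header injection: a form value that carries a line break followed by another header line turns one recipient into a list. The defensive pattern is to refuse line breaks outright and then validate the address shape, rather than trying to "escape" anything. The following is an added example, not code from the question or any commenter; the function name `safeEmailForHeader` and the sample inputs are constructed for illustration, and the validation relies on PHP's built-in `filter_var()` with `FILTER_VALIDATE_EMAIL`.

```php
<?php
// Added example: a check for a single e-mail field that will end up in a
// message header. Two independent tests are applied:
//   1. reject any CR or LF anywhere in the value (a header is one line;
//      a line break is exactly what an injected "Bcc:" relies on);
//   2. validate the remaining text as one address with filter_var().
// Returns the validated address, or null if the value must not be used.
function safeEmailForHeader(string $input): ?string
{
    // Refuse the injection primitive itself instead of trying to escape it.
    if (preg_match('/[\r\n]/', $input)) {
        return null;
    }
    // Strip surrounding blanks only; line breaks were already rejected.
    $candidate = trim($input, " \t");
    // filter_var returns the address on success and false otherwise.
    $valid = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed sample inputs, as a signup form might deliver them.
$samples = [
    'alice@example.com',
    'bob.smith+news@example.co.uk',
    "alice@example.com\r\nBcc: one@example.net, two@example.net", // line break + extra header
    'alice@example.com, carol@example.org',                        // a list, not one address
    'not an address',
];

foreach ($samples as $s) {
    $r = safeEmailForHeader($s);
    printf("%-62s => %s\n", json_encode($s), $r === null ? 'REJECTED' : 'ok: ' . $r);
}
```

Only the first two inputs come back as usable addresses; the value with the embedded line break is rejected by the first test before `filter_var()` is even consulted, and the comma-separated pair fails validation because it is not a single mailbox.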

2 Answers


I believe htmlspecialchars() should do the trick.

mikegreiling
  • Does it catch commas? Or other weird things that can be exploited? – nanofarad Jul 06 '12 at 16:27
  • You'll also want to consider combining that with `strip_tags` and `mysql_real_escape_string`. – Bob Davies Jul 06 '12 at 16:29
  • I suppose I don't know enough about email formatting to understand why commas would be dangerous, but if you want a more catch-all function `htmlentities` will convert *all* characters, not just the usual suspects. See also: http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars – mikegreiling Jul 06 '12 at 16:30
  • Disregard my answer... I read your question as relating to sending emails, not verifying email handles... – mikegreiling Jul 06 '12 at 16:32
  • No, this will produce semicolons, like in "&amp;", which will prevent the email from sending properly. – gavanon Mar 28 '19 at 17:05
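The comments above make two points about `htmlspecialchars()` that are worth seeing concretely: it does not touch commas or line breaks (so it offers nothing against header injection), and it rewrites a legitimate `&` as `&amp;`, which is the stray-semicolon problem gavanon describes. The following is an added example, not code from the answer; the function name `htmlEscapeEffect` and the sample strings are constructed for illustration.

```php
<?php
// Added example: what htmlspecialchars() actually does to strings that
// would be placed in an e-mail header. It is an HTML output encoder, so
// it rewrites &, <, >, " and ' and leaves everything else alone.
function htmlEscapeEffect(string $value): array
{
    $escaped = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return [
        'input'             => $value,
        'escaped'           => $escaped,
        // Line breaks survive untouched: the escaper does not see them as dangerous.
        'still_has_newline' => (bool) preg_match('/[\r\n]/', $escaped),
        // Commas survive as well, so a comma-separated list is not caught either.
        'still_has_comma'   => str_contains($escaped, ','),
        // Whether the escaper altered the value at all (true means the
        // address itself was changed and will no longer deliver as typed).
        'address_changed'   => $escaped !== $value,
    ];
}

// Constructed inputs: '&' is legal in a local part (RFC 5322), a comma
// separates two addresses, and a CR/LF pair splits a header line.
$cases = [
    "r&d@example.com",
    "alice@example.com, carol@example.org",
    "alice@example.com\r\nBcc: other@example.net",
];
foreach ($cases as $c) {
    print_r(htmlEscapeEffect($c));
}
```

Running it shows the mismatch: the only input the escaper changes is the harmless `r&d@example.com`, while the comma-separated list and the value with the line break pass through with `still_has_comma` and `still_has_newline` set to true.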

Disregard my other answer. I read your question wrong.

Here's a function I've been using to verify an email conforms to RFC standards:

// The domain group is required (no trailing "?" after it), and the D modifier stops "$" from matching just before a trailing newline.
preg_match("/^([a-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*)@((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)$/iD", $email)
mikegreiling
  • Like most other email validation regexes, it allows invalid email addresses, and permits invalid ones. – tripleee Jul 06 '12 at 16:40
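One detail of the answer's pattern matters for a field that feeds a mail header: in PCRE a plain `$` anchor also matches immediately before a final `"\n"`, unless the `D` (dollar-end-only) modifier is set. The following is an added example, not code from the answer or its commenters, comparing the two anchoring modes using the answer's character classes; the constant `EMAIL_BODY`, the two function names and the sample inputs are constructed for illustration, and the domain group is written as mandatory.

```php
<?php
// Added example: the answer's local-part and domain classes, captured as a
// constant so the same body can be anchored two different ways.
const EMAIL_BODY = "([a-z0-9!#$%&'*+\\/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+\\/=?^_`{|}~-]+)*)"
                 . "@((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)";

// Plain '$' anchor: PCRE lets it match before a trailing "\n" as well as
// at the very end of the subject.
function matchesPlainDollar(string $email): bool
{
    return preg_match('/^' . EMAIL_BODY . '$/i', $email) === 1;
}

// With the D modifier, '$' matches only at the very end of the subject,
// so a value that ends in a line break is rejected.
function matchesDollarEndOnly(string $email): bool
{
    return preg_match('/^' . EMAIL_BODY . '$/iD', $email) === 1;
}

// Constructed inputs: a clean address, the same address with a trailing
// newline (as a form field may well deliver it), and a missing domain.
$inputs = ["alice@example.com", "alice@example.com\n", "alice@"];
foreach ($inputs as $in) {
    printf("%-24s plain \$: %-5s  with D: %s\n",
        json_encode($in),
        matchesPlainDollar($in) ? 'true' : 'false',
        matchesDollarEndOnly($in) ? 'true' : 'false');
}
```

The second input is the instructive one: it is accepted by the plain-`$` version and rejected once `D` is added, which is why a regex check on its own is not a substitute for refusing line breaks in anything that becomes a header.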