
Does it make any sense to validate a received parameter which will be used, for example, only as a comparator?

Let's say I received an email address from the user and I want to check whether it exists in the database.

I could first check whether it is really an email address and then try to find it in the database, e.g.:

$email = trim($_POST["email"]);

if (isEmail($email)) {
   if (isRegisteredEmail($email)) { // Will execute a SQL query
      echo "Email address registered";
   }
   else {
      echo "Email address is not registered";
   }
}
else {
   echo "This is not an email address";
}

Or I could just simply do something like this:

if (isRegisteredEmail(trim($_POST["email"]))) { // Will execute a SQL query
   echo "Email address registered";
}
else {
   echo "Email address is not registered";
}

I believe this is probably more of a UX problem, but...

0101
    It depends how your system is done and what an 'email' address is used for. Personally, I'd do validation on the e-mail, yes. – ʰᵈˑ Dec 23 '13 at 22:07

4 Answers


Actually it depends on the requirements coming from your client "who pays for your work".

But generally yes, you should validate everything. If you don't care what your user sends to you, lots of strange things can happen. In your case, for example, multiple email addresses could be inserted in the database, and if this is a newsletter application the given user could receive multiple mails. This can be annoying and unprofessional. They can think this is spam. Generally it is not good to do anything which can look like spamming. They can also put your server on blacklists, denying valid mail communication.

Otherwise, input validation is the first line of defense in your system. You can prevent lots of different attacks if you validate everything properly (different kinds of injection techniques, cross-site scripting, etc.).

Lajos Veres
  • You misunderstood. As I mentioned above in my first comment, if I am going to save some e-mail I am checking "Is it really an email...?", but what if I only need to know whether this mail is in my database or not? Do I have to check again if it is an email and then "SELECT COUNT() FROM table WHERE email = ?;", or can I select on every received string (of course securely, using prepared statements)? – 0101 Dec 23 '13 at 22:41
  • Depending on your situation it can be worth checking whether the input really looks like an email or not. You can save a DB query. And you probably also have to care about SQL injection in this case. A third aspect of your issue can be to standardize email addresses coming from the user. I mean remove spaces, make them lowercase. The point is to avoid quasi-duplicates. – Lajos Veres Dec 24 '13 at 20:40

How are you going to check if it is registered?

If you are using an SQL query to check, and if $email is coming from an untrusted source, then it should be filtered to protect against SQL injection attacks before it is used in any SQL query.

So in this case yes, you must verify it to be a valid or reasonably valid email address before calling SQL to see if it is registered.

If you are looking it up in a short list, like one from your initialization file, then no, you don't need to check it.

Elliptical view
  • I am using SQL prepared statements, so it doesn't matter. My problem is whether I have to check that "yes, that's an email address" or "that's a user's nickname" and not only for an empty string (for instance). – 0101 Dec 23 '13 at 22:36
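An added example (not code from the question or from any of the answers) that puts the points of the two answers above together: the address is normalized (trimmed and lowercased, as Lajos Veres suggests), the format check is used only as a cheap pre-filter that saves a database round trip, and the lookup itself uses a bound parameter, so the format check is not what stands between the user's input and the SQL. The `users` table, the sample rows and the in-memory SQLite connection through PDO are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original question or answers.
// Assumes PDO with the sqlite driver; the `users` table and its rows
// are constructed sample data for the demonstration.

function normalizeEmail(string $raw): string
{
    // Collapse the quasi-duplicates mentioned above: surrounding whitespace
    // and case differences. Lowercasing the local part is a policy choice
    // (the standard allows it to be case-sensitive; providers treat it as not).
    return strtolower(trim($raw));
}

function isRegisteredEmail(PDO $db, string $raw): bool
{
    $email = normalizeEmail($raw);

    // Cheap pre-filter: a string that is not shaped like an address cannot be
    // a registered one, so skip the database round trip. This is NOT the
    // injection defence; the bound parameter below is.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // The input is bound as a value, never concatenated into the SQL text,
    // so quotes or SQL keywords inside it are just characters to compare.
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);

    return (int) $stmt->fetchColumn() > 0;
}

// --- demonstration with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.org')");

$inputs = [
    'alice@example.com',        // exact match           => registered
    '  Alice@Example.COM  ',    // same account once normalized => registered
    'carol@example.com',        // well-formed but unknown => not registered
    "' OR '1'='1",              // injection attempt, fails the format check
    "bob@example.org' OR 1=1--", // also fails the format check; even without
                                // it, the value would be bound as a literal
    '',                         // empty string, fails the format check
];

foreach ($inputs as $input) {
    printf("%-32s => %s\n", json_encode($input),
        isRegisteredEmail($db, $input) ? 'registered' : 'not registered');
}
```

Run it with `php example.php`; only the first two inputs report `registered`. The point for the question asked: the pre-filter is an optimisation and a UX nicety (a clearer error than "not registered"), while the prepared statement is what makes it safe to look up an arbitrary string.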

You cannot actually check if an email is valid (as in it belongs to that person or it exists), but you can check if it conforms to the email standard. I would do this using the filter_var function as shown below:

if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    // Email conforms
} else {
    // Email does not conform
}

To verify ownership of an email, you could ask a user to validate it first by sending a unique code to the email address with which they registered the account. In order for them to activate the account they would need this unique code, which of course would be sent to their email.

Another way is to send a random password to the email in order for them to login to the account for the first time, and then force them to change it on their first login.

Something like the following is how it would all work:

$email = trim($_POST['email']);

if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    // Look up the address with a prepared statement
    // (assumes a PDO connection in $pdo and a `users` table with an `email` column)
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $rowCount = (int) $stmt->fetchColumn();

    if ($rowCount) {
        echo 'Email is taken';
    } else {
        // Sign up the email, sending them a random code
        echo 'We have sent a unique code to your email address which you need to enter at the address...';
    }
} else {
    // Email does not conform
    echo 'The email you supplied is invalid';
}

Of course you need to store the code you send to the email address in a database. I usually store it in the "number of times logged in" column as a negative value and use that for the comparison, saving a database column.

Hope this helped.

Help
  • Thanks for your comment, but I know all those things; I am asking something different. One more explanation: if I only need to know whether an email address is taken or not (I am going to use SELECT...), should I check that the user has really sent me an email address, or can I check every value in the DB? And it doesn't have to be an email address, it can be a nickname, and in this case is it important to check, for example, if(!empty($_GET["nickname"])) and then select...? – 0101 Dec 23 '13 at 22:48

If you want to check for a valid email format, you can easily use the HTML5 email field.

<input type="email" name="email">

http://www.w3schools.com/html/tryit.asp?filename=tryhtml5_input_type_email

It will check for a format something like name@something.com.

Or you have to use a regular expression. This may help: How to validate an Email in PHP?

Kavinda Prabhath
  • Yes, but what if I do not send the email/data via an HTML form? – 0101 Dec 23 '13 at 22:32
  • If you only have to check whether an email address is registered, then you don't need to check whether it is a valid email or not. You can use mysql_real_escape_string to sanitize the input. – Kavinda Prabhath Dec 24 '13 at 00:32