0

We all know email address verification is a touchy subject, there are so many opinions on the best way to deal with it without encoding for the entire RFC. But since 2009 its become even more difficult and I haven't really seen anyone address the issue of IDN's yet.

Here is what I've been using:

preg_match(/^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,6}\z/i)

Which will work for most email addresses but what if I need to match a non Latin email address? e.g.: bob@china.中國, or bob@russia.рф

Look here for the complete list. (Notice all the non Latin domain extensions at the bottom of the list.)

Information on this subject can be found here and I think what they are saying is these new characters will simply be read as '.xn--fiqz9s' and '.xn--p1ai' on the machine level but I'm not 100% sure.

If it is, does that mean the only change I need to consider making in my code the following? (For domain extensions like .travelersinsurance and .sandvikcoromant)

preg_match(/^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,20}\z/i)

NOTICE: This is not related to the discussion found on this page Using a regular expression to validate an email address

Community
  • 1
  • 1
Vince
  • 910
  • 2
  • 13
  • 29

3 Answers3

4

Consider: Every time you make up your own new regex without validating addresses according to the complete RFC spec, you're just making the situation for using "exotic" email addresses on the web worse. You're inventing some new ad-hoc sub or superset of the official RFC spec; that means you will either have false positives or false negatives or both, you will deny people to use their actual addresses because your regex doesn't account for them correctly, or you will accept addresses which are actually invalid.

Add to that that even if the address is syntactically valid, that still doesn't mean a) the address actually (still) exists, b) belongs to that user or c) can actually receive email. In the grant scheme of things, validating the syntax is an extremely minor concern.

If you're going to validate the syntax at all, either do a very rough general check which is sure to not reject any valid addresses (e.g. /.+@.+/), or validate according to all RFC rules; don't do some in-between half-assed sort-of-strict-but-not-really validation you just came up with.

deceze
  • 510,633
  • 85
  • 743
  • 889
  • would `уникум@из.рф` be considered a valid email according to the RFC spec? – oldboy Jul 29 '19 at 07:51
  • It must be according to some RFC, otherwise it wouldn't be a usable email address. (And you'd need to follow the IDNA spec first too…) – deceze Jul 29 '19 at 08:05
  • also, how do you suggest validating *global* first names and surnames? do you think [this guy is correct to say names shouldnt be validated at all?](https://stackoverflow.com/a/2385811/7543162) – oldboy Jul 29 '19 at 21:17
  • any idea how to modify your email regex (`/.+@.+/`), so that its no more than 50 characters total, but a minimum of 1 on the left side of `@` and a minimum of `4` on the right side? something like `^.{1,}?@.{4,}?$`, but capping the total characters somehow – oldboy Jul 30 '19 at 05:00
  • First of all: *why?* How did you come up with the specific number *50*? Did you listen to anything I've said?! Secondly, ask a new question for this. Thirdly, if it's for an `input` element, use its `maxlength` attribute. If it's for server-side validation, use a separate length check; it doesn't all need to be rolled into one regex (though it's probably possible). – deceze Jul 30 '19 at 07:30
  • because i dont want to accept email addresses longer than 50 chars. 50 chars is reasonably long enough. i mean im not building a social network or anything lol. i did get a pure regex solution using a negative lookahead: `^(?!.{51,}).{1,}?@.{4,}?$` – oldboy Jul 31 '19 at 00:02
2

I'm gonna stick with the tried and true suggestion that you should send them a verification email. No need for a fancy regex that will need to be updated time and time again. Just assume they know their email address and let them enter it.

That's what I've always done when this situation comes up. If anything I would make them enter their email twice. It'll free you up to spend more time on the important parts of your site/project.

Iwnnay
  • 1,933
  • 17
  • 18
-1

Here is what I eventually came up with.

preg_match(/^[\pL\pM*+\pN._%+-]+@[\pL\pM*+\pN.-]+\.[\pL\pM*+]{2,20}\z/u)

This uses Unicode regular expressions like \pL, \pM*+ and \pN to help me deal with characters and numbers from any language.

\pL Any kind of letter from any language, upper or lower case.

\pM*+ Matches zero or more code points that are combining marks. A character intended to be combined with another character (e.g. accents, umlauts, enclosing boxes, etc.).

\pN Any number.

The expression above will work perfectly for normal email addresses like me@mydomain.com and cacophonous email addresses like a.s中3_yÄhমহাজোটেরoo文%网+d-fελληνικά@πyÄhooαράδειγμα.δοκιμή.

It's not that I don't trust people to be able to type in their own email addresses but people do make mistakes and I may use this code in other situations. For example: I need to double check the integrity of an existing list of 10,000 email addresses. Besides, I was always taught to NOT trust user input and to ALWAYS filter.

UPDATE

I just discovered that though this works perfectly when tested on sites like phpliveregex.com and locally when parsing a normal string for utf-8 content it doesn't work properly with email fields because browsers converting fields of that content type to normal latin. So an email address like bob@china.中國, or bob@russia.рф does get converted before being received by the server to bob@china.xn--fiqz9s, or bob@russia.xn--p1ai. The only thing I was really missing from my original filter was the inclusion of hyphens from the domain extention.

Here is the final version:

preg_match('/^[a-z0-9%+-._]+@[a-z0-9-.]+\.[a-z0-9-]{2,20}\z/i');
Vince
  • 910
  • 2
  • 13
  • 29
  • This regex does not allow all possible valid email addresses. See http://stackoverflow.com/questions/4816424/are-single-quotes-legal-in-the-name-part-of-an-email-address – deceze Jul 28 '16 at 11:52