31

For PHP, what is the best email validation using preg, NOT ereg, because it's deprecated/removed?

I don't need to check if the website exists (it's not like maximum security).

I've found many ways with ereg but they (obviously) aren't good practice.

Mark Lalor

3 Answers

80

I suggest you use the FILTER_VALIDATE_EMAIL filter:

if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    //valid
}

You can also use its regular expression directly:

"/^(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){255,})(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){65,}@)(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22))(?:\\.(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-[a-z0-9]+)*\\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-[a-z0-9]+)*)|(?:\\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\\]))$/iD"

But in that case, if a bug is found in the regular expression, you'll have to update your program instead of just updating PHP.

Artefacto
3

Unless you want to use a very, very long regular expression, you'll run into valid email addresses that are not covered (think Unicode). Also, fake email addresses will pass as valid, so what is the point of validating if you can simply write test@test.com and get away with it?

The best way to validate email addresses is to send a confirmation email with a link to click. This will only work if the email address is valid: easy, and no need to use regex.

Community
nico
  • simply as I said, it's not like maximum security – Mark Lalor Sep 01 '10 at 00:34
  • 4
    A reasonable developer will always check a given address for validity BEFORE attempting to send an email to the "string". So this is not an argument. But double opt-in should be done anyway - which was not the question. – Jan. Sep 01 '10 at 08:43
  • @Jan.: So, what if my email is àèìòù@mydomain.com and your preemptive check prevents me from registering on your site? Just send a confirmation email and you're set, no need to check for validity beforehand and risk blocking valid email addresses. – nico Sep 01 '10 at 13:14
  • 1
    @nico: Your example is not valid according to RFC2821 and RFC2822. Both state clearly that only 7bit ASCII characters are allowed.. and not even *any* of those. I better drop such a wrong address than to allow a spammer to abuse my server via some magic header injections. Also, Wikipedia states the following regarding internationalization of the local part: "When EAI is standardized, users will likely have a localized address in a native language script or character set, as well as an ASCII form for communicating with legacy systems or for script-independent use"... Regards. – Jan. Sep 01 '10 at 16:13
  • continuing: The RFCs about international e-mail addresses are very likely to be changed before they're going to be the new standard. So it makes no sense to implement this work-in-progress.. IMHO. – Jan. Sep 01 '10 at 16:20
  • @Jan.: you're missing my point. E-mail pre-validation does not give any added value to either you or the user. You cannot tell if the email address is real, just if it is well formed (so it does not -at all- protect you from spam), and the user has a (very small, but still present) chance of getting a legitimate email address refused if your regexp is not exhaustive (see the link in my answer). – nico Sep 01 '10 at 19:15
  • 2
    please read about header injections with email to understand what I'm talking about. – Jan. Sep 02 '10 at 16:01
  • I'm sorry... how's regexp email validation going to prevent header injection at all? – nico Sep 02 '10 at 16:25
0
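function check_email($check) {
    // D (PCRE_DOLLAR_ENDONLY) makes $ match only at the very end of the string,
    // so an address followed by a trailing newline is rejected.
    $expression = "/^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$/D";
    // preg_match() returns 1 on a match, 0 on no match and false on error.
    return preg_match($expression, $check) === 1;
}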

Call it in an if() condition, as in the example below:

if (!check_email($_REQUEST['ContactEmail'])) {
    $register_error = "Enter the correct email address!<br />";
    $reg_error = 1;
}
Gaurav Gupta
  • Can anyone tell me what the problem is in this code, because a person downvoted it? It's working fine. – Gaurav Gupta May 29 '15 at 07:30
  • It wasn't me that downvoted, but.... that is not a correct way to properly filter e-mail addresses, the correct and complete regex can be found here: http://www.ex-parrot.com/~pdw/Mail-RFC822-Address.html Secondly, using the PHP built-in FILTER_VALIDATE_EMAIL would be the correct/best way to filter an e-mail address – twigg Jun 30 '16 at 13:48
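
Added example (not part of any answer or comment above): a side-by-side run of a short allow-list pattern, the same pattern with the D modifier, and FILTER_VALIDATE_EMAIL over a few constructed inputs, including an address with a trailing newline and the non-ASCII address from the comments. The constant names, the compare_validators() helper and the sample values are assumptions made for this illustration.

```php
<?php
// Added example; the names and sample inputs below are constructed for illustration.

// Short allow-list pattern in the style of the last answer, without and with
// the D (PCRE_DOLLAR_ENDONLY) modifier. Without D, "$" also matches just
// before a newline that ends the subject string.
const SHORT_PATTERN   = '/^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$/';
const SHORT_PATTERN_D = '/^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$/D';

/**
 * Run one input through the three validators and report pass/fail for each.
 */
function compare_validators(string $input): array
{
    return [
        'short'      => preg_match(SHORT_PATTERN, $input) === 1,
        'short_D'    => preg_match(SHORT_PATTERN_D, $input) === 1,
        // filter_var() returns the validated string on success, false on failure.
        'filter_var' => filter_var($input, FILTER_VALIDATE_EMAIL) !== false,
    ];
}

// Constructed sample inputs (not taken from real traffic).
$samples = [
    'plain address'        => 'user@example.com',
    'trailing newline'     => "user@example.com\n",
    'embedded CRLF + text' => "user@example.com\r\nX-Test: 1",
    'six-letter TLD'       => 'user@example.museum',
    'non-ASCII local part' => 'àèìòù@mydomain.com',
];

foreach ($samples as $label => $input) {
    $row = compare_validators($input);
    printf(
        "%-22s short=%-4s short_D=%-4s filter_var=%s\n",
        $label,
        $row['short'] ? 'pass' : 'fail',
        $row['short_D'] ? 'pass' : 'fail',
        $row['filter_var'] ? 'pass' : 'fail'
    );
}
```

The "trailing newline" row is the one where the D modifier changes the outcome of the short pattern; the "six-letter TLD" and "non-ASCII local part" rows show where a short pattern and the built-in filter differ on well-formed input.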