-1

I am creating a contact form, and there I have an input field of type email. In the future, I am planning to save this email and all other data into a database. Therefore I have a question on how to validate that email properly in PHP.

- It has to accept UTF-8 and all international individual characters that an email can have.

For now, I have made two different email validations.

The first one is made by using `filter_var()`, but this one doesn't allow international characters to be used. (Therefore I have removed it.)

Second, I have used a custom regex `'/^[^\s@]+@[^\s@]+.[^\s@]+$/ui'`, and this one allows the use of international characters, but it also allows `'/*` and other characters which are a threat for possible SQL injection.

I am also aware that there is an option to send an email to a user to verify that email, but I am wondering: is there any verification method which I can use to validate email internationally and to prevent SQL injection?

Maybe encrypting/decrypting email? Maybe PDO should be enough?

Your Common Sense
  • 1
    Preventing SQL injection doesn't happen by ensuring you have a valid email address, it happens by using [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) with [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky May 09 '17 at 18:26
  • 1
    these are two different problems...email validation is actually pretty complicated if you want to support all valid emails per specs (see [this question](https://stackoverflow.com/questions/201323/using-a-regular-expression-to-validate-an-email-address)). For SQL Injection prevention, you should use parameterized queries and prepared statements ([this question](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)) – JCOC611 May 09 '17 at 18:28
  • This means that PDO should secure it, right? – Botić Denis May 09 '17 at 18:28
  • _"This means that PDO should secure it, right?"_ Only if you use it correctly. :) – Alex Howansky May 09 '17 at 18:29

4 Answers

0

Regex to validate non-standard email address:

    ^([\p{L}\.\-\d]+)@([\p{L}\-\.\d]+)((\.(\p{L}){2,63})+)$

Original source: How to validate non-english (UTF-8) encoded email address in Javascript and PHP?

Community
Ali Niaz
0

In case someone is looking for an answer to this question: now, after two years of working as a developer, I would agree with Alex Howansky's comment:

> Preventing SQL injection doesn't happen by ensuring you have a valid email address, it happens by using prepared statements with bound parameters.
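
An added example (not code from the question or from any answer) of the approach that comment describes: a loose Unicode-aware shape check, followed by a PDO prepared statement with a bound parameter. The `contacts` table, the function names `looksLikeEmail` and `saveContact`, and the sample addresses are assumptions made for illustration; it uses an in-memory SQLite database (pdo_sqlite) so it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: loose shape check that accepts UTF-8 addresses.
// One "@", no whitespace or control characters, a dot in the domain part.
// preg_match() with /u returns false on invalid UTF-8, so that is rejected too.
// Characters such as ' / * are legal in an address, so this check is not
// (and cannot be) the SQL injection defence.
function looksLikeEmail(string $email): bool
{
    if (strlen($email) > 254) {
        return false;
    }
    return preg_match('/^[^\s@\p{C}]+@[^\s@\p{C}]+\.[^\s@\p{C}]+$/u', $email) === 1;
}

// Hypothetical helper: the SQL text is fixed, the address is sent as a bound value.
function saveContact(PDO $pdo, string $email): bool
{
    if (!looksLikeEmail($email)) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO contacts (email) VALUES (:email)');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    return $stmt->execute();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');

// Constructed sample input: an international address, an address containing
// the characters from the question, and a string that is not an address.
$samples = ["josé@exämple.com", "o'brien/*x@example.com", "not an email"];
foreach ($samples as $email) {
    echo $email, ' => ', saveContact($pdo, $email) ? 'stored' : 'rejected', "\n";
}

// The stored values come back unchanged: the quote and comment markers were
// treated as data, never as part of the SQL statement.
$stored = $pdo->query('SELECT email FROM contacts ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored === ["josé@exämple.com", "o'brien/*x@example.com"]);
```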

0

Though I'm a little bit late this could help someone who still wants to check more.

    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        // invalid email address
    }

This will only validate whether the email format is correct or not. But if you want more than that, like whether this email really exists or not, you need to use some mail validation API.

Here is the code that I'm currently using on my website and it's working fine.

    if (isEmialExist("EMAIL_ADDRESS_THAT")) {
        echo "email exists, real email";
    } else {
        echo "email doesn't exist";
    }

    // Returns true only if the format is valid and the API reports the address as existing.
    function isEmialExist($emailAddress)
    {
        if (!filter_var($emailAddress, FILTER_VALIDATE_EMAIL)) {
            return false; // invalid format
        }
        // now check if the email really exists
        $postdata = http_build_query(array('api_key' => 'YOUR_API_KEY', 'email' => $emailAddress));
        $url = "https://email-validator.com/api/v1.0/json";
        $opts = array('http' => array(
            'method'  => 'POST',
            'header'  => 'Content-Type: application/x-www-form-urlencoded',
            'content' => $postdata,
        ));

        $context = stream_context_create($opts);
        $result = file_get_contents($url, false, $context);
        if ($result === false) {
            return false; // request failed
        }
        $data = json_decode($result, false);
        // a malformed or unexpected response counts as "not verified"
        return isset($data->is_exists) && (bool) $data->is_exists;
    }

You can find more details here: https://email-validator.com/tutorial

Deluar Hossen
-1

As recommended by brasofilo and since I don't have any code from your project to work with:

    <?php
    // $to and $from are not defined in this snippet; they are expected to be set by the calling code.
    iconv_set_encoding("internal_encoding", "UTF-8");

    $subject = "Testmail — Special Characters";
    $msg = "Hi there,\n\nthis isn’t something easy.\n\nI haven’t thought that it’s that complicated!";

    mail(utf8_decode($to), utf8_decode($subject), utf8_decode($msg), utf8_decode($from)."\nContent-Type: text/plain; charset=UTF-8\nContent-Transfer-Encoding: 8bit\n");
    ?>

php mail special characters utf8

Community
  • I have tried that already and this is not working well for international characters. Also, I have studied this on Google and it seems like developers are 50/50 about using this. It is good because you can update it with PHP, and not like regex, which you need to update on your own if there is a bug. – Botić Denis May 09 '17 at 19:07
  • I don't have an issue with email content not accepting UTF-8 characters; instead, I am just validating the HTML form input field value. The type of the input field is email. – Botić Denis May 09 '17 at 19:17