Reputation: 3050
I am using filter_var and a function to check if the email is valid:

```php
function checkEmail($email)
{
    return filter_var($email, FILTER_VALIDATE_EMAIL);
}
```
This is the only thing I do. In registration, for example, I validate the email with this function and then insert it into the database (prepared statement used, of course). But is it essential to use sanitisation in this function as well? Is there any "VALID" but "DANGEROUS" email that could cause a problem...?
Upvotes: 2
Views: 638
Reputation: 536399
FILTER_VALIDATE_EMAIL makes sure an e-mail address is valid. It has nothing to do with eliminating "dangerous" characters - i.e. characters that have special meanings in some contexts - from the string.
So input validation is all well and good, and necessary for checking that your data conforms to business rules, but it doesn't absolve you from escaping special characters when you inject the value into another context.
So any string you drop into an HTML page, you must continue to use htmlspecialchars() on, and any string you drop into a literal in a MySQL query, you must continue to use mysql_real_escape_string() (or, better, use parameterised queries as in mysqli or PDO, to avoid having to drop strings into queries). Output escaping must always happen when building content, regardless of what input validation you have done.
Is there any "VALID" but "DANGEROUS" email that could cause problem...?
Certainly. a&[email protected] would break when injected into HTML; a%[email protected] would break when injected into a URL component; a'[email protected] would break when injected into an SQL string literal. Context-dependent output escaping is vital; trying to remove all characters that might be troublesome in some context would mean getting rid of practically all punctuation, which isn't really much good.
Upvotes: 5
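The three contexts named in the answer above, worked through in code. This is an added example, not code from the question or any of the answers; it assumes PHP 8 with PDO and the pdo_sqlite extension, and the three sample addresses are constructed to carry one special character each.

```php
<?php
// Added example (not from the original answers). Assumes PHP 8 with PDO
// and the pdo_sqlite extension; the sample addresses below are constructed.
declare(strict_types=1);

// Step 1: validation only answers "is this shaped like an address?"
function checkEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Step 2: escaping is chosen by the output context, not by the input.
function emailForHtml(string $email): string
{
    // & and both quote characters become entities; safe in text and attributes
    return htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function emailForUrlQuery(string $email): string
{
    // rawurlencode percent-encodes %, &, ' and space per RFC 3986
    return 'https://example.test/verify?email=' . rawurlencode($email);
}

function storeEmail(PDO $db, string $email): int
{
    // A bound parameter is sent as data, never parsed as SQL, so ' needs no escaping
    $stmt = $db->prepare('INSERT INTO users (email) VALUES (:email)');
    $stmt->execute([':email' => $email]);
    return (int) $db->lastInsertId();
}

// Constructed sample input: syntactically valid addresses carrying a
// character that is special in HTML, in URLs and in SQL respectively.
$samples = ['a&b@example.com', 'a%b@example.com', "a'b@example.com"];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');

foreach ($samples as $email) {
    printf("%-18s valid=%s\n", $email, checkEmail($email) ? 'yes' : 'no');
    echo '  html : ', emailForHtml($email), "\n";
    echo '  url  : ', emailForUrlQuery($email), "\n";
    echo '  sql  : row ', storeEmail($db, $email), "\n";
}

// Round trip: what comes back out of the database is the unmodified address,
// which is exactly why the escaping has to happen again at every output.
$stored = $db->query('SELECT email FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored === $samples);
```

All three addresses pass checkEmail(), and each one is transformed differently depending on where it is written: the HTML and URL encoders change the bytes for that one sink only, while the prepared statement stores the original string untouched. That is the point of the answer: the stored value is still "dangerous" for the next context it is dropped into, so the escaping is a property of the output, not something validation can settle once on the way in.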
Reputation: 2504
According to Wikipedia's entry on email addresses, there are several special chars allowed in mail addresses, such as ' and %. So you should either sanitize or use prepared statements.
Upvotes: 0
Reputation: 174967
Validation and sanitation are 2 different actions.
Validation is done to ensure the user input is in the correct format you require. While sanitation is done to prevent a malicious user from damaging your database/application.
Both actions are usually required.
You can skip sanitation if you use prepared statements using MySQLi or PDO.
Upvotes: 1
Reputation: 55334
I would sanitize it before validating it just to be safe, because if the email address contains line feeds, it will also pass validation, which could cause problems (security bulletin).

```php
function checkEmail($email)
{
    // strip characters FILTER_SANITIZE_EMAIL does not allow, then validate the result
    return filter_var(
        filter_var(
            $email,
            FILTER_SANITIZE_EMAIL
        ),
        FILTER_VALIDATE_EMAIL
    );
}
```

You could also use trim() to remove trailing whitespace and newlines.
Upvotes: 0
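The sanitise-then-validate approach from the answer above, side by side with a stricter variant that rejects an address instead of silently rewriting it. This is an added example, not code from any of the answers; it assumes PHP 8, and the inputs are constructed (the last one embeds a CR/LF pair followed by a second line, the case the answer's "line feeds" remark is about).

```php
<?php
// Added example (not from the original answers). Assumes PHP 8; inputs are constructed.
declare(strict_types=1);

// Lenient path, as in the answer above: sanitise first, then validate.
function checkEmailLenient(string $raw): string|false
{
    return filter_var(filter_var(trim($raw), FILTER_SANITIZE_EMAIL), FILTER_VALIDATE_EMAIL);
}

// Strict path: anything the sanitiser would have had to change is refused,
// so a value that passes is exactly what the user submitted (after trim).
function checkEmailStrict(string $raw): ?string
{
    $email = trim($raw);                               // surrounding whitespace and newlines
    if (preg_match('/[\x00-\x1F\x7F]/', $email)) {
        return null;                                   // any control character, CR/LF included
    }
    $sanitised = filter_var($email, FILTER_SANITIZE_EMAIL);
    if ($sanitised !== $email) {
        return null;                                   // sanitiser removed something
    }
    $valid = filter_var($sanitised, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed inputs, from clean to malformed.
$inputs = [
    "user@example.com",
    "  user@example.com\n",               // trailing newline: trim() handles it
    "us er@example.com",                  // space inside the local part
    "user@example.com\r\nsecond line",    // embedded CR/LF followed by more text
];

foreach ($inputs as $raw) {
    printf(
        "%-36s lenient=%s strict=%s\n",
        json_encode($raw),
        var_export(checkEmailLenient($raw), true),
        var_export(checkEmailStrict($raw), true)
    );
}
```

The difference shows on the last two inputs. FILTER_SANITIZE_EMAIL removes the space, the CR, the LF and every other character outside its allowed set, so the lenient path returns a syntactically valid address that the user never typed (the text after the line break is glued onto the domain). The strict path returns null for both, which is the safer outcome for a registration form: a rejected submission can be corrected by the user, whereas a silently rewritten one ends up in the database with nobody aware of it.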