For PHP what is the best email validation using preg, NOT ereg because it's deprecated/removed.

I don't need to check if the website exists (it's not like maximum security).

I've found many ways with ereg but they (obviously) aren't good practice.

+7  A: 

I suggest you use the FILTER_VALIDATE_EMAIL filter:

if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    //valid
}

You can also use its regular expression directly:

"/^(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){255,})(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){65,}@)(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22))(?:\\.(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-[a-z0-9]+)*\\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-[a-z0-9]+)*)|(?:\\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\\]))$/iD"

But in that case, if a bug is found in the regular expression, you'll have to update your program instead of just updating PHP.

Artefacto
Keep in mind that an email can also contain these characters: ` ' / *`. So this validation doesn't make it DB safe.
Jan.
filter_var() is new for me. Is FILTER_VALIDATE_EMAIL good?
Marwelln
the filter_var method doesn't work too well.
Julian Young
@Jul Care to explain?
Artefacto
Sorry, I jumped the gun. I was copying and pasting an email address into my field and the input was taking some invisible line breaks which caused the validation to fail!
Julian Young
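An added example, not code from any poster in this thread: it runs `filter_var()` over raw and normalised input to cover the stray line breaks and the special characters raised in the comments above. The helper name `clean_email` and all sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example): normalise user input, then validate
 * it with filter_var(). Returns the cleaned address, or null when the
 * input must be rejected.
 */
function clean_email(string $raw): ?string
{
    // Copy/paste often drags in invisible whitespace or line breaks at the
    // edges of the value; strip those before validating.
    $email = trim($raw);

    // Anything that still contains CR, LF or another control character is
    // rejected outright rather than repaired: such bytes must never reach
    // a mail header.
    if ($email === '' || preg_match('/[\x00-\x1F\x7F]/', $email) === 1) {
        return null;
    }

    // filter_var() returns the string on success and false on failure.
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed sample inputs.
$samples = [
    'plain'            => 'user@example.com',
    'trailing newline' => "user@example.com\r\n",
    'embedded CRLF'    => "user@example.com\r\nX-Injected: 1",
    'apostrophe'       => "o'brien@example.com",
    'no domain'        => 'user@',
];

foreach ($samples as $label => $raw) {
    $rawOk   = filter_var($raw, FILTER_VALIDATE_EMAIL) !== false;
    $cleaned = clean_email($raw);
    printf(
        "%-17s raw filter_var: %-5s cleaned: %s\n",
        $label,
        $rawOk ? 'pass' : 'fail',
        $cleaned === null ? 'rejected' : var_export($cleaned, true)
    );
}
```

An address that passes can still contain characters such as `'`, so bind it as a parameter in a prepared statement instead of concatenating it into SQL.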
+2  A: 

Unless you want to use a very, very long regular expression you'll run into valid email addresses that are not covered (think Unicode). Also, fake email addresses will pass as valid, so what is the point of validating if you can simply write [email protected] and get away with it?

The best way to validate email addresses is to send a confirmation email with a link to click. This will only work if the email address is valid: easy, and no need to use regex.

nico
simply as I said, it's not like maximum security
Mark
A reasonable developer will always check a given address for validity BEFORE attempting to send an email to the "string". So this is not an argument. But double opt-in should be done anyway - which was not the question.
Jan.
@Jan.: So, what if my email is àèìòù@mydomain.com and your preemptive check prevents me from registering on your site? Just send a confirmation email and you're set; no need to check for validity beforehand and risk blocking valid email addresses.
nico
@nico: Your example is not valid according to RFC2821 and RFC2822. Both state clearly that only 7bit ASCII characters are allowed... and not even *any* of those. I'd rather drop such a wrong address than allow a spammer to abuse my server via some magic header injections. Also, Wikipedia states the following regarding internationalization of the local part: "When EAI is standardized, users will likely have a localized address in a native language script or character set, as well as an ASCII form for communicating with legacy systems or for script-independent use"... Regards.
Jan.
Continuing: The RFCs about international e-mail addresses are very likely to be changed before they become the new standard. So it makes no sense to implement this work-in-progress... IMHO.
Jan.
@Jan.: you're missing my point. E-mail pre-validation does not give any added value to either you or the user. You cannot tell if the email address is real, just if it is well formed (so it does not -at all- protect you from spam), and the user has a (very small, but still present) chance of getting a legitimate email address refused if your regexp is not exhaustive (see the link in my answer).
nico
Please read about header injections with email to understand what I'm talking about.
Jan.
I'm sorry... how's regexp email validation going to prevent header injection at all?
nico
+2  A: 

The best email validation is to send an email for verification.
All other methods are the same useless crap. It's not worth choosing the best.

Col. Shrapnel