I am working on one of my projects where users don\'t need to register or login

Question

I am working on one of my projects where users don't need to register or login to post an advert, but they have to provide email so that a confirmation link will be sent to their email address for further actions.

I was reading how poor email validation is useless and that invalid emails still can pass through most of the checking functionality. But what can go wrong if the user's email is not valid? If user's email address is //bob"the+powerfull/@mail.com and this returns as valid email through validator, what's going to happen?

Why is a simple validation is not enough? If I don't store emails in db and just sending an email confirmation? Can't I just use preg_match or filter_var? If the user uses an email like I already mentioned, do you even want users like that to visit your page at all?

Explanation / Answer

There's no need for excessive validation.

An invalid e-mail address is just an invalid e-mail address, and any decent SMTP software can handle this. In fact, if you're using a library like PHPMailer (which you should), it will check the address before it even passes it to the actual SMTP service.

Of course one might come up with a scenario where an entirely broken backend somehow chokes on invalid addresses. But then it might choke on specially crafted valid addresses as well. You'd rather fix the backend then try to work around the problem on the frontend.

Sure, basic validation makes sense, because it provides defense-in-depth, increases usability and reduces the amount of unnecessary work. But going beyond filter_var() isn't necessary. By the way, I'm not aware of any bugs in this function. It's more restrictive than required (e. g. comments aren't allowed), but it should indeed catch all invalid addresses.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.