Admin
It's even better: It only checks for the index of the first occurrence of a dot. If you have an email like [email protected], it will complain about not having a TLD. Which is even funnier because there's the extra validation of whether the address has some dot coming before the broken TLD check.
Admin
If you're looking at the "NO_TLD" condition, it uses strrpos, which returns the position of the last occurrence.
Admin
Ah, someone else who hates
john@uk
Admin
Since $errors is set and returned, all of the uses of $error would generate a warning, and someone is watching for warning messages, right?
Right?
Admin
And the most hilarious thing of all is that the right way to validate email addresses in PHP is to simply call the built-in
filter_var($values['email'], FILTER_VALIDATE_EMAIL)
.
Admin
Assuming there's no missing block of code that does something with the $error variable, the code here will create a new array.
Admin
Why not just use the built in PHP email validation?
filter_var($error["email"], FILTER_VALIDATE_EMAIL)
Admin
There is often a misunderstanding of what the difference between validation and verification is.
You validate whether a mail address is correct. It needs to be a string that has the '@' character in it, not in the first or last position, and that's it. The next best way to validate a mail address is by a handshake.
However verification of an email address is actually verifying the identity of the receiver (and therefore guaranteeing that the communication channel is verified). This begins with simple man-in-the-middle attack checks, up to full proof of identity handshakes (like sending back an agreed on identifier).
Admin
But, FILTER_VALIDATE_EMAIL only performs validation "against the addr-spec syntax in RFC 822", and does not support "comments, whitespace folding, and dotless domain names".
So FILTER_VALIDATE_EMAIL will sometimes produce false negatives, and exclude as valid email addresses that are indeed valid in practice.
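To make the two threads above concrete (the strpos/strrpos "first versus last dot" confusion, and the dotless-domain caveat of FILTER_VALIDATE_EMAIL), here is an added example that is not code from the article or from any commenter; the naiveTldCheck function is an assumed reconstruction of a "dot somewhere after the @" check, and the sample addresses are constructed for illustration.

```php
<?php
// Added example: a naive "has a TLD" check in both its strpos and strrpos
// flavours, side by side with PHP's built-in filter_var validator.

function naiveTldCheck(string $email, bool $useLastDot): bool
{
    $at = strpos($email, '@');
    if ($at === false) {
        return false; // no '@' at all
    }
    // strpos finds the FIRST dot, strrpos the LAST one; with a dot in the
    // local part (jane.doe@...) only the strrpos variant sees the domain's dot.
    $dot = $useLastDot ? strrpos($email, '.') : strpos($email, '.');
    return $dot !== false && $dot > $at;
}

function builtinCheck(string $email): bool
{
    // Validates against the RFC 822 addr-spec syntax only; dotless domains,
    // comments and folded whitespace are rejected, so expect false negatives.
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample addresses covering the cases discussed in the comments.
$samples = [
    'jane.doe@example.com', // dot before AND after the '@'
    'john@uk',              // dotless domain
    'a@b.c@d.e',            // more than one '@'
    'user@example',         // domain without any dot
];

printf("%-22s %-8s %-8s %s\n", 'address', 'strpos', 'strrpos', 'filter_var');
foreach ($samples as $email) {
    printf("%-22s %-8s %-8s %s\n",
        $email,
        naiveTldCheck($email, false) ? 'ok' : 'NO_TLD',
        naiveTldCheck($email, true)  ? 'ok' : 'NO_TLD',
        builtinCheck($email) ? 'valid' : 'invalid');
}
```

Run it with `php` on the command line; the table makes it visible which addresses each check accepts, and that neither naive variant rejects the address with two '@' characters.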
Admin
Allows multiple "@"
Admin
I just want to point out that if you run a variable that isn't set through the empty function, it will act as you mentioned, but still throw a warning in the logs. Checking if it's set first like this avoids putting that extra cruft in the logs.
Admin
Ha, I also didn't notice that until you pointed it out. That's probably the most hilarious problem in the article, and falls under "the real WTF is PHP". Who would think it's a good idea to have a function named "strpos" (already a silly name) then have another function that just looks like a typo of the first.
Admin
So not all of the uses of $error will generate warnings, but enough of them will. Of course, so should any IDE from the last 20 years.
Admin
Yeah, verification emails. Like on instagram. First, I found my email address had been used by someone to create an account. For sure not me. Then I "took my account back" using the password recovery. Now it's deleted. Instascam.
Admin
Of course that ugly naming convention precedes PHP by a couple of decades. The C standard library used "strchr" to find the first occurrence of a character in a string and "strrchr" to find the last occurrence.
One could probably build an argument that "strpos" is a more intuitive description of the function than "strchr".
On the early machines where C was developed, only the first 6 characters of an identifier (such as a subroutine name) were used by the linker...so library naming conventions had to be carefully crafted.