• (nodebb)

    It's even better: It only checks for the index of the first occurrence of a dot. If you're having an email like [email protected], it will complain about not having a TLD. Which is even funnier because there's the extra validation whether the address has some dot coming before the broken TLD check.

  • (nodebb) in reply to Melissa U

    If you're looking at the "NO_TLD" condition, it uses strrpos, which returns the position of the last occurrence.

  • (nodebb)

    Ah, someone else who hates john@uk

  • (nodebb)

    Since $errors is set and returned, all of the uses of $error would generate a warning, and someone is watching for warning messages, right?

    Right?

  • RLB (unregistered)

    And the most hilarious thing of all is that the right way to validate email addresses in PHP is to simply call the built-in filter_var($values['email'], FILTER_VALIDATE_EMAIL).

  • (nodebb) in reply to Dragnslcr

    Assuming there's no missing block of code that does something with the $error variable, the code here will create a new array.

  • TheMonkey (unregistered)

    Why not just use the built in PHP email validation?

    filter_var($error["email"], FILTER_VALIDATE_EMAIL)

  • (nodebb)

    There is often a misunderstanding of what the difference between validation and verification is.

    You validate if a mail is correct. It needs to be a string that has the '@' character in it, not on the first or last position and that's it. The next best way to validate a mail address is by a handshake.

    However verification of an email address is actually verifying the identity of the receiver (and therefore guaranteeing that the communication channel is verified). This begins with simple man-in-the-middle attack checks, up to full proof of identity handshakes (like sending back an agreed on identifier).

  • Toodlelew (unregistered) in reply to RLB

    But, FILTER_VALIDATE_EMAIL only performs validation "against the addr-spec syntax in RFC 822", and does not support "comments, whitespace folding, and dotless domain names".

    So FILTER_VALIDATE_EMAIL will sometimes produce false negatives, and exclude as valid email addresses that are indeed valid in practice.

  • John (unregistered)

    Allows multiple "@"

  • Joey (unregistered)

    I just want to point out that if you run a variable that isn't set through the empty function, it will act as you mentioned, but still throw a warning in the logs. Checking if it's set first like this avoids putting that extra cruft in the logs.

  • xtal256 (unregistered) in reply to Dragnslcr

    Ha, I also didn't notice that until you pointed it out. That's probably the most hilarious problem in the article, and falls under "the real WTF is PHP". Who would think it's a good idea to have a function named "strpos" (already a silly name) then have another function that just looks like a typo of the first.

  • (nodebb) in reply to miquelfire

    So not all of the uses of $error will generate warnings, but enough of them will. Of course, so should any IDE from the last 20 years.

  • (nodebb)

    Yeah, verification emails. Like on instagram. First, I found my email address had been used by someone to create an account. For sure not me. Then I "took my account back" using the password recovery. Now it's deleted. Instascam.

  • (nodebb) in reply to xtal256

    Of course that ugly naming convention precedes PHP by a couple of decades. The C standard library used "strchr" to find the first occurrence of a character in a string and "strrchr" to find the last occurrence.

    One could probably build an argument that "strpos" is a more intuitive description of the function than "strchr".

    On the early machines where C was developed, only the first 6 characters of an identifier (such as a subroutine name) were used by the linker...so library naming conventions had to be carefully crafted.
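The comments above contrast PHP's built-in FILTER_VALIDATE_EMAIL (which rejects dotless domains such as john@uk) with the minimal "one '@', not in first or last position" rule, and note that addresses with several '@' should be caught. The following PHP is an added example, not code from the article or from any commenter, and the candidate addresses in it are constructed for illustration:

```php
<?php
// Added example: compares PHP's built-in email filter with the minimal
// structural rule described in the thread, over constructed candidates.

/** Minimal check from the thread: exactly one '@', with text on both sides.
 *  Deliberately permissive; whether the mailbox exists can only be settled
 *  by a confirmation mail (verification), not by syntax (validation). */
function minimalEmailCheck(string $email): bool
{
    $first = strpos($email, '@');           // first '@'
    if ($first === false || $first === 0 || $first === strlen($email) - 1) {
        return false;
    }
    // strrpos returns the LAST '@'; if it differs from the first, there are several.
    return strrpos($email, '@') === $first;
}

/** Built-in check against the RFC 822 addr-spec syntax.
 *  Per the PHP documentation it does not accept dotless domains. */
function builtinEmailCheck(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed candidates covering the cases raised in the comments.
$candidates = [
    'user@example.com',        // ordinary address
    'first.last@example.com',  // dot before the '@'
    'john@uk',                 // dotless domain (rejected by the built-in filter)
    'a@b@example.com',         // multiple '@'
    '@example.com',            // '@' in first position
    'user@',                   // '@' in last position
];

foreach ($candidates as $email) {
    printf("%-26s minimal=%-5s filter_var=%s\n",
        $email,
        minimalEmailCheck($email) ? 'true' : 'false',
        builtinEmailCheck($email) ? 'true' : 'false');
}
```

Run it with `php example.php` to see which candidates each rule accepts; the disagreement on the dotless domain is the false negative Toodlelew describes.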

Leave a comment on “Where is the Validation At?”
