Email (validation, verification and email injection)

kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Post by kkonline »

I am using a simple tell-a-friend type of thing which sends the current URL to the specified email address.

I have three concerns for its successful working:
1> email validation -- using regex
2> email verification -- if an email is valid, that does not mean it exists... so some techniques to check it. But on this forum, someone said checking this is blocked by a few sites as a hacking attempt and blacklist

3> prevention from email injection.

I searched the forum and most of the posts deal only with the first point. Can we discuss the methods and code relating to the next two points?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

1: I use this regex:

Code:

if(!preg_match("#^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$#", $_POST['email_address']))
{
	//invalid email
}
2: No idea.

3: Replacing new lines should prevent most header injections.

Code:

$email_address = str_replace(array("\r", "\n", "\r\n"), '', $_POST['email_address']);
SwiftMailer probably has some checks against header injections (I say that tentatively, as I vaguely recall reading about it).
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
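Added example, not part of any post in this thread: one way to handle point 3 for the tell-a-friend form by rejecting input that contains CR/LF or other control bytes instead of stripping it, and by keeping every header except the validated recipient fixed. The function names, the From address and the sample inputs are assumptions made up for the illustration.

```php
<?php
// Added example; function names are hypothetical, sample inputs are constructed.

// True if the value contains CR, LF or any other control byte.
function has_ctl(string $v): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $v) === 1;
}

// Returns the argument list for mail(), or null if any input is unsafe.
// Tampered input is rejected outright instead of being stripped and sent.
function build_tell_a_friend(string $to, string $url): ?array
{
    if (has_ctl($to) || has_ctl($url)) {
        return null;                       // extra header lines or junk bytes
    }
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return null;                       // not exactly one valid address
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        return null;                       // only plain web links are mailed
    }
    // Subject and From are fixed strings: the only user data that reaches a
    // header is the recipient, which has already passed both checks above.
    $headers = ['From' => 'noreply@example.com'];
    $body    = "A friend thought you might like this page:\n\n" . $url . "\n";
    return [$to, 'A page recommended to you', $body, $headers];
}

// Constructed inputs: a clean address, one carrying an extra header line,
// and one trying to pass a recipient list.
$samples = [
    'friend@example.com',
    "friend@example.com\r\nBcc: other@example.net",
    'friend@example.com, other@example.net',
];
foreach ($samples as $to) {
    $args = build_tell_a_friend($to, 'https://example.com/article?id=7');
    echo json_encode($to), ' => ', $args === null ? 'rejected' : 'accepted', "\n";
    // In the real handler: if ($args !== null) { mail(...$args); }
}
```

Only the first sample is accepted; the other two are refused before anything is handed to mail().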
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

You may try to check whether the domain exists and has mail server:

Code:

// escapeshellarg() keeps a user-supplied domain from being interpreted by the shell
if (shell_exec("dig ".escapeshellarg($domain)." MX | grep 'ANSWER: 0,'") == "")
{
     echo "Domain exists and has a mail server!";
}
else
{
     echo "Domain doesn't exist or doesn't have a mail server !";
}
That can be used with Linux OS.
There are 10 types of people in this world, those who understand binary and those who don't
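Added example, not part of any post in this thread: the same domain check done with PHP's built-in checkdnsrr() instead of a shell pipeline, so the user-supplied domain is never placed on a command line and the check does not depend on dig being installed. It goes slightly beyond the post by falling back to A/AAAA records when no MX exists; the function name, the injectable lookup parameter and the stub DNS table are assumptions made up so the demo runs offline.

```php
<?php
// Added example; function names are hypothetical, the stub DNS table is constructed.

// Returns true if mail could be routed to the address's domain.
// $lookup takes (host, type) like checkdnsrr(), so tests can stub it out.
function domain_accepts_mail(string $email, ?callable $lookup = null): bool
{
    $lookup = $lookup ?? 'checkdnsrr';

    // Syntax first: nothing malformed ever reaches the resolver.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Trailing dot makes the name absolute, so resolver search suffixes
    // from the host's own configuration are not appended.
    $domain = substr(strrchr($email, '@'), 1) . '.';

    // MX is the normal case; a domain without MX can still receive mail
    // on its A/AAAA host, so those are checked as a fallback.
    foreach (['MX', 'A', 'AAAA'] as $type) {
        if ($lookup($domain, $type)) {
            return true;
        }
    }
    return false;
}

// Constructed stand-in for DNS so the demo needs no network access.
$fakeDns = ['example.com.' => ['MX'], 'legacy.example.' => ['A']];
$stub = function (string $host, string $type) use ($fakeDns): bool {
    return in_array($type, $fakeDns[$host] ?? [], true);
};

// Constructed inputs: MX present, A record only, no records, bad syntax.
$samples = [
    'user@example.com',
    'user@legacy.example',
    'user@nowhere.invalid',
    'not-an-address',
];
foreach ($samples as $email) {
    $ok = domain_accepts_mail($email, $stub);
    echo $email, ' => ', $ok ? 'domain accepts mail' : 'no mail route', "\n";
}
// In production, omit the second argument to query real DNS.
```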
kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Post by kkonline »

VladSun wrote: You may try to check whether the domain exists and has mail server:

Code:

// escapeshellarg() keeps a user-supplied domain from being interpreted by the shell
if (shell_exec("dig ".escapeshellarg($domain)." MX | grep 'ANSWER: 0,'") == "")
{
     echo "Domain exists and has a mail server!";
}
else
{
     echo "Domain doesn't exist or doesn't have a mail server !";
}
That can be used with Linux OS.
I read somewhere that checking for such MX server existence is not a good practice and many sites consider this as a hacking attempt or something.

Secondly, will checking for the MX server make the processing slow?
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Post by califdon »

Have you searched for information online? There are a lot of good tutorials and sample scripts. Try:
http://www.devshed.com/c/a/PHP/Email-Ad ... -with-PHP/
http://www.phpeasystep.com/workshopview.php?id=24
http://forum.codecall.net/php-tutorials ... ation.html
http://www.phpbuilder.com/board/showthr ... t=10315424
...and on and on.

Be aware that even determining that a mail server is running at a given domain name doesn't ensure that there is a particular user account there. In short, there's really no foolproof way to determine that an email address is 100% valid. Even if a user account exists, there's no assurance that it is active and that anyone ever checks it.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

kkonline wrote: 1. I read somewhere that checking for such MX server existence is not a good practice and many sites consider this as a hacking attempt or something.
2. Secondly, will checking for the MX server make the processing slow?
1. No, it's not true.
2. Time consumed for this operation is equal to the time of the DNS query - let's say 100ms :)
califdon wrote: Be aware that even determining that a mail server is running at a given domain name doesn't ensure that there is a particular user account there. In short, there's really no foolproof way to determine that an email address is 100% valid. Even if a user account exists, there's no assurance that it is active and that anyone ever checks it.
I agree.
There are 10 types of people in this world, those who understand binary and those who don't
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

scottayy wrote: SwiftMailer probably has some checks against header injections (I say that tentatively, as I vaguely recall reading about it).
Indeed, it does lossless header injection prevention. People "strip" out newlines etc., which removes information that may actually be supposed to be there. Swift Mailer instead encodes these invalid characters into valid ones which the client can interpret.
claws
Forum Commoner
Posts: 73
Joined: Tue Jun 19, 2007 10:54 am

Post by claws »

Thanks a lot.

Learnt a way to check whether an email exists or not.