Email (validation, verification and email injection)

Posted: Fri Sep 07, 2007 10:59 am
by kkonline
I am using a simple tell-a-friend type of thing which sends the current URL to the specified email address.

I have three concerns for its successful working:
1> email validation -- using regex
2> email verification -- if an email is valid, that does not mean it exists... so some techniques to check it. But on this forum, someone said checking this is blocked by a few sites as a hacking attempt and blacklisted

3> prevention from email injection.

I searched the forum and most of the posts deal only with the first point. Can we discuss the methods and code relating to the next two points?

Posted: Fri Sep 07, 2007 11:04 am
by s.dot
1: I use this regex:

// Syntax check only; it does not prove that the mailbox exists.
if(!preg_match("#^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$#", $_POST['email_address']))
{
	//invalid email
}

2: No idea.

3: Replacing new lines should prevent most header injections.

// Strip CR and LF and keep the cleaned value; use it, not the raw POST field, in mail headers.
$email_address = str_replace(array("\r", "\n", "\r\n"), '', $_POST['email_address']);

SwiftMailer probably has some checks against header injections (I say that tentatively, as I vaguely recall reading about it).

Posted: Fri Sep 07, 2007 11:12 am
by VladSun
You may try to check whether the domain exists and has a mail server:

// escapeshellarg() stops shell metacharacters in $domain from being run as commands.
if (shell_exec("dig ".escapeshellarg($domain)." MX | grep 'ANSWER: 0,'") == "")
{
     echo "Domain exists and has a mail server!";
}
else
{
     echo "Domain doesn't exist or doesn't have a mail server !";
}
That can be used with Linux OS.

Posted: Fri Sep 07, 2007 11:30 am
by kkonline
VladSun wrote: You may try to check whether the domain exists and has a mail server:

// escapeshellarg() stops shell metacharacters in $domain from being run as commands.
if (shell_exec("dig ".escapeshellarg($domain)." MX | grep 'ANSWER: 0,'") == "")
{
     echo "Domain exists and has a mail server!";
}
else
{
     echo "Domain doesn't exist or doesn't have a mail server !";
}
That can be used with Linux OS.
I read somewhere that checking for such MX server existence is not a good practice and many sites consider this as a hacking attempt or something.

Secondly, will checking for the MX server make the processing slow?

Posted: Fri Sep 07, 2007 12:44 pm
by califdon
Have you searched for information online? There are a lot of good tutorials and sample scripts. Try:
http://www.devshed.com/c/a/PHP/Email-Ad ... -with-PHP/
http://www.phpeasystep.com/workshopview.php?id=24
http://forum.codecall.net/php-tutorials ... ation.html
http://www.phpbuilder.com/board/showthr ... t=10315424
...and on and on.

Be aware that even determining that a mail server is running at a given domain name doesn't ensure that there is a particular user account there. In short, there's really no foolproof way to determine that an email address is 100% valid. Even if a user account exists, there's no assurance that it is active and that anyone ever checks it.

Posted: Fri Sep 07, 2007 3:40 pm
by VladSun
kkonline wrote: 1. I read somewhere that checking for such MX server existence is not a good practice and many sites consider this as a hacking attempt or something.
2. Secondly, will checking for the MX server make the processing slow?
1. No, it's not true.
2. Time consumed for this operation is equal to the time of the DNS query - let's say 100ms :)
califdon wrote: Be aware that even determining that a mail server is running at a given domain name doesn't ensure that there is a particular user account there. In short, there's really no foolproof way to determine that an email address is 100% valid. Even if a user account exists, there's no assurance that it is active and that anyone ever checks it.
I agree.

Posted: Sat Sep 08, 2007 4:17 am
by Chris Corbyn
scottayy wrote: SwiftMailer probably has some checks against header injections (I say that tentatively, as I vaguely recall reading about it).
Indeed, it does lossless header injection prevention. People "strip" out newlines etc which removes information that may actually be supposed to be there. Swift Mailer instead encodes these invalid characters into valid ones which the client can interpret.
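
Added example, not part of the thread or any poster's code: one way to combine the three checks discussed above in PHP. It rejects (rather than strips or encodes) CR/LF in the address, validates syntax with filter_var(), and does the MX lookup with checkdnsrr() instead of shelling out to dig. The function names and sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers for a tell-a-friend form.

/** True when the value contains no CR, LF or NUL and is safe to place in a mail header. */
function header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/** Returns null when the address is acceptable, otherwise the reason it was rejected. */
function check_recipient(string $email, bool $checkDns = false): ?string
{
    // 1. Header injection: refuse outright, so nothing after a newline ever reaches mail().
    if (!header_safe($email)) {
        return 'control characters in address';
    }
    // 2. Validation: syntax only, says nothing about whether the mailbox exists.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid syntax';
    }
    // 3. Verification: DNS lookup without a shell. A positive answer shows the domain
    //    can receive mail, not that this particular user account exists.
    if ($checkDns) {
        $domain = substr(strrchr($email, '@'), 1);
        if (!checkdnsrr($domain, 'MX') && !checkdnsrr($domain, 'A')) {
            return 'domain has no MX or A record';
        }
    }
    return null;
}

// Constructed sample inputs; DNS check left off so the demo runs offline.
$samples = [
    'friend@example.com',
    "friend@example.com\r\nX-Injected: 1",
    'not-an-address',
];
foreach ($samples as $sample) {
    $reason = check_recipient($sample);
    printf("%-45s %s\n", json_encode($sample), $reason ?? 'ok');
}
```

Apply header_safe() to every user-supplied value that ends up in a header, including the subject and any "From" name, not only the recipient address.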

Posted: Sun Sep 09, 2007 12:35 am
by claws
Thanks a lot.

Learnt a way to check whether an email exists or not.