0

I am creating contact form and there I have input field, type email. In the future, I am planing to save this email and all other data into database. Therefore I have a question on how to validate that email properly in PHP?

-It has to accept utf-8 and all international individual characters that email can have.

For now, I have made two different email validations.

First one is made by using filter_var() but this one doesn't allow international characters to be used. (Therefore I have removed it.)

Second, I have used custom regex '/^[^\s@]+@[^\s@]+.[^\s@]+$/ui' and this one is allowing use of international characters but it also allows '/* and other characters which are threat for possible SQL injection.

I am also aware, that there is an option to send email to a user to verify that email but I am wondering, is there any verification method which I can use to validate email internationally and to prevent SQL injection?

Maybe encrypting/decrypting email? Maybe PDO should be enough?

Botić Denis
  • 76
  • 8
  • 1
    Preventing SQL injection doesn't happen by ensuring you have a valid email address, it happens by using [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) with [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky May 09 '17 at 18:26
  • 1
    these are two different problems...email validation is actually pretty complicated if you want to support all valid emails per specs (see [this question](https://stackoverflow.com/questions/201323/using-a-regular-expression-to-validate-an-email-address)). For SQL Injection prevention, you should use parameterized queries and prepared statements ([this question](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)) – JCOC611 May 09 '17 at 18:28
  • This means that PDO should secure it, right? – Botić Denis May 09 '17 at 18:28
  • _"This means that PDO should secure it, right?"_ Only if you use it correctly. :) – Alex Howansky May 09 '17 at 18:29

3 Answers3

0

Regex to validate non-standard email address:

^([\p{L}\.\-\d]+)@([\p{L}\-\.\d]+)((\.(\p{L})      {2,63})+)$

Original source How to validate non-english (UTF-8) encoded email address in Javascript and PHP?

Community
  • 1
  • 1
Ali Niaz
  • 312
  • 3
  • 10
0

As recommended by brasofilo and since I dont have any code from your project to work with:

<?php
 iconv_set_encoding("internal_encoding", "UTF-8");

$subject = "Testmail — Special Characters";
$msg = "Hi there,\n\nthis isn’t something easy.\n\nI haven’t thought that it’s that complicated!";

mail(utf8_decode($to), utf8_decode($subject), utf8_decode($msg), utf8_decode($from)."\nContent-Type: text/plain; charset=UTF-8\nContent-Transfer-Encoding: 8bit\n");?>

php mail special characters utf8

Community
  • 1
  • 1
ThatOneGuyThatDontGetIt
  • 5
  • 1
  • 6
  • I have tried that already and this is not working well for international characters. Also I have study this on google and it seems like developers are 50/50 about using this. It is good becasue You can update it with PHP and not like regex which You need to update it on your own if there is a bug. – Botić Denis May 09 '17 at 19:07
  • I don't have an issue with email content not accepting utf-8 characters instead I am just validating html form input field value. Type of the input field is email. – Botić Denis May 09 '17 at 19:17
0

In case someone is looking for an answer to this question, Now after two years of working as a developer I would agree with Alex Howansky comment:

Preventing SQL injection doesn't happen by ensuring you have a valid email address, it happens by using prepared statements with bound parameters.

Botić Denis
  • 76
  • 8