I am using filter_var and a function to check if the email is valid:
<?php
// Returns the address itself when it is syntactically valid, false otherwise.
function checkEmail($email)
{
    return filter_var($email, FILTER_VALIDATE_EMAIL);
}
This is the only thing I do. In registration, for example, I validate the email with this function, then insert it into the database (prepared statement used, of course). But is it essential to use sanitisation in this function as well? Is there any “VALID” but “DANGEROUS” email that could cause a problem…?
FILTER_VALIDATE_EMAIL makes sure an e-mail address is valid. It has nothing to do with eliminating “dangerous” characters, i.e. characters that have special meanings in some contexts, from the string. So input validation is all well and good, and necessary for checking that your data conforms to business rules, but it doesn’t absolve you from escaping special characters when you inject the value into another context.
So any string you drop into an HTML page, you must continue to use htmlspecialchars() on, and any string you drop into a literal in a MySQL query, you must continue to use mysql_real_escape_string() on (or, better, use parameterised queries as in mysqli or PDO, to avoid having to drop strings into queries at all). Output escaping must always happen when building content, regardless of what input validation you have done.

Certainly. a&a@b.com would break when injected into HTML; a%a@b.com would break when injected into a URL component; a'a@b.com would break when injected into an SQL string literal. Context-dependent output escaping is vital; trying to remove all characters that might be troublesome in some context would mean getting rid of practically all punctuation, which isn’t really much good.
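The three addresses the answer names, carried through all three output contexts, as an added example that is not code from the question or the answer. It validates with FILTER_VALIDATE_EMAIL, then escapes the same stored value differently for HTML, for a URL query component and for SQL, and shows the quote case actually breaking an interpolated statement next to the bound one that works. It uses PDO with an in-memory SQLite database so it runs stand-alone (the mysql_* extension the answer mentions was removed in PHP 7); the table names, the unsubscribe URL and the sample inputs are made up for illustration.

```php
<?php
// Added example, not code from the question or the answer above.
// Assumes PHP with the PDO SQLite driver; tables, URL and inputs are invented.

/** Returns the address itself when it is syntactically valid, false otherwise. */
function checkEmail(string $email)
{
    return filter_var($email, FILTER_VALIDATE_EMAIL);
}

/** Escape for an HTML text node or a quoted attribute value. */
function emailForHtml(string $email): string
{
    return htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Percent-encode for use as one query-string value, so '%' becomes '%25'. */
function emailForUrl(string $email): string
{
    return 'https://example.com/unsubscribe?email=' . rawurlencode($email);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (email TEXT NOT NULL)');        // bound inserts
$pdo->exec('CREATE TABLE users_unsafe (email TEXT NOT NULL)'); // interpolated inserts

// Constructed inputs: the first three pass FILTER_VALIDATE_EMAIL and each
// carries a character that is special in some output context; the last fails.
$inputs = [
    'a&a@b.com',       // '&' starts an entity in HTML
    'a%a@b.com',       // '%' starts a percent-escape in a URL
    "a'a@b.com",       // "'" closes an SQL string literal
    'not an address',  // rejected by validation
];

foreach ($inputs as $raw) {
    $email = checkEmail($raw);
    if ($email === false) {
        echo "rejected by filter_var: $raw\n";
        continue;
    }
    echo "valid: $email\n";
    echo "  html: " . emailForHtml($email) . "\n";
    echo "  url:  " . emailForUrl($email) . "\n";

    // Wrong: interpolating the validated value into the SQL text. For
    // a'a@b.com the quote changes the statement's structure and the
    // insert fails; with attacker-chosen input it could do something else.
    try {
        $pdo->exec("INSERT INTO users_unsafe (email) VALUES ('$email')");
        echo "  interpolated insert: ok\n";
    } catch (PDOException $e) {
        echo "  interpolated insert: FAILED (" . $e->getMessage() . ")\n";
    }

    // Right: bind the value as a parameter; it never reaches the SQL parser,
    // so no escaping of the stored value is needed or wanted.
    $stmt = $pdo->prepare('INSERT INTO users (email) VALUES (:email)');
    $stmt->execute([':email' => $email]);
    echo "  bound insert: ok\n";
}

// The bound rows hold the addresses verbatim: escaping belongs at output time,
// in the context the value is written into, not at validation time.
foreach ($pdo->query('SELECT email FROM users') as $row) {
    echo "stored: {$row['email']}\n";
}
```

Run it with `php example.php`. The point to notice is that the same stored string needs a different transformation in each place it is written: `a&a@b.com` becomes `a&amp;a@b.com` only in the HTML output, `a%a@b.com` becomes `a%25a@b.com` only in the URL, and the quote in `a'a@b.com` is harmless in the bound insert precisely because nothing was escaped or stripped on the way in.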