Home/ Questions/Q 7537923
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T06:58:45+00:00

I understand this has been discussed before but since this post in late 2010

  • 0

I understand this has been discussed before but since this post in late 2010 and other discussions around that time when issues were raised – Does FILTER_VALIDATE_EMAIL make a string safe for insertion in database? – I have tried some of the situations described, such as using single quotes and the ` characters in an email form where I am using FILTER_VALIDATE_EMAIL and it has blocked them from being entered into the database.

Have recent releases of PHP fixed earlier issues and is it safe?

I’m tempted to also use mysql_real_escape_string(), presumably the two functions can be used in parallel without any conflict?

Here is the mailing list code that I am using to put addresses into the database

    <?php
// connects the database access information this file
include("mailing_list_include.php");

// the following code relates to mailing list signups only
if (($_POST) && ($_POST["action"] == "unsub")) {
// trying to ubsubscribe; validate email addresses
if ($_POST["email"] == "") {
    header("Location: mailing_list_remove.php");
    exit;

} else {
    // connect to database
    doDB();

    // filtering out anything that isn't an email address
    if ( filter_var(($_POST["email"]), FILTER_VALIDATE_EMAIL)  == TRUE) {
        echo '';
    } else {
        echo 'Invalid Email Address';
        exit;
    }

    // check that email is in the database
    emailChecker($_POST["email"]);

    // get number of results and do action
    if (mysqli_num_rows($check_res) < 1) {
        // free result
        mysqli_free_result($check_res);

        // print failure message
        $display_block = "We couldn't find ".$_POST["email"].". No action has therefore been taken.";

    } else {
        // get value of ID from result
        while ($row = mysqli_fetch_array($check_res)) {
            $id = $row["id"];
        }

        // unsubscribe the address
        $del_sql =  "DELETE FROM subscribers
                    WHERE id = '".$id."'";
        $del_res =  mysqli_query($mysqli, $del_sql)
                    or die(mysql_error($mysqli));
        $display_block = " Your email address, ".$_POST["email"].", is unsubscribed!";
    }
    mysqli_close($mysqli);
}
}
?>
<html>
<?php echo "$display_block";?>
</html>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The filter_var flag FILTER_VALIDATE_EMAIL will do what it says = Validate value as e-mail, meaning if its not an email it will return false.

    You might be looking for FILTER_SANITIZE_EMAIL which will (Remove all characters, except letters, digits and !#$%&’*+-/=?^_`{|}~@.[] )

    or
    FILTER_SANITIZE_STRING will Strip tags, optionally strip or encode special characters.

    Tho I don’t recommend w3schools it has a list of filter_var flags http://www.w3schools.com/php/php_ref_filter.asp

    Also as others have said, use PDO’s prepared query’s tobe safe, you can find a great pdo example here: http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html#10 which will explain a few things and there is also a simple pdo CRUD (Create Retrieve Update Delete) class here: http://www.phpro.org/classes/PDO-CRUD.html

    good luck…

    • 0