Using eregi validation with mysql_real_escape_string

th88

Hi there

I am using this function to do a very simple email validation:

function checkEmail($email)
         {
            if(eregi("^[a-zA-Z0-9_]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+$]", $email))
            {
              return FALSE;
            }
         }

        $email   = mysql_real_escape_string($_POST['email']);

     if(checkEmail($email) == FALSE)
     {
        echo "<p class=\"thankyou\">E-mail entered is not valid</p>";
     }
     else
     {
         $comp_name = "Great competition!";
        $query = " INSERT INTO comps (email, comp_name) ".
        " VALUES ('$email','$comp_name')";
        mysql_query($query) or die('Error ,query failed');
        echo "<p class=\"thankyou\">Thanks for entering!</p>";
     }

However, it always returns FALSE, even if it's a valid email. I think it's the way I'm using mysql real escape string with it. Can anyone point me in the right direction? Basically I want to use mysql real escape string as well as being able to validate the input (albeit in a simple manner)

etully

First of all, I think you want your function to return TRUE, not FALSE. That could be the entire problem right there.

Second, there's no need to do the mysql_real_escape_string BEFORE you run the checkEmail() function. Let's say that they did include some SQL injection. There's no harm in performing an eregi on dangerous code. It would just fail anyway. And besides, if the mysql_real_escape_string DID change a valid email into something screwy, then the valid email won't pass the checkEmail() test... so you really don't want to do the mysql_real_escape_string first.

Third, your eregi pattern is so picky that no SQL injection could get through. If the email DOES pass the checkEmail function, then there's really no reason to use the mysql_real_escape_string. It can't hurt to use it, it's just unnecessary.

Fourth, the ereg functions are going to go away soon. Use preg_match instead.

Fifth, your eregi pattern is not really correct.
This email is vaild but would fail your checkEmail function: obama@whitehouse.gov.us
This email is invaild but would pass your checkEmail function: bones@foobar.123

But other than that, you're on the right track.

nrg_alpha

I would not recommend using ereg, as POSIX (Portable Operating System Interface - of which ereg is part of) will not be included within the core of PHP as of version 6. I would instead urge you to learn PCRE (Perl Compatible Regular Expressions - think preg) instead.

As for email validation, this is a very slippery slope. If not set up properly, you can loose some valid emails. I point to this thread for advice.

Weedpacket

Also, look at using [man]filter_input[/man] to filter user input, which has an email filter (I don't know how strict/loose it is).