If I use the FILTER_SANITIZE_EMAIL function as shown below, is it necessary to check or strip special chars?
if (filter_var($sanitized_a, FILTER_VALIDATE_EMAIL)) {
echo "This (a) sanitized email address is considered valid.\n";
}
Not sure I understand the question... what "special chars" are you talking about? What makes a character "special?"
" ' < > etc...
FILTER_VALIDATE_EMAIL gives you true/false (valid / not valid). If you removed anything from the email address string first, you would not be checking the original email, which seems pointless to me.
As dagon points out, the SANITIZE_EMAIL filter is, IMHO, useless and should never be used.
Otherwise, yes, all of those characters you mentioned could still pass validation. After all, those are valid characters to use in an e-mail address. For example, this e-mail address:
"Test<'>Me"@mydomain.com
is perfectly valid.
EDIT: Also note that "stripping out" characters doesn't make sense either.
If I told you my phone number was 123-4567, and you decided that you didn't like the numbers 3 or 7 and stripped them out, do you think the phone number "124-56" would still reach me? Same applies for e-mail addresses.
" < > ' are valid in an email address? That's news to me.
Would a preg match be better for this?
function checkEmail($email) {
    if(preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $email)){
        list($username,$domain)=explode('@',$email); // explode() instead of split(), which was removed in PHP 7
        if(!checkdnsrr($domain,'MX')) {
            return false;
        }
        return true;
    }
    return false;
}
A-GB wrote:" < > ' are valid in an email address ?
Indeed they are. The Wikipedia article entitled Email address gives a summary of the syntax that is valid according to the applicable RFCs.
A-GB wrote:Would a preg match be better for this?
No, because your regular expression pattern rejects valid e-mail addresses.
bradgrafelman;10981148 wrote:As dagon points out, the SANITIZE_EMAIL filter is, IMHO, useless and should never be used.
:eek:
i never said don't use FILTER_VALIDATE_EMAIL, i use it for checking email on every project.
i even go so far as to this on a certain system that is borked with some valid email addresses
if(filter_var($email,FILTER_VALIDATE_EMAIL) != false){ //valid
    if( !preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/",$email)){
        // $bc and $companyname come from the surrounding record being processed
        $bad_email[]= array('bc'=>$bc,'companyname'=>$companyname,'email'=>$email,'note'=>'Technically valid but will cause problems');
        return false;
    }else{
        return true;
    }
}
@: I wasn't talking about FILTER_VALIDATE_EMAIL at all in that part of my post. I was referring to your comment:
dagon wrote:if you removed anything from the email address string first, you would not be checking the original email, which seems pointless to me.
which is precisely what the FILTER_SANITIZE_EMAIL option does.
dagon wrote:i even go so far as to this on a certain system that is borked with some valid email addresses
That's unfortunate, since it rejects e-mail addresses such as 'brad+grafelman@mysite.com' (which angers me to no end when websites do that).
Sorry dragon, I don't do oop yet :/
Would this work...
'/^[_a-z0-9-][^()<>@,;:\\"[] ]*@([a-z0-9-]+.)+[a-z]{2,4}$/i'
yeah i got confused, sorry,
and yes it sucks that i have to tell people their valid email address is not allowed. It has to write back to a legacy accounting system written around 10 years ago, by people that did not know what was allowed as an email address.
@: I'm confused, why are you not simply using the FILTER_VALIDATE_EMAIL filter?
A-GB;10981155 wrote:Sorry dragon, I don't do oop yet :/
there's no OOP in my post.
I don't know what to use anymore.
A-GB;10981159 wrote:I don't know what to use anymore.
How about the code you posted in the first post of this thread?
if (filter_var($sanitized_a, FILTER_VALIDATE_EMAIL)) {
echo "This (a) sanitized email address is considered valid.\n";
}
This is sufficient to check/validate email address and prevent SQL injection?
A-GB wrote:This is sufficient to check/validate email address
Yes.
A-GB wrote:and prevent SQL injection?
No.
So what do you suggest to achieve both?
Since an e-mail address is a string, you can prevent SQL injections using the same method as you would for any other string (e.g. mysql_real_escape_string() if using the 'mysql' library/extension).
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

$_POST['emailaddress'] = clean($_POST['emailaddress']);

// Validate Email Address
if (filter_var($_POST['emailaddress'], FILTER_VALIDATE_EMAIL)) {
    // Email Address Validates
    if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['emailaddress'])) {
        // Email Address Is Valid
    } else {
        // Email Address Is Not Valid
    }
} else {
    // Email Address Does Not Validate
    $error_array[] = 'The email address is not valid.';
    $error_flag = true;
}
???
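An added example, written by the editor and not taken from any post in this thread, putting the two answers above together: validate the untouched input with FILTER_VALIDATE_EMAIL (showing what FILTER_SANITIZE_EMAIL would have changed), then store it through a PDO prepared statement, which is an alternative to the mysql_real_escape_string() approach mentioned above. It assumes the pdo_sqlite extension so it runs offline; the sample addresses and the subscribers table are constructed for the demo.

```php
<?php
// Constructed sample inputs, including the addresses discussed in the thread.
$samples = [
    'plain@example.com',
    'brad+grafelman@mysite.com',  // '+' is valid; the thread's regex rejects it
    '"Test<\'>Me"@mydomain.com',  // quoted local part containing < > ' is RFC-valid
    '"unclosed@example.com',      // malformed: the quote is never closed
];

/** Validate the original string as submitted; never "fix" it first. */
function validateEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/** Insert a validated address; binding the value keeps it out of the SQL text. */
function storeEmail(PDO $db, string $email): bool
{
    if (!validateEmail($email)) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO subscribers (email) VALUES (:email)');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    return $stmt->execute();
}

// In-memory SQLite stands in for the real database (assumption: pdo_sqlite is loaded).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');

foreach ($samples as $email) {
    // FILTER_SANITIZE_EMAIL is run only to illustrate the point made above:
    // it silently alters the input, so what you validate is no longer what was typed.
    $sanitized = filter_var($email, FILTER_SANITIZE_EMAIL);
    printf("%-28s sanitized=%-28s valid=%-3s stored=%s\n",
        $email, $sanitized,
        validateEmail($email) ? 'yes' : 'no',
        storeEmail($db, $email) ? 'yes' : 'no');
}

// Read back what was stored: quotes and angle brackets arrive intact because
// they were passed as a bound parameter, not spliced into the query string.
foreach ($db->query('SELECT email FROM subscribers') as $row) {
    echo 'stored: ', $row['email'], PHP_EOL;
}
```

Run it with `php example.php`; the quoted and '+' addresses should be stored while the unclosed-quote one is rejected before any query is built.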