Viewed   71 times

I use the filter_var PHP function to validate email address when a user signs up to my site.

I use this code from the post:

$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);

then later I do:

if(!$email) {
  // return to the form 
else {
  // send registration info

now when I var_dump($email), I get the output:

string(23) "user."name""

I would like to know why this does not return false. I think the double quotes are not acceptable, so why does PHP say it’s valid?



It is a valid email address :

A quoted string may exist as a dot separated entity within the local-part or it may exist when the outermost quotes are the outermost chars of the local-part (e.g. abc."defghi"[email protected] or "abcdefghixyz" are allowed. abc"defghi"[email protected] is not; neither is abc"def"[email protected]).

Tuesday, November 15, 2022

Try using your ISP's or company's server as a relay. Use a sending address which exists, so that validation can be done on it, and bounces sent back to it. You may want to setup a separate domain for verification such as You could then send the validation message from [email protected]. Replace application and example as appropriate.

You may also want to look at

Sunday, December 11, 2022

Basically if your mailbox is an IMAP you could reference these functions via PHP (if enabled, check your phpinfo()) and read that specific mailbox ( Run a cronjob every 10 minutes maybe (I say 10minutes as I dont see many people doing this), loop thru all the emails (if any), run your logic to verify that email account, send them an email to say its been verified, then delete that email item from your account so you are not creating a massive backlog of emails.

Its risky way of wanting someone to verify but this is probably one way of doing it.

Thursday, December 15, 2022

There is no point. Even if you can verify that the email address is syntactically valid, you'll still need to check that it was not mistyped, and that it actually goes to the person you think it does. The only way to do that is to send them an email and have them click a link to verify.

Therefore, a most basic check (e.g. that they didn't accidentally entered their street address) is usually enough. Something like: it has exactly one @ sign, and at least one . in the part after the @:


You'd probably also want to disallow whitespace -- there are probably valid email addresses with whitespace in them, but I've never seen one, so the odds of this being a user error are on your side.

If you want the full check, have a look at this question.

Update: Here's how you could use any such regex:

import re

if not re.match(r"... regex here ...", email):
  # whatever

Python ?3.4 has re.fullmatch which is preferable to re.match.

Note the r in front of the string; this way, you won't need to escape things twice.

If you have a large number of regexes to check, it might be faster to compile the regex first:

import re

EMAIL_REGEX = re.compile(r"... regex here ...")

if not EMAIL_REGEX.match(email):
  # whatever

Another option is to use the validate_email package, which actually contacts the SMTP server to verify that the address exists. This still doesn't guarantee that it belongs to the right person, though.

Sunday, August 28, 2022

An email address must not exceed 254 characters.

This was accepted by the IETF following submitted erratum. A full diagnosis of any given address is available online. The original version of RFC 3696 described 320 as the maximum length, but John Klensin subsequently accepted an incorrect value, since a Path is defined as

Path = "<" [ A-d-l ":" ] Mailbox ">"

So the Mailbox element (i.e., the email address) has angle brackets around it to form a Path, which a maximum length of 254 characters to restrict the Path length to 256 characters or fewer.

The maximum length specified in RFC 5321 states:

The maximum total length of a reverse-path or forward-path is 256 characters.

RFC 3696 was corrected here.

People should be aware of the errata against RFC 3696 in particular. Three of the canonical examples are in fact invalid addresses.

I've collated a couple hundred test addresses, which you can find at

Sunday, November 27, 2022
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :