This question already has an answer here:
im looking for all the ways to prevent people from entering php code into text field at the php level. i have prevention from sql injection but do i not need a way to prevent people from say messing with my if statements?
$email=$_POST["email"];
if(filter_var($email, FILTER_VALIDATE_EMAIL))
{
//do suff
}
can a user not enter something like "not@a@valid@email.com = valid@email.com" as the email and it will be considered valid. I know this example isn't bad for the server but i'm sure others and come up with more deadly.
Or am i worrying about something that is never a problem?
</div>
This is not a problem, since the user data is the value of a string. It's no different from saying:
filter_var("die()", FILTER_VALIDATE_EMAIL)
That also doesn't kill your program. It's just text.
Just don't use eval. Not ever, but specifically not ever on user input.