I am creating contact form and there I have input field, type email. In the future, I am planing to save this email and all other data into database. Therefore I have a question on how to validate that email properly in PHP?
-It has to accept utf-8 and all international individual characters that email can have.
For now, I have made two different email validations.
First one is made by using filter_var() but this one doesn't allow international characters to be used. (Therefore I have removed it.)
Second, I have used custom regex '/^[^\s@]+@[^\s@]+.[^\s@]+$/ui' and this one is allowing use of international characters but it also allows '/* and other characters which are threat for possible SQL injection.
I am also aware, that there is an option to send email to a user to verify that email but I am wondering, is there any verification method which I can use to validate email internationally and to prevent SQL injection?
Maybe encrypting/decrypting email? Maybe PDO should be enough?
In case someone is looking for an answer to this question, Now after two years of working as a developer I would agree with Alex Howansky comment:
Preventing SQL injection doesn't happen by ensuring you have a valid email address, it happens by using prepared statements with bound parameters.
Regex to validate non-standard email address:
^([\p{L}\.\-\d]+)@([\p{L}\-\.\d]+)((\.(\p{L}) {2,63})+)$
Original source How to validate non-english (UTF-8) encoded email address in Javascript and PHP?
As recommended by brasofilo and since I dont have any code from your project to work with:
<?php
iconv_set_encoding("internal_encoding", "UTF-8");
$subject = "Testmail — Special Characters";
$msg = "Hi there,
this isn’t something easy.
I haven’t thought that it’s that complicated!";
mail(utf8_decode($to), utf8_decode($subject), utf8_decode($msg), utf8_decode($from)."
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
");?>