I am working with a form validation script; I am testing it first and all seems to work fine except for the email validation.

This is a snippet of the script dealing with the email validation:

    else if (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email))
        $_SESSION['reg']['email'] = "Please enter valid email address.";

For example, if a User enters the following in the email field, an error message is displayed, obviously: test1

If they enter test1@, an error is displayed.

If they enter test1@gmail.c, an error is displayed.


If they enter test1@gmail.co OR, for example, test1@gmail.cop it is validated as true - No error message displayed.

This makes absolutely no sense to me.

This is from that snippet, specifically handling User input of their email address.


I am not familiar with the above at all and am not sure what to do to remedy this issue.

You can view and try this live if you wish: http://www.redlinedown.com/jQuery/registration/index.php

Thank you in advance for any help!


I believe, from what I can see, that the validation requires a . followed by two or three characters (\.[a-z]{2,3}), so email addresses like test1@gmail.com would validate as true, whereas email addresses containing a . followed by only one character would throw up an error.

There are some pre-built functions: http://www.php.net/manual/en/filter.examples.validation.php which would filter this information for you.

Hope this answers your question, slightly.

Your validation rule is working as expected. As mentioned by phorce, this part of the rule (\.[a-z]{2,3}) indicates that a period is required and then two or three characters are required, and the characters that are acceptable are lowercase a-z. So an email address ending in gmail.co is definitely acceptable. There are two and three letter top level domains out there, so this rule seems appropriate to me. If you only want to allow certain top level domains then your rule would have to be modified to something like this (off the top of my head here...) \.(co|com|net|org|etc)

In addition: the eregi() function is weak; an attacker can submit extra code by using a null byte character. For example:


    $email = $_GET['email'];

    // eregi() is not binary-safe: the match stops at the first NUL byte,
    // so whatever follows "\0" in $email is never seen by the pattern.
    if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email))
        echo "<strong>$email</strong> is correct";
    else
        echo "<strong>$email</strong> is wrong";

And submit these links:

# first

# second

# third

The first will return true as expected, the second false as expected because we are trying to submit two mails at the same time; the third instead will return true and will allow inserting two emails instead of one.

More information:
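As an added example (not code from the question or from any of the answers above), here is the same grammar run through the binary-safe preg_match(), next to the built-in filter phorce pointed to, over constructed inputs that mirror the question plus a NUL-byte smuggling attempt; the function names and sample values are my own:

```php
<?php
// Added example: binary-safe replacements for the eregi() check discussed above.
// Not part of the original question or answers; the inputs below are constructed.

// Same rule as the original, but preg_match() is binary-safe: a NUL byte in
// $email does not cut the string short, so "a@b.com\0anything" fails to match.
// \z instead of $ also refuses a trailing newline; /i keeps eregi's case-insensitivity.
const EMAIL_PATTERN = '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})\z/i';

function validateWithRegex(string $email): bool
{
    return preg_match(EMAIL_PATTERN, $email) === 1;
}

// The pre-built filter from the PHP manual page linked in phorce's answer.
// It rejects control characters such as NUL and does not hard-code a 2-3 letter TLD.
function validateWithFilter(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs: the ones from the question, a valid address, and a
// second address smuggled in after a NUL byte.
$samples = [
    "test1",
    "test1@",
    "test1@gmail.c",
    "test1@gmail.co",
    "test1@gmail.cop",
    "test1@gmail.com",
    "test1@gmail.com\0second@gmail.com",
];

foreach ($samples as $email) {
    printf("%-40s regex=%-5s filter=%s\n",
        addcslashes($email, "\0"),   // render the NUL byte visibly as \000
        validateWithRegex($email) ? 'true' : 'false',
        validateWithFilter($email) ? 'true' : 'false');
}
```

Both validators reject the NUL-byte sample; they still differ on the TLD rule, which is a policy choice rather than a bug, and any value that passes should still be escaped with htmlspecialchars() before it is echoed back into HTML.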