#211245 08/05/2001 12:35 PM
Joined: Aug 2000
Posts: 17
Newbie
The PHP version does not correctly filter out domains from the "bademail" file (only specific emails).

Also, there is no check to see if there is a valid email entered before registering the account. Someone could for example enter "nonsense" as the email, and the account would be registered. This fix checks not only valid email syntax, but also if the domain has an MX record, so nobody can enter [email protected].

This is a hack for adduser.php. Look for the comment "Let's see if the email is valid" and replace the following block:


// --------------------------------------
// Let's see if the email domain is valid
$bademails = file ("$config[path]/filters/bademail");
while (list($linenum,$line) = each($bademails)) {
    $line = chop($line);
    if ( (ereg("^\n",$line)) || (ereg("^\r",$line)) || (ereg("^#/",$line)) ) {
        continue;
    }
    if (ereg($Email,$line)) {
        $html -> not_right("$lang[BAD_EMAIL] $_.",$Cat);
    }
}



With the following two blocks of code. The second part is kind of ugly, and I ended up getting rid of ereg function calls. I consider this "beta" code, so if you want to try it out at your own risk I'd appreciate any feedback.

// --------------------------------------
// Let's see if the email is valid (syntax/MX record)
$ValidEmailAddy = FALSE;
// Syntax check; note that {2,3} rejects top-level domains longer than three letters
if (eregi("^[0-9a-z]([-_.]?[0-9a-z])*@[0-9a-z]([-.]?[0-9a-z])*\\.[a-z]{2,3}$", $Email, $check)) {
    // Look up an MX record for the part after the '@'
    if ( getmxrr(substr(strstr($check[0], '@'), 1), $validate_email_temp) ) {
        $ValidEmailAddy = TRUE;
    }
}
if ($ValidEmailAddy == FALSE) {
    // Escape the rejected input before echoing it back into the page
    $html -> not_right("<b>" . htmlspecialchars($Email) . "</b> is not a valid email address.",$Cat);
}

// --------------------------------------
// Let's see if the email address/domain is valid (not filtered in "bademail")
$domain = strtolower(substr(strstr($Email,'@'),1));
$bademails = file ("$config[path]/filters/bademail");
while (list($linenum,$line) = each($bademails)) {
    $line = strtolower(chop($line));
    // Skip blank lines and comment lines
    if ( (ereg("^\n",$line)) || (ereg("^\r",$line)) || (ereg("^#/",$line)) ) {
        continue;
    }
    // Exact, case-insensitive match on either the full address or its domain
    if ( (strcmp(strtolower($Email),$line))==0 || (strcmp($domain,$line))==0 ) {
        $html -> not_right("$lang[BAD_EMAIL] <b>$Email</b>",$Cat);
    }
}

Joined: May 1999
Posts: 90
Member
That would be an interesting feature and would get rid of those unusable accounts created on invalid email addresses. I've seen several email validation scripts in php (using both regexp's and getmxrr) on a page some time ago but can't remember the url. They were also discussing troubles encountered on some subdomains that were not validated by the form because they didn't have mx records but were able to receive mail anyway. I'll dig for it and post again when I find it.
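
An added example, not part of either post above and not UBB.threads code: the same three checks (syntax, "bademail" filter on address or domain, DNS) in current PHP, with an A/AAAA fallback for the subdomains without MX records mentioned in the reply, and with the rejected input escaped before it is echoed. All function names are hypothetical, the '#' comment syntax for the filter file is an assumption, and the DNS lookup is injected so the constructed sample runs offline.

```php
<?php
// Added example: names are hypothetical, sample data is constructed.

/** Parse bademail-style lines: one address or domain per line ('#' comments assumed). */
function load_blocklist(array $lines): array {
    $set = [];
    foreach ($lines as $line) {
        $line = strtolower(trim($line));
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        $set[$line] = true;
    }
    return $set;
}

/** True if the domain can receive mail: MX first, then the A/AAAA fallback. */
function domain_accepts_mail(string $domain, callable $hasRecord): bool {
    foreach (['MX', 'A', 'AAAA'] as $type) {
        if ($hasRecord($domain, $type)) {
            return true;
        }
    }
    return false;
}

/** Returns null if the address is acceptable, otherwise an HTML-safe error message. */
function check_registration_email(string $email, array $blocklist, callable $hasRecord): ?string {
    $shown = htmlspecialchars($email, ENT_QUOTES, 'UTF-8'); // never echo raw input
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return "<b>$shown</b> is not a valid email address.";
    }
    $addr = strtolower($email);
    $domain = substr(strrchr($addr, '@'), 1);
    // Exact lookups: user input is never used as a regex pattern.
    if (isset($blocklist[$addr]) || isset($blocklist[$domain])) {
        return "<b>$shown</b> is a filtered address or domain.";
    }
    if (!domain_accepts_mail($domain, $hasRecord)) {
        return "<b>$shown</b>: domain cannot receive mail.";
    }
    return null;
}

// Constructed sample data; on a live site pass 'checkdnsrr' as $hasRecord.
$blocklist = load_blocklist(["# throwaway domains\n", "spam.example\n", "bob@corp.example\n"]);
$dns = ['corp.example' => ['MX'], 'sub.corp.example' => ['A']];
$stub = fn(string $d, string $t): bool => in_array($t, $dns[$d] ?? [], true);
foreach (['nonsense', 'a@spam.example', 'Bob@Corp.example', 'x@sub.corp.example', 'x@nodns.example'] as $e) {
    echo $e, ' => ', check_registration_email($e, $blocklist, $stub) ?? 'ok', "\n";
}
```

Only `x@sub.corp.example` passes here: it has no MX record in the stub but does have an A record, which is the case the MX-only check would reject.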

Joined: Jul 2001
Posts: 4
Lurker
I see what you're saying there, but wouldn't it be simpler to just set config.inc.php to not allow new users to specify their password at the time of registration? Then they can only get their password to login if they supplied a valid address.

Joined: Aug 2000
Posts: 17
Newbie
Problem with this is that it creates a "dead" account. W3T does not have account activation or approval. It is created immediately when signing up. I guess if you don't mind dead/phony accounts that never get used inflating your member list then it's not a problem.

Joined: May 1999
Posts: 90
Member
That's exactly the idea. If they submit a wrong address the account is unusable since they can't receive the password. Of course one could purge accounts that are X months old and solve the problem.
Also it would be nice to have a confirmation system in which the user has to click on a URL having a unique hash in order to activate the account (or/and having an admin/moderator approve the new account before it can post -- I've seen cases where some users registered several 'clones' only to support some pathetic remarks that nobody was agreeing with). Also, there have been recent talks here about making even more fields compulsory upon registration. I am aware however that a complex registration process may not be enjoyed by some users (keep in mind that one's idea about 'easy' could mean 'difficult' for somebody else) so the whole thing should be kept to a minimum... as long as the (configurable) registration confirmation gets in ;)

Anyway, I've found the link for the email validating code I was talking about earlier -- look in the user contributed notes area.

EDIT: I've begun writing this post before busybee replied but got carried away with other stuff and didn't manage to finish it until now.

Last edited by razvan; 08/09/2001 4:00 PM.