Page 1 of 1

Email check during registration

Posted: 20 Mar 2013, 16:05
by anthony
Hi,
when someone registers in multiple users mode, no check is done on the email address, which leads to registrations with bogus addresses (@gmail;com for example). Could this be added to the code ?

Code: Select all

diff --git a/register.php b/register.php
index 12b1aa0..3c24ae2 100644
--- a/register.php
+++ b/register.php
@@ -254,6 +254,14 @@
                        return;
                }
 
+               if (!preg_match("/^[_a-zA-Z0-9-]+[_a-zA-Z0-9-+\.]*@[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$/i", $_REQUEST["email"])) {
+                       print_error(__("Please provide a valid email address."));
+                       print "<p><form method=\"GET\" action=\"index.php\">
+                               <input type=\"submit\" value=\"".sprintf(__("Return to %s"), TITLE)."\">
+                               </form>";
+                       return;
+               }
+
                if ($test == "four" || $test == "4") {
 
                        $result = db_query($link, "SELECT id FROM ttrss_users WHERE
@@ -365,7 +373,7 @@
 
                                        $rc = $mail->Send();
 
-                                       print_notice(__("Account created successfully."));
+                                       print_notice(__("Account created successfully. Please check your emails to get your password."));
 
                                        print "<p><form method=\"GET\" action=\"index.php\">
                                        <input type=\"submit\" value=\"".sprintf(__("Return to %s"), TITLE)."\">

Re: Email check during registration

Posted: 20 Mar 2013, 18:31
by fox
Pull request?

Re: Email check during registration

Posted: 20 Mar 2013, 18:34
by craywolf
Validating email addresses with regular expressions is complicated. For example, your regular expression won't match [email protected]. It also won't match john.o'[email protected], which is syntactically valid (though I'll admit it's unlikely).

In theory, this will match 99% of email addresses in use (taken from here):

Code: Select all

[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?


But it still doesn't guarantee the address will be valid, because it doesn't check that the TLD is valid. It will accept [email protected] and also [email protected]. Though it will work if you just want to stop at enforcing valid syntax.

Good luck.

Re: Email check during registration

Posted: 20 Mar 2013, 18:39
by fox
I think it would be better to check for host validity or something, don't even bother checking anything to the left of @. No idea how to check for MX records in php, but eh.

Edit: it's not like it's needed anyway, person with an invalid email address won't receive the activation ticket and that would be it.

Re: Email check during registration

Posted: 20 Mar 2013, 19:03
by phz
craywolf wrote:Validating email addresses with regular expressions is complicated. For example, your regular expression won't match [email protected]. It also won't match john.o'[email protected], which is syntactically valid (though I'll admit it's unlikely).

In theory, this will match 99% of email addresses in use (taken from here):

Code: Select all

[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?


But it still doesn't guarantee the address will be valid, because it doesn't check that the TLD is valid. It will accept [email protected] and also [email protected]ospam. Though it will work if you just want to stop at enforcing valid syntax.

Good luck.

Using HTML5, the client side check for valid email syntax can be simplified to:

Code: Select all

<input type="email" required id="email">

Ah, the serenity :-) .

It is more or less impossible to go on a strong hunt after valid domains and servers and usernames, etc. That part more or less solves itself via emails bouncing if the service does not exist.

Re: Email check during registration

Posted: 20 Mar 2013, 19:04
by fox
That. I like that.

Re: Email check during registration

Posted: 20 Mar 2013, 21:03
by punipuni

Re: Email check during registration

Posted: 20 Mar 2013, 21:06
by fox
This really is an overkill. Also, I don't think tt-rss will ever run on a browser not supporting the input type email.

Re: Email check during registration

Posted: 21 Mar 2013, 13:55
by anthony
Right, the email input is really better!

What about this small change? I think it makes it clearer what the user has to do to proceed.

Code: Select all

@@ -365,7 +373,7 @@
 
                                        $rc = $mail->Send();
 
-                                       print_notice(__("Account created successfully."));
+                                       print_notice(__("Account created successfully. Please check your emails to get your password."));
 
                                        print "<p><form method=\"GET\" action=\"index.php\">
                                        <input type=\"submit\" value=\"".sprintf(__("Return to %s"), TITLE)."\">

Re: Email check during registration

Posted: 21 Mar 2013, 14:06
by fox
Isn't that obvious? :evil:

Re: Email check during registration

Posted: 21 Mar 2013, 18:11
by shabble
fox wrote:No idea how to check for MX records in php, but eh.

Should you ever need it in future: http://php.net/manual/en/function.checkdnsrr.php

From the code on my site (don't bother with the URL in the comments - it doesn't appear to be live any more):

Code: Select all

class email_address_handler{
   function localhost(){
      if ($_SERVER['SERVER_ADDR'] == '127.0.0.1' and $_SERVER['REMOTE_ADDR'] == '127.0.0.1'){
         return true;
      }else{
         return false;
      }
   }
   function valid_host($email_address){
      if (!$this->localhost()){
         //http://www.sitepoint.com/article/users-email-address-php
         // take a given email address and split it into the  username and domain.
         list($userName, $mailDomain) = split("@", $email_address);
         if (!checkdnsrr($mailDomain, "MX")) {
         // this is an invalid email domain
            return false;
         }
      }
      return true;
   }
[rest is site specific functionality not relevant to this]
}

Re: Email check during registration

Posted: 22 Mar 2013, 12:18
by anthony
fox wrote:Isn't that obvious? :evil:


OK I'll add it on my side :)