|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #53395 FILTER_VALIDATE_EMAIL return false on valid emails
Submitted: 2010-11-24 12:58 UTC Modified: 2012-03-05 15:45 UTC
From: edanpr at gmail dot com Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.3.3 OS: debian
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: edanpr at gmail dot com
New email:
PHP Version: OS:


 [2010-11-24 12:58 UTC] edanpr at gmail dot com
In php 5.3.3 using filter_var to validate email (FILTER_VALIDATE_EMAIL) that got more than one period (.) or dash (-) results in error while in 5.3.2 it didn't. will return false on 5.3.3 and true on 5.3.2 will return false on 5.3.3 and true on 5.3.2

Test script:
$adr1 = '';
$adr2 = '';
var_dump(filter_var($adr1, FILTER_VALIDATE_EMAIL));
var_dump(filter_var($adr2, FILTER_VALIDATE_EMAIL));

Expected result:
string(15) ""
string(13) ""

Actual result:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2010-11-25 04:06 UTC]
-Status: Open +Status: Bogus -Package: Unknown/Other Function +Package: Filter related
 [2010-11-25 04:06 UTC]
filter_var() is right in both cases here: domain names can only
include consecutive hyphens when being used for internationalised
domains (which implies that the name is of the form xn--XXX), and the
local part of an e-mail address can't include consecutive dots, per
the grammar in RFC 5322.
 [2010-11-25 04:39 UTC] edanpr at gmail dot com
Ok, 2 dots is wrong, but double dash is still a valid domain which means users can have email there. - real domain - real domain
 [2010-11-25 06:41 UTC]
This comes back to whether we filter according to spec or we filter according to 
real-world cases that go against the spec.  The problem with the latter is that it 
is not a finite problem.  If we go by the spec we can simply follow the spec and 
we are done.  But yes, you are right, there are domains out there that are not 
legal according to the RFCs but have still been issued for whatever reason.  2 
hyphens is definitely not valid in non-IDN domain names.
 [2010-11-25 09:47 UTC] edanpr at gmail dot com
I think it's very easy to answer this question. Filter according to 
real-world cases, otherwise, you are making this function useless.

People expect to use this function to validate email, if this function return false on valid emails, we got a problem and this function becomes useless.

I already had to add a secondary check in my email validation function to support multiple dashes domains.
 [2012-03-05 15:43 UTC] al at hosteurope dot de
According to the DENIC Guidelines a hyphen is allowed on very position except on 
the third and fourth position:


In addition to the TLD ending ".de", a domain may only be comprised of digits 
(0–9), hyphens, the letters A-Z of the Latin alphabet and the other letters 
listed in the Annex. It may neither begin nor end with a hyphen, nor may it have 
a hyphen as both its third and fourth characters. No distinction is made between 
upper and lower case. The minimum length of a domain is one character and its 
maximum length is 63 characters; if the domain includes characters listed in the 
Annex, the decisive criterion for determining the maximum length is the so-
called ACE-encoded form of the domain as defined in Request for Comments 5890.

So please fix this asap, or the filter_vars function is very useless.
 [2012-03-05 15:45 UTC]
This was fixed "ASAP" nearly 2 years ago. Update your PHP.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Feb 22 12:01:29 2024 UTC