Bug #77089 An email with an invalid character passes filter_var validation
Submitted: 2018-10-31 15:26 UTC
Modified: 2018-10-31 16:14 UTC
From: marco dot bagnaresi at golee dot it
Assigned: cmb
Status: Not a bug
Package: filter (PECL)
PHP Version: 7.1.23
OS: Windows
Private report: No
CVE-ID: None
 [2018-10-31 15:26 UTC] marco dot bagnaresi at golee dot it
Description:
------------
An email with an invalid character ' is filtered as a valid email.

Test script:
---------------
$email = "hello'@world.it";
$sanitized_email = filter_var($email, FILTER_SANITIZE_EMAIL);
$this->assertEquals($email,$sanitized_email,"The email should not be valid!");

Expected result:
----------------
The email should not pass validation.

Actual result:
--------------
The email is returned from the filter_var function.

 [2018-10-31 15:55 UTC] nospam at relianthost dot co dot uk
See: https://secure.php.net/manual/en/filter.filters.sanitize.php

> FILTER_SANITIZE_EMAIL
> Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].

This is not a bug, as the filter does as the documentation intended.
 [2018-10-31 16:07 UTC] cmb@php.net
-Package: *Mail Related
+Package: filter
 [2018-10-31 16:14 UTC] cmb@php.net
-Status: Open
+Status: Not a bug
-Assigned To:
+Assigned To: cmb
 [2018-10-31 16:14 UTC] cmb@php.net
hello'@world.it is a valid email address according to RFC 5322[1].

[1] <https://tools.ietf.org/html/rfc5322>
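
Added example, not part of the original report or of PHP's own code: it contrasts FILTER_SANITIZE_EMAIL, which the test script used, with FILTER_VALIDATE_EMAIL, and then stores the reported address through a bound parameter, since a valid address may contain an apostrophe. The checkEmail helper, the sample inputs other than the reported address, the subscribers table and the availability of the pdo_sqlite extension are assumptions.

```php
<?php
declare(strict_types=1);

// Compare the two filters on one input. Sanitizing only strips characters
// outside the documented set; validating answers "is this an address?".
function checkEmail(string $input): array
{
    $sanitized = filter_var($input, FILTER_SANITIZE_EMAIL);
    $validated = filter_var($input, FILTER_VALIDATE_EMAIL); // string or false
    return [
        'sanitized' => $sanitized,
        'unchanged' => $sanitized === $input,
        'valid'     => $validated !== false,
    ];
}

// First entry is the address from the report; the rest are constructed.
$samples = [
    "hello'@world.it",
    "hel lo@world.it",
    "hello(at)world.it",
    "hello@@world.it",
];

foreach ($samples as $input) {
    $r = checkEmail($input);
    printf(
        "%-20s sanitized=%-18s unchanged=%-5s valid=%s\n",
        $input,
        $r['sanitized'],
        var_export($r['unchanged'], true),
        var_export($r['valid'], true)
    );
}

// A valid address can contain an apostrophe, so store it as bound data.
// Assumes the pdo_sqlite extension; the table name is hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE subscribers (email TEXT NOT NULL)');

$email = filter_var("hello'@world.it", FILTER_VALIDATE_EMAIL);
if ($email !== false) {
    $stmt = $pdo->prepare('INSERT INTO subscribers (email) VALUES (:email)');
    $stmt->execute([':email' => $email]);
}
echo $pdo->query('SELECT email FROM subscribers')->fetchColumn(), "\n";
```

Comparing the sanitized string with the input, as the test script does, only shows that no characters were stripped; the `valid` column is the one that reports whether the input is accepted as an address.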
 
Last updated: Fri Oct 24 07:00:01 2025 UTC