Don't use regular expressions to "validate" email addresses
bignose+hates-spam at benfinney.id.au
Fri Sep 22 04:17:15 CEST 2006
[Please don't top-post above the text you're replying to.]
"bruce" <bedouglas at earthlink.net> writes:
> if you were creating a web app with an email form... rather than try
> to check if the email is valid...
Where did I advise not checking? I advised the only kind of check that
> you'd create something to allow anyone to potentially spam the hell
> out of a system...
If the system allows anyone to register email addresses rapidly and
continually send emails, *that's* what needs to be fixed.
> my two cents worth... try to verify/validate that the email is
> valid, and possibly belongs to the user...
I hope you're not seriously suggesting that any kind of "validation"
of the text of an email address, without any attempt to use that email
address, can give any information about whether that email address
"belongs" to the user of a web application.
There are basic checks that can be done to say "no, this is not an
email address"; for instance, if there's no '@' symbol at all, it
doesn't meet RFC 2821's definition of an email address.
But if one reads that specification, it's astoundingly liberal on what
*is* permitted in an email address; any attempt to throw out strings
of characters as "not an email address" is either doomed to discard
many perfectly valid email addresses, or to be hideously complex and
prone to failure.
My understanding of the "validation" that was being discussed was that
it was not "does this email address belong to a particular person?",
but rather "if I attempt to use this string of characters as an email
address, can I expect messages to be delivered?"
The former is flatly impossible by an examination of the email
address. The latter is seductive, but also practically impossible
short of actually sending a message.
\ "About four years ago, I was -- no, it was yesterday." -- |
`\ Steven Wright |
More information about the Python-list