Why does PHP filter_var say that this is a valid email address?

Question

I use the filter_var PHP function to validate email address when a user signs up to my site.

I use this code from the post:

$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);

then later I do:

if(!$email) {
  // return to the form 
}
else {
  // send registration info
}

now when I var_dump($email), I get the output:

string(23) "user."name"@example.com"

I would like to know why this does not return false. I think the double quotes are not acceptable, so why does PHP say it’s valid?

Answer 1

It is a valid email address :

A quoted string may exist as a dot separated entity within the local-part or it may exist when the outermost quotes are the outermost chars of the local-part (e.g. abc."defghi"[email protected] or "abcdefghixyz"@example.com are allowed. abc"defghi"[email protected] is not; neither is abc\"def\"[email protected]).

Answer 2

I had the same problem (see Dalmas on why it's valid) and here's how I fixed it:

filter_var($email, FILTER_SANITIZE_EMAIL);

eg:

$email = 'user."name"@example.com';
$email = filter_var($email, FILTER_SANITIZE_EMAIL);

will output:

string(21) "[email protected]"

Then you can validate the email using your validation.

you can get more information on the php site