Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

PHP Build a Basic PHP Website (2018) Adding a Basic Form Using Object and Validating Email

Jake Ford
Jake Ford
9,230 Points

PHPMailer only works if my form input type="text"?

I have my form input for the email as type="email", and the browser automatically knows when it is not a valid email address. When I tried to type an invalid email, I did something like: invalid@invalid, and the data sent successfully even though that is not a valid email address. I then switched my html form input to type="text", and PHPMailer worked. I guess to use PHPMailer I need to be sending form input as type text?

I guess using the default browser validation with the HTML5 "email" input type wouldn't work against spam bots because they don't use browsers? How effective is the browser validation?

UPDATE: Even with using PHPMailer and input type set to "text", typing in invalid@invalid gets through and lets the data submit. Invalid@invalid obviously doesn't have an extension(.com, .net, etc.), does PHPMailer not pick up on this?

Simon Coates
Simon Coates
28,694 Points

i think everything sends as text or i could be misrembering (you should be able to examine the post request using your developer tools and see the underlying transmission). But an email is certainly text as far as PHP is concerned (no separate data type). Browser validation is for users, and they can bypass it using dev tools.

2 Answers

Simon Coates
Simon Coates
28,694 Points

PHPMailer has a few different methods of validating the address depending on the environment. At least one of the validation method uses filter_var with email validation (filter_var($address, FILTER_VALIDATE_EMAIL);), which is definitely able to flag invalid@invalid as being a problem. The other methods of validation are all enormously complex regular expressions (excluding environments where regex is disabled). I couldn't tell you what they do. If you're not happy with PHP mailers validation you can manually handle the email. FYI, one of the regex has a comment that makes reference to supporting dotless domains.

Jake Ford
Jake Ford
9,230 Points

So if invalid@invalid is getting through, does that mean I have set up PHPMailer wrong? I've done exactly what was done in the video. Or do I just need to create another conditional like the one we did here:

if(!$mail->ValidateAddress($email)){
  echo 'Invalid Email Address';
  exit;
}
Simon Coates
Simon Coates
28,694 Points

I'm not sure, but the variables that determine which validation occurs may be a function of the server (not setup of PHPmailer). The conditional testing seems to be on levels of regex support. You can look in the PHP mailer class for the method in question (validateAddress) and copy the regex out and test them to see how they behave (i did this with an online php sandbox). If you don't like PHP mailers validation, you can add your own conditional with equivalent error behaviour (using filter_var or filter_input). However, something called 'dotless domain' might imply that the author of the regex thought "invalid@invalid" was a valid email. (i don' know anything about email address formats.)

Simon Coates
Simon Coates
28,694 Points

Take a look at wikipedia's example list of valid email. The ones with just one word after the @ may be special cases. It's a question of whether any of the special cases might be valid inputs to PHPmailer.

Jake Ford
Jake Ford
9,230 Points

Thanks, Simon! You've been super helpful. I just read that Wikipedia article and it makes more sense to me now. I didn't realize that invalid@invalid could be a local domain name as it states here:

admin@mailserver1 (local domain name with no TLD)