difference between a javascript and regular expression and filter_var for email validation

Question

i have been thnking about some validation of email using javascript in one hand and filter_var
with neccessary parameters and regular expression using preg_match .now as input sanitaisation has gone in a long run with so many things to keep in mind, wht to use when validating email.

for preg_match if(!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email))

by javascript

function validateForm()
{
var x=document.forms["myForm"]["email"].value;
var atpos=x.indexOf("@");
var dotpos=x.lastIndexOf(".");
if (atpos<1 || dotpos<atpos+2 || dotpos+2>=x.length)
{
alert("Not a valid e-mail address");
return false;
}
}

by filter_var

<?php
if(!filter_var("someone@example....com", FILTER_VALIDATE_EMAIL))
{
echo("E-mail is not valid");
}
else
{
echo("E-mail is valid");
}
?>

Answer 1

Yes, those three variants are very different.

• preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email)
  

  This regex is very restrictive - actually, it's too restrictive. It does only allow word characters and minuses around the @-sign and dot. For example, it does not even allow subdomains (which are quite common).

• var atpos = email.indexOf("@");
  var dotpos = email.lastIndexOf(".");
  return !(atpos<1 || dotpos<atpos+2 || dotpos+2>=x.length)
  

  This looks quite well. It checks for the existence of an @ and a . in the correct order, which is enough to identify email-like looking strings. It could be replaced by the regular expression /.+@.+\..+/.test(email) (which would not allow linebreaks, but that's fine).

• filter_var($email, FILTER_VALIDATE_EMAIL)
  

  This is probably the best way to do it in PHP, but notice that is has some flaws as well.

I would also recommend the article Stop Validating Email Addresses With Complicated Regular Expressions :-)