Email validator bug

The problem

There is a bug in Symfony’s email validator (sfEmailValidator): unless you run it in both modes (strict and non-strict), invalid email addresses are accepted.

At the time of writing we are on version 1.0.13. This could well be (and probably will be) fixed in 1.1, but please let me know if you spot that it has been fixed before then.

Strict mode validation

This mode is intended to catch email addresses such as root@localhost, but unfortunately it does not check that the address is made up of legal characters, so %, would be accepted, as would many other illegal character combinations.

Non-strict mode

This mode checks that the email address contains only legal characters, but does not reject internal addresses such as root@localhost. This is fine in most cases, but it is worth preventing users from using your site to spam your local mail server.

Solution 1

Sapheriel suggests on his blog that one solution is to override the class with a corrected copy, and then remove the override once an update has been released.

“The best way to achieve this with the least amount of intrusion is to copy sfEmailValidator.class.php into your project’s library folder, modify it, and delete it once a fix has been published”

This may suit many users.

Solution 2

If you would rather not have to remember to undo a change later, you can instead run the validator twice, once in each mode, for example in your validator.yml file:

  class: sfEmailValidator
    class: sfGuardUser
    column: email
    strict: true
    email_error: This email address is invalid
      msg: Please enter an email address
      email_error: This email address is invalid
      strict: false
      class: sfGuardUser
      column: email
      unique_error: This email is already in use

You could also write a custom validator that calls the email validator twice, but we have opted for this solution for now.
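As an added example (not Symfony’s code and not the validator.yml above), the stand-alone PHP below models the two checks described under strict mode and non-strict mode and shows why a single pass is not enough: each mode alone lets one of the bad inputs through, and only the combined check rejects both. The function names and character classes are assumptions chosen for this illustration, not sfEmailValidator’s internals.

```php
<?php
// Added example: an independent model of the two checks the post describes.
// Not Symfony's sfEmailValidator code; the regexes below are assumptions.

// Non-strict-style check: only legal characters, any domain accepted,
// so an internal address like root@localhost passes.
function hasLegalCharacters(string $email): bool
{
    return preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$/', $email) === 1;
}

// Strict-style check: the domain must be dotted with a TLD, so a bare
// hostname like "localhost" is rejected, but the local part is not
// inspected, so an illegal local part like "%," passes.
function hasPublicDomain(string $email): bool
{
    return preg_match('/^[^@\s]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$/', $email) === 1;
}

// Both passes together, which is what running the validator twice achieves.
function isAcceptableEmail(string $email): bool
{
    return hasLegalCharacters($email) && hasPublicDomain($email);
}

// Constructed sample inputs for the demonstration.
$samples = [
    'alice@example.com', // valid: passes both checks
    'root@localhost',    // internal: only the strict-style check rejects it
    '%,@example.com',    // illegal characters: only the non-strict check rejects it
];

foreach ($samples as $email) {
    printf(
        "%-20s legal=%d public=%d accepted=%d\n",
        $email,
        hasLegalCharacters($email),
        hasPublicDomain($email),
        isAcceptableEmail($email)
    );
}
```

Running it prints one line per sample; only alice@example.com ends with accepted=1, while the other two each pass exactly one of the single checks.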

Thanks to June for the content.