Closed Bug 567823 Opened 10 years ago Closed 10 years ago

Add email checking to Get Involved form


( :: General, defect)




(Reporter: davidwboswell, Assigned: paulosman)





(1 file)

The form on the Get Involved page currently doesn't do any checking for valid email addresses so we get a fair amount of spam like the following:

E-mail: ILwwxzNMPZYdIv
Area of Interest: 
Comment: TSCrBJ  <a href="">cwsrkgjnnbjr</a>, [url=]najudkmnapzm[/url], [link=]faiwpdxryshk[/link],

The form should check to make sure that the email field contains a correctly formatted email address before accepting a submission.  Submissions with invalid emails should receive some sort of prompt to check that field.
Assignee: nobody → paul
Here's a possible fix. 

I intentionally used a rather permissive regular expression. Rules for valid email address formats are pretty inconsistent and difficult to completely encapsulate, so this code just verifies that the local portion contains one or more characters that are not '@' and that the domain portion contains alphanumeric characters, underscores or hyphens and ends with an alphabetic tld.

I also didn't bother doing MX record checking on the domain as that seemed overkill for this case. If a spambot is intelligent enough to submit a reasonable looking email address in a text input labeled 'email', there's nothing stopping them from using an actual valid email address... would pass that test for instance.

Open to thoughts and feedback of course.
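
The rules described in the comment above, run against a few inputs, as an added example that is not part of the patch or the site's code. `looks_like_email`, `STRICT_PATTERN` and the sample values are assumptions made for illustration; the first pattern is the one quoted in the review of attachment 447799. It goes slightly beyond the comment by comparing a tightened variant and PHP's built-in `filter_var` check on inputs containing line breaks.

```php
<?php
// Pattern as quoted in the review of attachment 447799.
const PAGE_PATTERN = '/^[^@]+@[a-zA-Z0-9._-]+\.[a-zA-Z]+$/';

// Hypothetical tightened variant (not from the bug): no whitespace in the
// local part, and \z instead of $ so nothing may follow the TLD.
const STRICT_PATTERN = '/^[^@\s]+@[a-zA-Z0-9._-]+\.[a-zA-Z]+\z/';

// Hypothetical helper name. preg_match returns 1, 0 or false, so compare
// against 1 to hand callers a real boolean.
function looks_like_email(string $email, string $pattern): bool {
    return preg_match($pattern, $email) === 1;
}

// Constructed sample submissions. The first is the spam value quoted in the
// bug report; the rest are made up for this example.
$samples = [
    'ILwwxzNMPZYdIv',            // no '@' at all
    'volunteer@example.org',     // ordinary address
    'a@b@example.org',           // second '@' lands in the domain part
    'volunteer@localhost',       // no dot and TLD
    "volunteer@example.org\n",   // trailing newline
    "x y\r\nz@example.org",      // whitespace and CRLF in the local part
];

foreach ($samples as $s) {
    printf(
        "%-30s page=%-5s strict=%-5s filter_var=%s\n",
        json_encode($s), // shows control characters as escapes
        var_export(looks_like_email($s, PAGE_PATTERN), true),
        var_export(looks_like_email($s, STRICT_PATTERN), true),
        var_export(filter_var($s, FILTER_VALIDATE_EMAIL) !== false, true)
    );
}
```
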
Yeah, no need for overkill on this.

One question about what happens if the email isn't valid.  Does the email form field add the text 'Must use a valid e-mail address' or is that text included somewhere else (maybe under Submit button)?  If in the email field, that text seems to be bigger than the form field.  Maybe use a slightly shorter note: 'Please use valid e-mail'?
There was existing functionality for this, so I didn't change it. Currently, the script checks for the string '' which is the default value of the e-mail text input. If that string is posted, the script just prints "Must use a valid e-mail address" and exits. I didn't touch this functionality, just tacked on the format validation. To see what happens:

1) Visit
2) Click on 'Submit' leaving all fields with their default values (email should be ''). 
3) See error message.
I had forgotten about that.  That seems like another bug though, so I'll open a bug for that and we can move forward with this one.  Would you mind asking Reed to review your patch?
That was my thinking. It'd be nice to have user-friendly error reporting, but that's another bug. I'd be happy to work on that too if you want to assign it to me. 

Sure thing, I'll ping Reed asking for a review.
Attachment #447799 - Flags: review?(reed)
There's been a spike in spam coming through this form in the last few days.  Can we check this in now and back it out if it causes problems?
Comment on attachment 447799 [details] [diff] [review]
Verify that the submitted email address looks like an email address

>+function validate_email($email) {
>+  if (preg_match('/^[^@]+@[a-zA-Z0-9._-]+\.[a-zA-Z]+$/', $email)) {
>+    return true; 
>+  } else {
>+    return false;
>+  }
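
Review bot: in the `preg_match` pattern, the trailing `$` also matches just before a final newline and the local part `[^@]+` accepts whitespace and CR/LF, so an address that carries a line break still validates. If `$email` is later written into a mail header or a log line, that matters; anchoring with `\z` (or adding the `D` modifier) and using `[^@\s]+` for the local part closes it, or `filter_var($email, FILTER_VALIDATE_EMAIL)` could replace the hand-written pattern. If the if/else is collapsed into a direct return of `preg_match(...)`, note that the function then yields 1, 0 or false rather than a boolean, so callers should not compare the result with `=== true`.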

Make this |return preg_match(...);|

With that, r=reed.
Attachment #447799 - Flags: review?(reed) → review+
Cool. Change made.

Committed in r68785.
Closed: 10 years ago
Resolution: --- → FIXED
Component: → General
Product: Websites →