It will validate and ensure only valid characters are used for an e-mail address. You can then use PDO (prepared statements) or mysql_real_escape_string to ensure a SQL injection isn't still possible.
This is all the code I have complete for email insertion. I have the mysql_real_escape_string on the email post. Is there anything else I need to add to make it safe?
Is preg_match outdated, and are there any special characters I should reject?
<?php
$error = false; // initialised so the !$error checks below do not read an undefined variable

// Escape for use inside a quoted SQL literal (legacy mysql_* API)
$emailaddress = mysql_real_escape_string(trim($_POST['emailaddress']));
if (empty($emailaddress) && !$error) {
    $error = "You need to enter an email.";
}

// Duplicate check: the escaped value is concatenated into the query string
$query = mysql_query("SELECT userid FROM organisermembers WHERE emailaddress = '" . $emailaddress . "' LIMIT 1");
if (mysql_num_rows($query) > 0 && !$error) {
    $error = "Sorry, that email is already in use!";
}

// Format check on the raw (unescaped) input; returns false on an invalid address
$emailAddress = filter_var($_POST['emailaddress'], FILTER_VALIDATE_EMAIL);
if (!$emailAddress) {
    $error = 'Please enter your email address in a valid format. Example: bobsmith@companyname.com';
}
No, that is the purpose of mysql_real_escape_string: to handle those situations.
No, preg_match isn't outdated; PHP is just adding helper functions for the most common scenarios in the recent versions of PHP. The filter_var for email validation handles all special characters for you.
You should really move the last validation you have for e-mail address above your check to see if the e-mail is already in use, so you are not querying on an email address that isn’t in a valid format.
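Putting the two answers together, here is an added example (not code from the thread) that validates the address first and then runs the duplicate check through a PDO prepared statement instead of mysql_real_escape_string. It reuses the thread's table and column names (organisermembers, emailaddress, userid) and assumes an in-memory SQLite database as a stand-in for the asker's MySQL server so it runs offline.

```php
<?php
// Added example: validate before querying, and bind the value instead of escaping it.

/**
 * Returns null when the address can be registered, otherwise an error message.
 * No database access happens until the input has passed format validation.
 */
function checkNewEmail(PDO $pdo, string $raw): ?string
{
    $email = trim($raw);
    if ($email === '') {
        return 'You need to enter an email.';
    }
    // filter_var replaces a hand-written preg_match and rejects malformed addresses.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Please enter your email address in a valid format. Example: bobsmith@companyname.com';
    }
    // Bound parameter: the value travels separately from the SQL text, so a
    // valid address that contains a quote is stored literally, not interpreted.
    $stmt = $pdo->prepare('SELECT userid FROM organisermembers WHERE emailaddress = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    if ($stmt->fetchColumn() !== false) {
        return 'Sorry, that email is already in use!';
    }
    return null;
}

// Constructed fixture: SQLite in memory with one existing member (assumption, not the asker's DB).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE organisermembers (userid INTEGER PRIMARY KEY, emailaddress TEXT NOT NULL UNIQUE)');
$pdo->exec("INSERT INTO organisermembers (emailaddress) VALUES ('taken@example.com')");

$inputs = [
    ' new@example.com ',    // valid and free: surrounding whitespace is trimmed
    'taken@example.com',    // valid but already registered
    "o'reilly@example.com", // valid per RFC 5321, passes filter_var; the quote is handled by binding
    'not-an-email',         // fails validation, never reaches the query
    '',                     // empty input
];
foreach ($inputs as $in) {
    printf("%-24s => %s\n", var_export($in, true), checkNewEmail($pdo, $in) ?? 'OK');
}
```

The third input shows why the first answer pairs validation with prepared statements: FILTER_VALIDATE_EMAIL accepts an apostrophe in the local part, so validation alone does not keep quote characters out of the query.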