HACKER Q&A
📣 m33k44

Why is the email regex even required at the back end?


Wouldn't it suffice to just take the "email id" supplied by the user and send an email verification link? If it is a valid email id, then the user will receive the email verification link. And if the user verifies the email, then the backend will know it is a valid email. Otherwise the user does not get access to the rest of the web app except for the option to change the email.

That will avoid having to parse the email id at the backend.


👤 new_guy Accepted Answer ✓
You still need to sanitise the input (assume it's malicious) and make sure it doesn't already exist in your system, and check it's a valid email before you attempt to send the confirmation etc.

👤 moasda
Example user input: "mail@domain1.com, mail@domain2.com"

If you don't check the user input and blindly send an email verification link, this could lead to two emails sent out.

Depending on the email library you could possibly even add some email headers and misuse your email server to send spam.
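The checks new_guy and moasda describe, as an added example that is not code from either poster: a backend-side gate that rejects control characters (the header-injection case), rejects address lists such as "mail@domain1.com, mail@domain2.com", applies a deliberately simple shape check (a constructed pattern, not the W3C one mentioned later in the thread), and refuses addresses already registered. The `existing` set standing in for the user database and the case-insensitive normalisation of the whole address are assumptions of this example.

```python
import re

# Constructed, intentionally simple shape check for this example:
# one local part, one "@", a domain containing at least one dot,
# and none of the characters that separate recipients or open a header.
_SIMPLE_EMAIL = re.compile(r"^[^\s@,;<>]+@[^\s@,;<>]+\.[^\s@,;<>]+$")


class InvalidEmail(ValueError):
    """Raised when the submitted address must not be sent a verification link."""


def check_email(raw: str, existing: set[str]) -> str:
    """Return a normalised address, or raise InvalidEmail.

    `existing` stands in for the set of addresses already in the system
    (an assumption of this example; a real backend would query its store).
    """
    # 1. Header injection: CR, LF or NUL inside the value would let the
    #    "recipient" continue into additional mail headers.
    if any(ch in raw for ch in ("\r", "\n", "\x00")):
        raise InvalidEmail("control characters not allowed")

    candidate = raw.strip()

    # 2. Exactly one recipient: commas and semicolons are address-list
    #    separators, which is how two verification mails would go out.
    if "," in candidate or ";" in candidate:
        raise InvalidEmail("only one address may be supplied")

    # 3. Basic shape and length before anything touches the mail library.
    if len(candidate) > 254:
        raise InvalidEmail("address too long")
    if not _SIMPLE_EMAIL.fullmatch(candidate):
        raise InvalidEmail("address shape not recognised")

    # 4. Uniqueness. Lower-casing the whole address is a simplification
    #    assumed here; the domain part is case-insensitive, the local part
    #    is treated that way by most providers in practice.
    normalised = candidate.lower()
    if normalised in existing:
        raise InvalidEmail("address already registered")
    return normalised


def validate(raw: str, existing: set[str]) -> tuple[bool, str]:
    """Convenience wrapper: (accepted, normalised address or reason)."""
    try:
        return True, check_email(raw, existing)
    except InvalidEmail as err:
        return False, str(err)


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the thread.
    registered = {"alice@example.com"}
    samples = [
        "bob@example.com",
        "mail@domain1.com, mail@domain2.com",
        "user@example.com\r\nBcc: someone@example.org",
        " Alice@Example.com ",
        "not-an-email",
    ]
    for sample in samples:
        print(repr(sample), "->", validate(sample, registered))
```

Only an address that passes every step reaches the code that sends the verification link; everything else is answered with a reason and never handed to the mail library.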


👤 m33k44
Looks like I will have to settle for the regex used by W3C for validating email input type.