Email address validation: an addendum
When I was writing my last article, I wasn’t expecting too much of a response. Perhaps a comment or two from the 30-50 visits I get for most of my posts would be nice. The post actually circulated a bit more than usual, and I got quite a bit of interesting feedback. Hopefully these afterthoughts will get to at least some of those who read the original article (whether it’s the usual 50, or the 50,000).
One crucial thing that came up was the reasoning behind rejecting an email address that the user enters into the form. It boils down to wanting or needing to be able to contact the user at a later time. A very common case is account recovery. If a user loses their password, and you don’t have any way of contacting them, they’re probably stuffed. If you can tell them as quickly as possible that what they’ve entered doesn’t look right, then you’re going to save a lot of bother.
A few people commented that they often get less technically savvy users entering all kinds of incorrect things, ranging from just the local part (or conversely just the domain) of their email address to their desired user name on the service they’re trying to register with. Given that this sort of thing goes on, validating that an email address is composed of an @ symbol with some characters on either side is sensible (of course, you should still send a validation email if you want to make sure you’re being given correct data).
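As an added illustration (not code from the original post), here is one way to implement that minimal "something@something" check in Python so that the user is told straight away which of the common mistakes above they have made. The function name, the classification of mistakes and the messages are assumptions made for this example.

```python
def check_email_shape(value: str) -> tuple[bool, str]:
    """Minimal 'something@something' check, no stricter than the post argues for.

    Returns (ok, message). When ok is False, message tells the user what looks
    wrong, so a bare local part, a bare domain or a desired user name is caught
    at sign-up rather than discovered after a lost-password request.
    The classification and wording are assumptions for illustration.
    """
    s = value.strip()
    if not s:
        return False, "Please enter an email address."
    if any(ch.isspace() for ch in s):
        return False, "An email address cannot contain spaces."
    if "@" not in s:
        # No @ at all: a bare domain usually has a dot in it, while a bare
        # local part or a desired user name usually does not.
        if "." in s:
            return False, "That looks like only the domain part; add the name and @ before it."
        return False, "That looks like only a name; an email address needs @ and a domain after it."
    # Split on the last @ so everything before it counts as the local part.
    local, _, domain = s.rpartition("@")
    if not local:
        return False, "Nothing before the @; add the name part of the address."
    if not domain:
        return False, "Nothing after the @; add the domain part of the address."
    return True, ""
```

Passing this check only means the address has the right shape; a validation email is still the only way to find out whether it is actually reachable.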
As for using such validation to prevent fake account creation, it’s trivially bypassed. If I’m working for nasty-corporation.com and want to sign up a bunch of accounts on your site to post loads of spam, I’m probably going to be able to generate email addresses, or better still create valid addresses on my domain to register an account. As annoying as they can be, some form of Captcha is better for this (preferably one with an audio alternative to the picture, for accessibility reasons), and doesn’t rely on spammers being totally incompetent.
Just one more thing: I know the comment system built into WordPress does a poor job of all this. More than a few of you were good enough to point it out. I’m switching away from the default one soon anyway.