email validation form submitting despite errors

Question

I have some if statements validating email addresses submitted to my form below. However the form submits even though not all the if conditions below are met. The one it seems to respect is the filter_var condition. Why would it do this? the validation that is failing is the last if statement saying the email is unreachable. on the form it says the email address is unreachable. but it submits the form by email anyways. $scrubbed is a function I use in my form to clean the form fields from possible spam

    if (isset($scrubbed["email"])) {


    if (strlen($scrubbed["email"]) > 254) {
        echo "<p>The email address is too long: it must be 254 or less.</p>";
    }

    // Validate syntax with PHP.
    if ((($email = filter_var($scrubbed["email"], FILTER_VALIDATE_EMAIL)) === false)) {
        echo "<p>The email address has an invalid syntax.</p>";
    }

    // Validate DNS reachability.
    $host = substr($email, strrpos($email, "@") + 1) . ".";

    if (!checkdnsrr($host, "A") && !checkdnsrr($host, "AAAA") && !checkdnsrr($host, "MX")) {
        echo "<p>The email address is unreachable.</p>";
    }

}

Answer 1

It would be nice if you accept the answers to your questions.

$scrubbed["email"] is simply empty and therefor the email is always invalid.

Let's create a simple form that will be submitted to us.

<!doctype html>
<html>
<head>
    <title>Form</title>
</head>
<body>
<?php

/**
 * Validate submitted email address.
 *
 * @return null|string
 *   Returns <code>NULL</code> if the email address is valid, if the
 *   email address is invalid a string explaining the problem is returned.
 */
function validate_email() {
    $email = filter_input(INPUT_POST, "email", FILTER_VALIDATE_EMAIL);

    if ($email === false) {
        return "The email address has an invalid syntax.";
    }

    if (strlen($email) > 254) {
        return "The email address is too long: it must be 254 or less.";
    }

    $host = substr($email, strrpos($email, "@") + 1) . ".";
    if (!checkdnsrr($host, "A") && !checkdnsrr($host, "AAAA") && !checkdnsrr($host, "MX")) {
        return "The email address is unreachable.";
    }
}

// Check if we were called via POST.
if ($_SERVER["REQUEST_METHOD"] == "POST") {

    // Validate the email address and display the error message (if any).
    if (($error = validate_email())) {
        echo "<p>{$error}</p>";
    }
    // Otherwise let the user know that everything is okay.
    else {
        echo "<p>The email address is valid, not too long, and reachable.</p>";
    }

}

?>
    <form action="/" method="post" accept-charset="utf-8">
        <input type="email" name="email">
        <input type="submit">
    </form>
</body>
</html>

Please note that this is only some code for illustration purposes and has nothing to do with proper software design, re-usability, … well anything that is part of good software.