{"id":10145,"date":"2018-09-26T09:56:32","date_gmt":"2018-09-26T08:56:32","guid":{"rendered":"https:\/\/www.verificaremails.com\/how-to-validate-an-email-in-php-in-a-secure-way\/"},"modified":"2025-02-03T21:13:10","modified_gmt":"2025-02-03T20:13:10","slug":"how-to-validate-an-email-in-php-in-a-secure-way","status":"publish","type":"post","link":"https:\/\/www.verificaremails.com\/en\/how-to-validate-an-email-in-php-in-a-secure-way\/","title":{"rendered":"How to validate an email in php in a secure way"},"content":{"rendered":"

In this article we will see how to validate an email in PHP in a secure way, preventing them from obtaining the token of our email verification service.
\nIn the examples we will use the email validation service verificaremails.com<\/a> but the same system works for any email validation service.
\nCurrently there are a multitude of services that allow you to validate emails.
\nScript-based solutions, although they are a first step, only allow you to validate email through syntax rules or by performing more or less sophisticated domain and MX record checks.
\nIf you need to validate an email reliably, you will have to use a professional email validation service. In addition to the above checks, professional services perform an in-depth simulation of the connection or check the email in their spam trap lists to reliably verify the email.<\/p>\n

How email validation works in php<\/h2>\n

Almost all the services work the same way, through an API we can validate in real time the email, for this a Curl call is usually made, where the service is invoked and the email is transmitted together with the token of the service.
\nYou can find detailed documentation in ”
\nDocumentation verify email<\/a>“.<\/p>\n

In the case of the verificaremails.com service the PHP call is:<\/em><\/h5>\n
$email = “test@example.com”;<\/em><\/h5>\n
$key = “your_api_key”;<\/em><\/h5>\n
$url = “https:\/\/app.verificaremails.com\/api\/verifyEmail?secret=”.$key.”&email=”.$email;<\/em><\/h5>\n
$ch = curl_init();<\/em><\/h5>\n
curl_setopt($ch, CURLOPT_URL, $url);<\/em><\/h5>\n
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<\/em><\/h5>\n
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<\/em><\/h5>\n
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true );<\/em><\/h5>\n
$response = curl_exec($ch);<\/em><\/h5>\n
echo $response;<\/em><\/h5>\n
curl_close($ch);<\/em><\/h5>\n

As you can see the call is very simple.
\nIf the validation is performed in our BackOffice services, the “key” or token to perform the validation will remain secret throughout the process.
\nWe can modify our script so that when clicking “send” in our registration form the validation of the email is performed.
\nThis mechanism is effective and secure, the only drawback is that the validation is done once the user has completed the form.
\nValidating emals via API in real time usually takes on average about 2 seconds, although it is a quick verification, it is not immediate.
\nAn improvement of this method would be to validate the email while the user is completing the rest of the form fields.
\nIf we detect that the address is invalid we can indicate it in the form without the need to send it.
\nImproving the usability of the service and increasing the conversion of records.
\nFrom a technical point of view we only need to add a few lines of JavaScript to our PHP code.<\/p>\n

Risks of validating an email in PHP with Java Script<\/h2>\n

Although the previous call is very simple to implement, it involves a risk.
\nI want to remember that to validate the email we make a Curl call, where we pass to the email validation service the email to verify and the token of the service.
\nIf a user captures that token, he could validate emails.<\/p>\n

How to securely validate an email with PHP and JavaScript<\/h2>\n

At verificaremails.com we have developed a library to avoid this risk.
\nAlthough the code examples we will explain are explicitly for Verificaremails, they can also work with any other service.
\nThe library uses 4 files:<\/p>\n

Index.html<\/h5>\n
Verifyemails.php<\/h5>\n
Verifyemails_encrypt.php<\/h5>\n
Verifyemails-core.js<\/h5>\n

What we do is to use an encrypted key in the files where we want to perform the validation in real time via Ajax.
\nEven if you get this key, it will be of little use because at the time of verification a check of the domain that makes the call is performed.
\nTo generate the encrypted key we execute “verificaremails_encrypt.php” in the fields:<\/p>\n

define(‘TOKEN_KEY’, ‘a3_?Kd’);<\/h5>\n
define(‘TOKEN_IV’, ‘v7$!kh’);<\/h5>\n

we will indicate the keys to encrypt the token of the service to validate email.
\nIn the index.html file, is the file that contains our form, apart from using it to capture the data, a call is made to verificaremails-core.js.
\nIn this file is where we place the encrypted token and indicate where are the files that perform the validation, verificaremails.php The file verificaremails.php defines 4 important parameters:<\/p>\n

define(‘VALID_REFERER’, ‘localhost’);<\/h5>\n
Indicates from which location we are authorized to perform validations.<\/h5>\n
define(‘VALIDATE_URL’, ‘https:\/\/app.verificaremails.com\/’);<\/h5>\n
Shows where the application is to validate email<\/h5>\n
define(‘TOKEN_KEY’, ‘a2_?Kd’);<\/h5>\n
define(‘TOKEN_IV’, ‘v6$!kh’);<\/h5>\n

These are the values we use to encrypt the key of the verification service.
\nThis encrypted key is the one we will use in the file “verificaremails-core.js”.
\nThe value of these fields must match those defined in “verificaremails_encrypt.php”.
\nTo determine if the call is correct, at the end of the file verifyingemails.php we have an if where we define with which criteria an address is correct:<\/p>\n

if ($response == ‘ok’ or $response == ‘ok_for_all’ or $response == ‘accept_all’) {<\/h5>\n
echo ‘1’;<\/h5>\n
} else {<\/h5>\n
echo ‘0’;<\/h5>\n

The validation <\/a> value is passed to the file “verificaremails-core.js” which in turn passes it to index.html which contains the form.
\nOnce the user has filled in the email address in the field with id=”email” the Ajax call is made, while the user is filling in the rest of the fields.
\nIn “background” the validation is being done, so that before sending the data we can know if they are valid.
\nIn addition to reducing latencies in the process of verifying email, we also secure the token against theft.
\nI know it may seem complicated, but once you have the files, using them is very simple, even if you want to port them to other languages such as Ruby, Python or Java.
\nIf you are a client of verificaremails and you want to validate emails via JavaScript please contact our support team to request the files to validate emails in PHP in a secure way.
\nIf you prefer we can also do the implementation.<\/p>\n","protected":false},"excerpt":{"rendered":"

In this article we will see how to validate an email in PHP in a secure way, preventing them from obtaining the token of our email verification service. In the examples we will use the email validation service verificaremails.com but the same system works for any email validation service. Currently there are a multitude of … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":975,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[991],"tags":[],"class_list":["post-10145","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-verify-mail-api"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.verificaremails.com\/en\/wp-json\/wp\/v2\/posts\/10145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.verificaremails.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.verificaremails.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.verificaremails.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.verificaremails.com\/en\/wp-json\/wp\/v2\/comments?post=10145"}],"version-history":[{"count":0,"href":"https:\/\/www.verificaremails.com\/en\/wp-json\/wp\/v2\/posts\/10145\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.verificaremails.com\/en\/wp-json\/wp\/v2\/media\/975"}],"wp:attachment":[{"href":"https:\/\/www.verificaremails.com\/en\/wp-json\/wp\/v2\/media?parent=10145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.verificaremails.com\/en\/wp-json\/wp\/v2\/categories?post=10145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.verificaremails.com\/en\/wp-json\/wp\/v2\/tags?post=10145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}