在FILTER_VALIDATE_EMAIL中有一个更好的正则表达式，但任何正则表达式都可能给出糟糕的结果。

例如. .

// "not an email" is invalid so its false.
php > var_export(filter_var("not an email", FILTER_VALIDATE_EMAIL));
false
// "foo@a.com" looks like an email, so it passes even though its not real.
php > var_export(filter_var("foo@a.com", FILTER_VALIDATE_EMAIL));
'foo@a.com'
// "foo@gmail.com" passes, gmail is a valid email server,
//  but gmail require more than 3 letters for the address.
var_export(filter_var("foo@gmail.com", FILTER_VALIDATE_EMAIL));
'foo@gmail.com'

你可能会考虑使用像Real Email这样的API，它可以进行深入的邮箱检查，以检查电子邮件是否真实。

有点像…

$email = "foo@bar.com";
$api_key = ???;

$request_context = stream_context_create(array(
    'http' => array(
        'header'  => "Authorization: Bearer " . $api_key
    )
));

$result_json = file_get_contents("https://isitarealemail.com/api/email/validate?email=" . $email, false, $request_context);

if (json_decode($result_json, true)['status'] == "valid") {
    echo("email is valid");
} else if (json_decode($result_json, true)['status'] == "invalid") {
    echo("email is invalid");
} else {
  echo("email was unknown");
}

在关于电子邮件验证的“顶级问题”中回答了这个问题https://stackoverflow.com/a/41129750/1848217

For me the right way for checking emails is: Check that symbol @ exists, and before and after it there are some non-@ symbols: /^[^@]+@[^@]+$/ Try to send an email to this address with some "activation code". When the user "activated" his email address, we will see that all is right. Of course, you can show some warning or tooltip in front-end when user typed "strange" email to help him to avoid common mistakes, like no dot in domain part or spaces in name without quoting and so on. But you must accept the address "hello@world" if user really want it. Also, you must remember that email address standard was and can evolute, so you can't just type some "standard-valid" regexp once and for all times. And you must remember that some concrete internet servers can fail some details of common standard and in fact work with own "modified standard".

所以，只要检查@，提示用户在前端和发送验证电子邮件在给定的地址。

我准备了一个检查电子邮件有效性的函数:

function isValidEmail($email)
{
    $re = '/([\w\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([\w-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)/m';
    preg_match_all($re, $email, $matches, PREG_SET_ORDER, 0);
    if(count($matches) > 0) return $matches[0][0] === $email;
    return false;
}

FILTER_VALIDATE_EMAIL的问题是，它甚至认为无效的电子邮件是有效的。

以下是例子:

if(isValidEmail("foo@gmail.com")) echo "valid";
if(!isValidEmail("fo^o@gmail.com")) echo "invalid";

/(?![[:alnum:]]|@|-|_|\.)./

现在，如果你使用带有type=email的HTML5表单，那么你已经有80%的安全性了，因为浏览器引擎有它们自己的验证器。为了补充它，将这个正则表达式添加到你的preg_match_all()并对其求反:

if (!preg_match_all("/(?![[:alnum:]]|@|-|_|\.)./",$email)) { .. }

找到HTML5表单使用的正则表达式进行验证 https://regex101.com/r/mPEKmy/1

根据我的经验，regex解决方案有太多的假阳性，而filter_var()解决方案有假阴性(特别是对于所有新的tld)。

相反，最好是确保地址具有电子邮件地址的所有必需部分(用户、“@”符号和域)，然后验证域本身是否存在。

无法确定(服务器端)外部域是否存在电子邮件用户。

这是我在Utility类中创建的一个方法:

public static function validateEmail(string $email): bool {

    // SET INITIAL RETURN VARIABLE
    // ENSURE -> EMAIL ISN'T EMPTY | AN @ SYMBOL IS PRESENT 

        $emailIsValid = FALSE;

        if (
            !empty($email) &&
            strpos($email, '@') !== FALSE
        ) {

            // GET EMAIL PARTS

                $email  = explode('@', $email);
                $user   = $email[0];
                $domain = $email[1];

            // VALIDATE EMAIL ADDRESS

                if (
                    count($email) === 2 &&
                    !empty($user) &&
                    !empty($domain) &&
                    checkdnsrr($domain)
                ) {
                    $emailIsValid = TRUE;
                }
        }

    // RETURN RESULT

        return $emailIsValid;
}

这不仅可以验证你的邮件，还可以过滤掉意想不到的字符:

$email  = $_POST['email'];
$emailB = filter_var($email, FILTER_SANITIZE_EMAIL);

if (filter_var($emailB, FILTER_VALIDATE_EMAIL) === false ||
    $emailB != $email
) {
    echo "This email adress isn't valid!";
    exit(0);
}