well how correct the regExp, so both email addresses pass

[lse123]

Code:

re = /^[a-zA-Z0-9]+([-_\.]?[a-zA-Z0-9])+@[a-zA-Z0-9]+([-_\.]?[a-zA-Z0-9])+\.[a-zA-Z\.]{2,4}/      
if(!re.test(form.email.value)) { 
	alert("Error: Username must contain only letters, numbers, dash, dot,<br /> underscores(first part) and the 'at' sign!");   
	form.email.focus(); 
	return false; 
}

emails like w@l-yy-design.com do not pass needed to pass the :
ww@l-yy-design.com

well how correct the regExp, so both email addresses pass?

[traq]

there are other problems, too - for example, your regex will reject addresses with + or * in the username - which are valid, and not uncommon in "the real world" (I regularly use emails with both of those characters).

Code:

/^(?!(?:(?:\x22?\x5C[\x00-\x7E]\x22?)|(?:\x22?[^\x5C\x22]\x22?)){255,})(?!(?:(?:\x22?\x5C[\x00-\x7E]\x22?)|(?:\x22?[^\x5C\x22]\x22?)){65,}@)(?:(?:[\x21\x23-\x27\x2A\x2B\x2D\x2F-\x39\x3D\x3F\x5E-\x7E]+)|(?:\x22(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|(?:\x5C[\x00-\x7F]))*\x22))(?:\.(?:(?:[\x21\x23-\x27\x2A\x2B\x2D\x2F-\x39\x3D\x3F\x5E-\x7E]+)|(?:\x22(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|(?:\x5C[\x00-\x7F]))*\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-[a-z0-9]+)*\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-[a-z0-9]+)*)|(?:\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\]))$/iD

is the regex used by PHP. It validates almost anything that is valid. however, it also validates anything that might be an email address (for example, me@you.notarealTLD). Of course, any regex that accepts all valid email addresses will have this problem - and a regex will never be able to tell you if the user or domain is legitimate.

(Also, IIUC, it doesn't work as a javascript regex. Read more; also follow the "Notes" on that page.)

options:
1. use PHP's filter_var() function. Not perfect, and it's regex-based so it has all of the same limitations - but it is almost always suitable for your task-at-hand, is implemented well, and runs faster. You won't really be able to do any better on your own.

2. SKIP the email validation. If this is for user registration, you're sending them an activation email anyway, right? If the email doesn't go through, then it wasn't a valid email address. (Note: this is the *only* way to really verify an email address - send something to it!)

2a. At the very least, don't flat-out *reject* email addresses that don't pass your regex: if your regex thinks it's wrong, ask the user to verify (see below). But accept it if they say it's correct.

3. If you want to guard against typos, have users fill out their email address twice, and make sure they're identical. After all, if Joe types jo@eexample.com, the regex won't tell you about the mistake. But if he types joe@example.com in the second field, you can ask him to verify which is correct.

[djr33]

If you must do it that way, another option is to be stricter with the regex then tell the user "Your email address was in an unexpected format. Please verify that it is correct and continue." But you can allow them to have an unusual email. This is a good way to protect against typos, but not against someone intentionally supplying a fake email (as long as it looks real).

Personally I am annoyed by websites that require my email address for no reason, and I will often put in noone@ThatWebsite.com as my email. Of course it depends on the context and I'll happily provide my email if there's a point to it, but be aware that you're basically wasting the user's time with this stuff if you don't actually need their email. And if you do need the email, it will be verified when they use it, like traq said.


Personally, I prefer two options of verifying emails (but it goes along with my philosophy/strategy above):
1. Use filter_var() as traq suggested. This is a strong way to do it and generally precise if not completely perfect.
2. Verify that it looks like an email address, using my own functions. Check that there's a "@" symbol, and a "." after it. Make sure there are characters between the symbols. And that's about it. It proves nothing, except that it's not random text, but that's about as good as you can expect without actually sending an email to it.