Phalcon_Filter, sanitizing email: apostrophes? #40
Comments
Hi, this seems to be unexpected behavior; thanks for reporting it. The filter component actually uses the Filter extension (http://www.php.net/manual/en/book.filter.php) to validate emails.
Hi, hmm... according to the PHP documentation it is correct behaviour: FILTER_SANITIZE_EMAIL "email" Remove all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.[]. It seems that the local part of an e-mail (before the @ sign) is allowed to contain apostrophes: https://en.wikipedia.org/wiki/Email_address#Local_part . Didn't know that. I think the issue can be closed then. Although it may be good to have a note about it in the documentation - otherwise, based on the sample code, some may think that it is fine to enter a filtered e-mail into the database without escaping it first.
Yep, I think Phalcon should remove the apostrophes (') even if the filter extension thinks that isn't correct behavior. I do not think many people have an email with that character :)
Email filter doesn't seem to fully sanitize the data. Apostrophes (') are not removed nor escaped.
For example, in the sample application in the tutorial, if you POST an email containing apostrophes, an exception is thrown:
PhalconException: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''a'', null)' at line 1" when executing "INSERT INTO user (name, email, id) VALUES ('randomName', 'a'', null)"
Is this intended behaviour?
Phalcon 0.4.4 - Windows x64 for PHP 5.3 (VC9)
Apache Version: 2.2.22
PHP Version: 5.3.13
MySQL Version: 5.5.24
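The following is an added example, not code from Phalcon or from the issue's author. It reproduces the two points of the thread: `FILTER_SANITIZE_EMAIL` keeps the apostrophe because it is legal in the local part, and only escaping or parameter binding (not sanitizing) stops that apostrophe from breaking the `INSERT` quoted in the report. The function names `cleanEmail`, `naiveInsertSql` and `insertUser` are mine, and an in-memory SQLite database stands in for the MySQL server in the report so the script runs offline.

```php
<?php
// Added example, not code from Phalcon or from the issue's author.
// Shows that FILTER_SANITIZE_EMAIL retains apostrophes, and that
// parameter binding (or escaping) is what keeps the apostrophe from
// turning into SQL syntax. SQLite in-memory stands in for MySQL.

/** Sanitize then validate; returns the cleaned address or null if invalid. */
function cleanEmail(string $raw): ?string
{
    // Strips characters outside the allowed set; the apostrophe is inside it.
    $sanitized = filter_var($raw, FILTER_SANITIZE_EMAIL);
    // Sanitizing is not validating: check the result separately.
    if (filter_var($sanitized, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $sanitized;
}

/** The interpolated query shape from the tutorial, reproduced only to show the breakage. */
function naiveInsertSql(string $email): string
{
    return "INSERT INTO user (name, email, id) VALUES ('randomName', '$email', null)";
}

/** Safe insert: the address travels as a bound parameter, never as SQL text. */
function insertUser(PDO $pdo, string $name, string $email): void
{
    $stmt = $pdo->prepare('INSERT INTO user (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
}

// Constructed sample input: an apostrophe in the local part, valid per RFC 5322.
$raw = "o'brien@example.com";

$email = cleanEmail($raw);
var_dump($email);                 // string(19) "o'brien@example.com"; apostrophe retained
echo naiveInsertSql($email), PHP_EOL;
// VALUES ('randomName', 'o'brien@example.com', null)   <- the broken SQL from the report

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

insertUser($pdo, 'randomName', $email);   // succeeds: no syntax error
var_dump($pdo->query('SELECT email FROM user')->fetchColumn()); // string(19) "o'brien@example.com"

// If string building is unavoidable, quote() escapes the apostrophe rather than removing it.
echo $pdo->quote($email), PHP_EOL;        // 'o''brien@example.com'
```

The point of the split between `cleanEmail` and `insertUser` is that the two concerns are independent: a sanitizer decides which characters may appear in an address, while the database driver decides how a value is delimited in a query. Stripping the apostrophe in the filter would only hide the interpolation bug that `naiveInsertSql` shows; binding the parameter fixes it for every character, not just this one.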