this post was submitted on 09 Feb 2024
93 points (89.1% liked)

Programming

17419 readers
23 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 67 points 9 months ago* (last edited 9 months ago) (22 children)

Any time you're turning a string of input into something else, what you are doing is parsing.

Even if the word "parser" never appears in your code, the act of interpreting a string as structured data is parsing, and the code that does parsing is a parser.

Programmers write parsers quite a lot, and many of the parsers they write are ad-hoc, ill-specified, bug-ridden, and can't tell you why your input didn't parse right.

Writing a parser without realizing you're writing a parser, usually leads to writing a bad parser. Bad parsers do things like accepting malformed input that causes security holes. When bad parsers do reject malformed input, they rarely emit useful error messages about why it's malformed. Bad parsers are often written using regex and duct tape.

Try not to write bad parsers. If you need to parse something, consider writing a grammar and using a parser library. (If you're very ambitious, try a parser combinator library.) But at least try to recall something about parsers you learned once way back in a CS class, before throwing regex at the problem and calling it a day.

(And now the word "parser" no longer makes sense, because of semantic satiation.)

By the way, please don't write regex to try to validate email addresses. Seriously. There are libraries for that; some of them are even good. When people write their own regex to match email addresses, they do things like forget that the hyphen is a valid character in domain names.

[–] [email protected] 29 points 9 months ago* (last edited 9 months ago) (15 children)

By the way, please don’t write regex to try to validate email addresses. Seriously.

Amen.

There are libraries for that; some of them are even good.

Spoiler alert: Few of them are good, and those few are so simple that you might as well not use a library.

The only way to correctly validate an email address is to send a message to it, and verify that it arrived.

[–] [email protected] 8 points 9 months ago* (last edited 9 months ago) (2 children)

The only way to correctly validate an email address is to send a message to it, and verify that it arrived.

If you're accepting email addresses as user input (e.g. from a web form), it might be nice to check that what's to the right of the rightmost @ sign is a domain name with an MX or A record. That way, if a user enters a typo'd address, you have some chance of telling them that instead of handing an email to user#example.net or [email protected] to your MTA.

But the validity of the local-part (left of the rightmost @) is up to the receiving server.

[–] [email protected] 11 points 9 months ago* (last edited 9 months ago) (1 children)

Checking MX in your application means you needlessly fail on transient outages, like when a DNS server is rebooting or a net link hiccups. When it happens, the error flag your app puts on the user's email address is likely to confuse or frustrate them, will definitely waste their time, and may drive them away and/or generate support calls.

Also, MX records are not required. Edit to clarify: So checking MX in your application means you fail 100% of the time on some perfectly valid email domains. Good luck to the users and support staff who have to troubleshoot that, because there's nothing wrong with the email address or domain; the problem is your application doing something it should not.

Better to just hand the verification message off to your mail server, which knows how to handle these things. You can flag the address if your outgoing mail server refuses to accept it.

[–] [email protected] 5 points 9 months ago

If DNS is transiently down, the most common mail domains are still in local resolver cache. And if you're parsing live user requests, that means the IP network itself is not in transient failure at the moment. So it takes a pretty narrow kind of failure to trigger a problem... And the outcome is the app tells the user to recheck their email address, they do, and they retry and it works.

If DNS is having a worse problem, it's probably down for your mail server too, which means an email would at least sit in the outbound mail spool for a bit until DNS comes back. Meanwhile the user is wondering where their confirmation email is, because people expect email delivery in seconds these days.

So yeah ... yay, tradeoffs!

(Confirmation emails are still important for closed-loop opt-in, to make sure the user isn't signing someone else up for your marketing department's spam, though.)

load more comments (12 replies)
load more comments (18 replies)