We just had an impromptu conversation over here about validating phone numbers that morphed into validating email addresses and more.
Adam brought up the fact there are a lot of email addresses that don't pass the basic regex validation that a lot of sites use. In fact, there was a good discussion of this very issue on Slashdot in a larger article on regexes. One comment:
The problem is that email addresses are not suitable for regex based validation.
There are too many legacy formats, too many variations, that are legal addresses.
Why, back in the old days, you could send mail to things like "bob%[email protected]" which would shoot the email off to example.org, who's mail server would then shoot the email off to example.com. A way to hand route your email around a broken network link in the old days. Throw in a few UUCP hops, maybe getting final delivery to a BITNET connected system. Ah, those were the days!
The question that I posed was in our chat was, "What's the desired end result, capturing an email address at a valid domain, or one that reaches the user? Yeah, the latter is a subset of the former but seems like it makes sense to just cut to the chase and email them instead." The same can be asked for a phone number as well. (212) 434-3434 might be a technically valid phone number, just as [email protected] is a technically valid email address, but what value does that have? I think that contact information is only valuable if you can actually reach that user there. Even checking that the domain is valid doesn't mean a lot if [email protected] is actually [email protected]
So, I guess that leaves one-time logins for email (already solved in Drupal and others) to validate that the email address corresponds to the user, but what about phone numbers? I think gmail used text messages to validate phone numbers -- text the number a code, have the user enter the code into a form, there's your validation (I can't find the page about it, but there's plenty of discussion around the web about it).
I'm interested to hear other opinions on form validation, what do some other people think?