A developer should never trust user-supplied data and must validate every form field before saving it to the database. Fortunately, Ruby on Rails provides several mechanisms that let you perform these validations efficiently.
In most cases, the fields of a form are injected into an ActiveRecord model, which performs the validation. The ActiveRecord::Validations API lets you easily define rules that validate various aspects of these fields: format, inclusion, length, uniqueness, and many others.
Let's take as an example a contact form allowing your visitors to send a message to your staff. Such a form would contain Last and First Name, Email Address, and Message fields. Let's write a model and its validation mechanism to check the presence and length of each field and the email address format. Here is the code:
ActiveRecord calls every validation method defined in the model during the saving process. If they all succeed, the model is saved to the database. If at least one fails, the model is not saved, and you can then inspect its errors attribute to obtain details about the validation failures.
Here are the details of the methods used in the code above:
While the first two validation methods are easy to understand, the third requires a little more attention.
The first step of email validation consists of checking the format of the email address. To do this, it is sufficient to use the validates_format_of method mentioned earlier in this document along with an efficient regular expression.
The standard Ruby library provides the URI::MailTo class, which declares the regular expression EMAIL_REGEXP. This is suitable in most cases.
Here is how to use it in our model:
Now that this is done, it is important to understand that validating the format of an email address is not enough. Indeed, the address email@example.com, although syntactically valid, almost certainly does not exist. This is why it is necessary to verify not only the format of an email address but also its existence.
The method for checking the existence of an email address consists of extracting the server FQDN (the part after the @ sign), querying the corresponding DNS servers to confirm that the domain exists, and then querying its MX records to confirm that it accepts mail. A well-made verification method will also match the domain against a list of known disposable email services to determine whether the visitor is using a disposable email address.
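The following is an added example, not code from the original article, that carries out the format check with URI::MailTo::EMAIL_REGEXP and the existence steps just described (domain extraction, MX lookup, disposable-domain check) in plain Ruby using only the standard library, so it runs outside Rails; the disposable-domain list and the `mx_lookup`/`resolver` parameters are assumptions made for testability, and the resulting error list could be fed into a custom validator's `record.errors`.

```ruby
require 'uri'
require 'resolv'

# Constructed sample list; a real deployment would load a maintained one.
DISPOSABLE_DOMAINS = %w[mailinator.com guerrillamail.com].freeze

# Looks up the MX hostnames for a domain through the system resolver
# (needs network access). Returns an empty array when the domain has no
# MX records or cannot be resolved, which we treat as "does not accept mail".
def mx_hosts_for(domain, resolver: Resolv::DNS.new)
  resolver.getresources(domain, Resolv::DNS::Resource::IN::MX)
          .map { |mx| mx.exchange.to_s }
rescue Resolv::ResolvError
  []
end

# Validates an email address beyond its syntax, in the order the text gives:
# 1. format check with URI::MailTo::EMAIL_REGEXP (Ruby stdlib, anchored),
# 2. extraction of the domain (the part after the last "@"),
# 3. comparison against the disposable-provider list,
# 4. MX lookup to confirm the domain actually receives mail.
# Returns an array of error messages; an empty array means the address passed.
# mx_lookup is injectable so the DNS step can be stubbed in tests.
def email_errors(address, mx_lookup: method(:mx_hosts_for), disposable: DISPOSABLE_DOMAINS)
  errors = []
  unless address.is_a?(String) && address.match?(URI::MailTo::EMAIL_REGEXP)
    return errors << 'has an invalid format'
  end
  domain = address.split('@').last.downcase
  errors << 'uses a disposable email provider' if disposable.include?(domain)
  # Only consult DNS for syntactically valid addresses, so untrusted input
  # cannot trigger lookups for arbitrary strings.
  errors << 'has a domain that does not accept mail' if mx_lookup.call(domain).empty?
  errors
end

if __FILE__ == $PROGRAM_NAME
  %w[bad-address user@mailinator.com user@example.com].each do |addr|
    errs = email_errors(addr)
    puts "#{addr}: #{errs.empty? ? 'ok' : errs.join(', ')}"
  end
end
```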
Setting up such a complex verification method is beyond this document's scope. But fortunately, there is a solution, easy to implement, which we will discuss in the next chapter.
Abstract API provides several free services accessible via simple HTTP calls, one of them being email validation. This service checks the email format and queries the DNS records and mail servers to verify that the address actually exists. It also checks whether the address belongs to a disposable email service.
You will have to create a free account to get your private API key, and then you can implement email validation in your model like this: