---
title: Sanitize Email Input
impact: MEDIUM
impactDescription: prevents injection attacks via email fields
tags: security, e-mail, validation, sanitization
---

## Sanitize Email Input

When handling email addresses, validate the format and sanitize the input before it reaches a mailer or a database query. An unchecked string from `params[:email]` can carry newlines or other control characters, so it must never be passed straight into mail headers or query text.

**Incorrect (missing validation):**

```ruby
def send_email
  # params[:email] is untrusted user input; it is handed to the mailer
  # without any validation or sanitization.
  @user_email = params[:email]
  UserMailer.welcome(@user_email).deliver_now
end
```

**Correct (regex validation):**

```ruby
class User < ApplicationRecord
  # \A and \z anchor the pattern to the whole string. Ruby's ^ and $ only
  # anchor to a line, so they would accept a newline after a valid address.
  VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
  validates :email, presence: true, format: { with: VALID_EMAIL_REGEX }
end
```
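The model validation above only runs when a `User` record is saved; the mailer path in the incorrect example never touches the model. As an added example that is not part of the original rule, the plain-Ruby helper below applies the same pattern to a raw `params[:email]` value before it is handed to a mailer, and shows why the whole-string anchors matter. The module name `EmailInput`, `sanitize_email` and the length bound are assumptions.

```ruby
# Added example, not from the original page: pre-mailer check for a raw
# params[:email] value. EmailInput, sanitize_email and MAX_LENGTH are assumed names.
module EmailInput
  # Same pattern as the model validation. \A and \z cover the whole string.
  VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i

  # Line-anchored variant, kept only to demonstrate the gap it leaves:
  # ^ and $ in Ruby match at line boundaries, so text after a newline is ignored.
  LINE_ANCHORED_REGEX = /^[\w+\-.]+@[a-z\d\-.]+\.[a-z]+$/i

  MAX_LENGTH = 254 # assumption: practical upper bound for an address

  # Returns the trimmed address, or nil when the input must be rejected.
  # Rejecting is the sanitization step: a value that fails is never "cleaned up"
  # and forwarded, because a patched-up address is still untrusted input.
  def self.sanitize_email(raw)
    return nil unless raw.is_a?(String)
    candidate = raw.strip
    return nil if candidate.empty? || candidate.length > MAX_LENGTH
    # Any control character (CR, LF, NUL, ...) could end up in a mail header
    # or a query string, so it is an outright reject.
    return nil if candidate.match?(/[[:cntrl:]]/)
    return nil unless candidate.match?(VALID_EMAIL_REGEX)
    candidate
  end

  # Check helper: true when the line-anchored pattern accepts a value that the
  # whole-string pattern rejects, i.e. the case \A...\z exists to close.
  def self.line_anchor_accepts_but_strict_rejects?(value)
    value.match?(LINE_ANCHORED_REGEX) && !value.match?(VALID_EMAIL_REGEX)
  end
end

# Constructed sample inputs, shaped like values that could arrive in params[:email].
SAMPLE_INPUTS = [
  "  Alice.Smith+news@Example.com ",            # valid, needs trimming
  "alice@example.com\nBcc: other@example.net",  # newline after a valid address
  "alice@example",                              # no top-level domain
  "",                                           # blank
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INPUTS.each do |input|
    puts "#{input.inspect} -> #{EmailInput.sanitize_email(input).inspect}"
  end
end
```

Call `EmailInput.sanitize_email(params[:email])` in the controller and only invoke the mailer when it returns a non-nil value.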

**Tools:** Rails Validations, Mail gem

---
