Tools

Tools: 3 Critical Pitfalls in Signup Form Validation

2026-03-12 0 views admin
Tools: 3 Critical Pitfalls in Signup Form Validation

The First Pitfall: Trusting Frontend Validation Alone

The Second Pitfall: Validating Emails After Signup

The Third Pitfall: Not Checking for Disposable Emails and Spam Traps

The Right Way: Real-Time Validation at Signup

Why This Actually Matters for Your Business

Getting Started Today I was reviewing the user database at a SaaS company where I'd just started consulting. The product had grown to 8,000 active users, and they were struggling with a mysterious problem: their email marketing campaigns were bouncing at 6.2%, just above the critical 5% threshold where ISPs start treating them like spammers. When I dug deeper, I found something worse than bad emails—I found patterns of deliberate negligence in their validation strategy. One user had signed up with [email protected] but the database contained [email protected] (with a "1" instead of an "l"). Another had registered using [email protected], a famous disposable email service. Still others had used catch-all addresses like [email protected] that would accept any email sent to them, trapping the company's transactional messages in a black hole. When I asked the engineering team why these weren't caught, they gave me variations of the same answer: "we validate with regex on the frontend," or "we validate after signup," or "we don't check for disposable emails." That's when I realized signup form validation is much more complex than most developers think. It's not just about regex patterns or timing—it's about understanding exactly when and how to validate, and what factors to check for. Today, I'll walk you through the three critical pitfalls that are probably costing your product right now. Your frontend validation probably looks something like this. You've got a React component with a form, and you validate emails with a regex pattern before the user can submit: This looks fine to a user. The regex catches obviously broken addresses like notanemail or test@, and the form feels responsive. But here's what happens when you test it with real data: The problem is that regex validation only checks syntax. It never touches reality. It doesn't contact the mail server, doesn't check if the domain exists, doesn't verify that the mailbox will actually accept mail. Your 95% regex-validated emails might include 8-10% that are legitimately problematic. Here's the real cost: let's say you have 10,000 users and 8% have problematic emails. You send them your weekly digest. That's 800 bounces. Do it weekly for 4 weeks, and you've sent 3,200 emails that will bounce. Your sending reputation drops. ISPs watch this behavior. After a few weeks, Gmail starts filtering your entire domain to spam. Now your legitimate users don't receive your emails either, even though those addresses are perfectly valid. I've calculated the cost at one company: they were losing roughly $15,000 per month in undelivered transactional emails (password resets, billing notifications) that users didn't receive because their sender reputation was poisoned by 8% bad data. That's the cost of trusting regex alone. Once you realize frontend validation isn't enough, the natural instinct is to add backend validation. Many teams do this, but they make a timing mistake: they validate after the user has already been created in the database. Here's how this typically looks: The problem with this approach is subtle but costly. You've created the user account before knowing whether the email is legitimate. This means: Your database is polluted with bad emails. You now have 10,000 users but maybe 800 of them have invalid emails. Cleaning this up later is expensive. Verification emails don't reach the user. They sign up, click the verification link... except they never receive the email because it's a disposable address or spamtrap. They think your system is broken. You've already paid for storage and computing. Every invalid email in your database is a record you'll need to handle, validate, or clean up later. Your metrics are misleading. You report 10,000 signups, but only 9,200 are real. This makes it hard to understand your actual product-market fit. The timing matters enormously. If you validate after signup, you're working with incomplete information. The user might never complete email verification. They might give up. They might have a bad experience and abandon your product. This is the most insidious problem because it silently degrades your deliverability over time. You validate that an email exists, but you don't check whether it's legitimate—whether it's a real person you want in your system. Disposable email services like 10minutemail.com, tempmail.com, and guerrillamail.com are designed specifically to be temporary. Users sign up for them when they don't want to give you a real email address. Spam traps are even worse—they're email addresses that don't belong to real people but are monitored by ISPs to catch senders who validate against outdated or unreliable lists. Here's what the impact looks like over time. Let's build a scenario where you're not checking for these: Here's the damage this causes. Let's trace what happens over time: Month 1: You have 1,000 users. You don't realize that 80 of them used disposable emails and 15 used spam trap addresses. You start sending transactional emails (order confirmations, password resets). Month 2: Your bounce rate is 8%. The disposable users have lost access (those services delete inboxes after hours). The spam traps are flagging you as a problematic sender. Some ISPs start watching your reputation. Month 3: You send a marketing campaign to your 1,000 users. 800 go to inboxes, 150 go to spam folder, 50 bounce. Your metrics look bad. Month 4: Gmail, Yahoo, and Outlook have reduced trust in your sender reputation. Even emails to real users are being filtered to spam more aggressively. Your product launches a feature and tries to notify users—only 60% receive the notification because of reputation damage. The cost: If you'd validated properly at signup, that 8% bad data would have been 0%. You'd have 920 real users instead of 1,000 fake ones, but your email deliverability would be clean. That difference compounds—after a year, it could mean the difference between a successful email channel and a blocked one. Here's how to fix all three pitfalls in one solution. We'll validate the email in real-time during signup, before creating the user account, and check for disposable addresses and spam traps. First, the frontend stays simple and just collects the email. Don't do fancy validation there: Notice how the frontend is dumb—it just sends the email to the backend. The real magic happens there. The backend is where we use BillionVerify to do real validation: This is the complete fix. Notice the key difference: we validate the email before creating the user account, and we check not just for existence but also for disposable addresses and spam traps. If any of those checks fail, the user never gets created, and your database stays clean. Let me put a number on this. Let's say you're a SaaS product with a $99/month plan and 1,000 paying customers. Your churn rate is 5% per month (pretty standard for SaaS). At 1,000 paying customers, you need 50 new signups per day just to stay flat. If you're growing, you need more. With bad signup validation, maybe 8% of your 50 daily signups are invalid. That's 4 users per day, 120 per month, 1,440 per year who seem to convert but actually don't. They never verify their email, never use the product, never pay. You're spending money on onboarding emails that never arrive, support tickets from users who think your system is broken, and reputation damage from bounces. With proper validation, all 50 of those signups are real. Your verified user rate goes from 92% to 100%. Your email deliverability stays clean. Your support tickets from signup issues drop to nearly zero. It's not just about preventing bad data—it's about ensuring every user who signs up is actually a user who can use your product. The code examples above are complete and ready to use. Here's your implementation checklist: First, sign up for BillionVerify at https://billionverify.com/auth/sign-up. You'll get 100 free credits to test with, no credit card required. Grab your API key and set it as an environment variable. Then, integrate the Node.js code from the backend example into your signup endpoint. Test it with various emails: real ones, disposable ones, spam traps. You'll see immediately how it catches problems that regex would miss. Once you're confident it's working, deploy it to production. Your bounce rates will drop. Your user database will be cleaner. Your email reputation will improve. For detailed API documentation and additional options like batch validation, visit https://billionverify.com/docs. The difference between regex validation and real validation might seem small, but it compounds over time. Start today, and your future self will thank you. Templates let you quickly answer FAQs or store snippets for re-use. Are you sure you want to ? It will become hidden in your post, but will still be visible via the comment's permalink. as well , this person and/or

Command

Copy

$ import React, { useState } from 'react'; function SignupForm() { const [email, setEmail] = useState(''); const [errors, setErrors] = useState({}); const [submitting, setSubmitting] = useState(false); // This is what most developers rely on const validateEmailFormat = (email) => { // RFC 5322 simplified regex (but still incomplete) const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; return emailRegex.test(email); }; const handleChange = (e) => { const value = e.target.value; setEmail(value); // Clear error when user starts typing if (errors.email) { setErrors({ ...errors, email: null }); } }; const handleSubmit = async (e) => { e.preventDefault(); const newErrors = {}; // Frontend validation if (!email) { newErrors.email = 'Email is required'; } else if (!validateEmailFormat(email)) { newErrors.email = 'Invalid email format'; } if (Object.keys(newErrors).length > 0) { setErrors(newErrors); return; } // If we get here, the email "looks valid" to us setSubmitting(true); try { // Send to backend const response = await fetch('/api/signup', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ email, password: 'placeholder' }) }); if (response.ok) { alert('Signup successful!'); } else { const data = await response.json(); setErrors({ email: data.error || 'Signup failed' }); } } catch (error) { setErrors({ email: 'Network error occurred' }); } finally { setSubmitting(false); } }; return ( <form onSubmit={handleSubmit}> <div> <label htmlFor="email">Email Address</label> <input id="email" type="email" value={email} onChange={handleChange} placeholder="[email protected]" disabled={submitting} /> {errors.email && <span className="error">{errors.email}</span>} </div> <button type="submit" disabled={submitting}> {submitting ? 'Creating account...' : 'Sign up'} </button> </form> ); } export default SignupForm; COMMAND_BLOCK: import React, { useState } from 'react'; function SignupForm() { const [email, setEmail] = useState(''); const [errors, setErrors] = useState({}); const [submitting, setSubmitting] = useState(false); // This is what most developers rely on const validateEmailFormat = (email) => { // RFC 5322 simplified regex (but still incomplete) const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; return emailRegex.test(email); }; const handleChange = (e) => { const value = e.target.value; setEmail(value); // Clear error when user starts typing if (errors.email) { setErrors({ ...errors, email: null }); } }; const handleSubmit = async (e) => { e.preventDefault(); const newErrors = {}; // Frontend validation if (!email) { newErrors.email = 'Email is required'; } else if (!validateEmailFormat(email)) { newErrors.email = 'Invalid email format'; } if (Object.keys(newErrors).length > 0) { setErrors(newErrors); return; } // If we get here, the email "looks valid" to us setSubmitting(true); try { // Send to backend const response = await fetch('/api/signup', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ email, password: 'placeholder' }) }); if (response.ok) { alert('Signup successful!'); } else { const data = await response.json(); setErrors({ email: data.error || 'Signup failed' }); } } catch (error) { setErrors({ email: 'Network error occurred' }); } finally { setSubmitting(false); } }; return ( <form onSubmit={handleSubmit}> <div> <label htmlFor="email">Email Address</label> <input id="email" type="email" value={email} onChange={handleChange} placeholder="[email protected]" disabled={submitting} /> {errors.email && <span className="error">{errors.email}</span>} </div> <button type="submit" disabled={submitting}> {submitting ? 'Creating account...' : 'Sign up'} </button> </form> ); } export default SignupForm; COMMAND_BLOCK: import React, { useState } from 'react'; function SignupForm() { const [email, setEmail] = useState(''); const [errors, setErrors] = useState({}); const [submitting, setSubmitting] = useState(false); // This is what most developers rely on const validateEmailFormat = (email) => { // RFC 5322 simplified regex (but still incomplete) const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; return emailRegex.test(email); }; const handleChange = (e) => { const value = e.target.value; setEmail(value); // Clear error when user starts typing if (errors.email) { setErrors({ ...errors, email: null }); } }; const handleSubmit = async (e) => { e.preventDefault(); const newErrors = {}; // Frontend validation if (!email) { newErrors.email = 'Email is required'; } else if (!validateEmailFormat(email)) { newErrors.email = 'Invalid email format'; } if (Object.keys(newErrors).length > 0) { setErrors(newErrors); return; } // If we get here, the email "looks valid" to us setSubmitting(true); try { // Send to backend const response = await fetch('/api/signup', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ email, password: 'placeholder' }) }); if (response.ok) { alert('Signup successful!'); } else { const data = await response.json(); setErrors({ email: data.error || 'Signup failed' }); } } catch (error) { setErrors({ email: 'Network error occurred' }); } finally { setSubmitting(false); } }; return ( <form onSubmit={handleSubmit}> <div> <label htmlFor="email">Email Address</label> <input id="email" type="email" value={email} onChange={handleChange} placeholder="[email protected]" disabled={submitting} /> {errors.email && <span className="error">{errors.email}</span>} </div> <button type="submit" disabled={submitting}> {submitting ? 'Creating account...' : 'Sign up'} </button> </form> ); } export default SignupForm; CODE_BLOCK: [email protected] ✓ Passes (but it's a disposable -weight: 500;">service) [email protected] ✓ Passes (domain doesn't exist) [email protected] ✓ Passes (but might accept ANY address—it's catch-all) [email protected] ✓ Passes (but it's a spamtrap) contact@spam-list.io ✓ Passes (but will damage your reputation) CODE_BLOCK: [email protected] ✓ Passes (but it's a disposable -weight: 500;">service) [email protected] ✓ Passes (domain doesn't exist) [email protected] ✓ Passes (but might accept ANY address—it's catch-all) [email protected] ✓ Passes (but it's a spamtrap) contact@spam-list.io ✓ Passes (but will damage your reputation) CODE_BLOCK: [email protected] ✓ Passes (but it's a disposable -weight: 500;">service) [email protected] ✓ Passes (domain doesn't exist) [email protected] ✓ Passes (but might accept ANY address—it's catch-all) [email protected] ✓ Passes (but it's a spamtrap) contact@spam-list.io ✓ Passes (but will damage your reputation) COMMAND_BLOCK: // Node.js / Express backend const express = require('express'); const bcrypt = require('bcrypt'); const app = express(); app.use(express.json()); // Database connection (pseudocode) const db = require('./database'); // Simple validation function function isValidEmailFormat(email) { const regex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; return regex.test(email); } // The signup endpoint app.post('/api/signup', async (req, res) => { const { email, password } = req.body; try { // Validate format (frontend probably did this too) if (!isValidEmailFormat(email)) { return res.-weight: 500;">status(400).json({ error: 'Invalid email format' }); } // Check if user already exists const existingUser = await db.users.findOne({ email }); if (existingUser) { return res.-weight: 500;">status(409).json({ error: 'Email already registered' }); } // Hash the password const hashedPassword = await bcrypt.hash(password, 10); // Create the user in the database // This is the critical moment—we're committing to this email const user = await db.users.create({ email, password: hashedPassword, createdAt: new Date(), verified: false }); // Only NOW do we send a verification email // But at this point, we don't know if the email actually exists await sendVerificationEmail(email); res.-weight: 500;">status(201).json({ message: 'Account created. Check your email for verification link.', userId: user.id }); } catch (error) { console.error('Signup error:', error); res.-weight: 500;">status(500).json({ error: 'Signup failed' }); } }); // This runs hours or days later async function sendVerificationEmail(email) { // The user never receives this because: // - Email format was wrong (typo like gmai1.com) // - Domain is disposable and inaccessible // - Domain is a spamtrap // But we already created the account! const verificationToken = generateToken(); await db.verificationTokens.create({ email, token: verificationToken }); return sendEmail({ to: email, subject: 'Verify Your Email', html: `Click here to verify: https://example.com/verify?token=${verificationToken}` }); } COMMAND_BLOCK: // Node.js / Express backend const express = require('express'); const bcrypt = require('bcrypt'); const app = express(); app.use(express.json()); // Database connection (pseudocode) const db = require('./database'); // Simple validation function function isValidEmailFormat(email) { const regex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; return regex.test(email); } // The signup endpoint app.post('/api/signup', async (req, res) => { const { email, password } = req.body; try { // Validate format (frontend probably did this too) if (!isValidEmailFormat(email)) { return res.-weight: 500;">status(400).json({ error: 'Invalid email format' }); } // Check if user already exists const existingUser = await db.users.findOne({ email }); if (existingUser) { return res.-weight: 500;">status(409).json({ error: 'Email already registered' }); } // Hash the password const hashedPassword = await bcrypt.hash(password, 10); // Create the user in the database // This is the critical moment—we're committing to this email const user = await db.users.create({ email, password: hashedPassword, createdAt: new Date(), verified: false }); // Only NOW do we send a verification email // But at this point, we don't know if the email actually exists await sendVerificationEmail(email); res.-weight: 500;">status(201).json({ message: 'Account created. Check your email for verification link.', userId: user.id }); } catch (error) { console.error('Signup error:', error); res.-weight: 500;">status(500).json({ error: 'Signup failed' }); } }); // This runs hours or days later async function sendVerificationEmail(email) { // The user never receives this because: // - Email format was wrong (typo like gmai1.com) // - Domain is disposable and inaccessible // - Domain is a spamtrap // But we already created the account! const verificationToken = generateToken(); await db.verificationTokens.create({ email, token: verificationToken }); return sendEmail({ to: email, subject: 'Verify Your Email', html: `Click here to verify: https://example.com/verify?token=${verificationToken}` }); } COMMAND_BLOCK: // Node.js / Express backend const express = require('express'); const bcrypt = require('bcrypt'); const app = express(); app.use(express.json()); // Database connection (pseudocode) const db = require('./database'); // Simple validation function function isValidEmailFormat(email) { const regex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; return regex.test(email); } // The signup endpoint app.post('/api/signup', async (req, res) => { const { email, password } = req.body; try { // Validate format (frontend probably did this too) if (!isValidEmailFormat(email)) { return res.-weight: 500;">status(400).json({ error: 'Invalid email format' }); } // Check if user already exists const existingUser = await db.users.findOne({ email }); if (existingUser) { return res.-weight: 500;">status(409).json({ error: 'Email already registered' }); } // Hash the password const hashedPassword = await bcrypt.hash(password, 10); // Create the user in the database // This is the critical moment—we're committing to this email const user = await db.users.create({ email, password: hashedPassword, createdAt: new Date(), verified: false }); // Only NOW do we send a verification email // But at this point, we don't know if the email actually exists await sendVerificationEmail(email); res.-weight: 500;">status(201).json({ message: 'Account created. Check your email for verification link.', userId: user.id }); } catch (error) { console.error('Signup error:', error); res.-weight: 500;">status(500).json({ error: 'Signup failed' }); } }); // This runs hours or days later async function sendVerificationEmail(email) { // The user never receives this because: // - Email format was wrong (typo like gmai1.com) // - Domain is disposable and inaccessible // - Domain is a spamtrap // But we already created the account! const verificationToken = generateToken(); await db.verificationTokens.create({ email, token: verificationToken }); return sendEmail({ to: email, subject: 'Verify Your Email', html: `Click here to verify: https://example.com/verify?token=${verificationToken}` }); } COMMAND_BLOCK: # Python backend with Flask from flask import Flask, request, jsonify import os from datetime import datetime, timedelta import smtplib app = Flask(__name__) # Simple email format check (same problem as before) def validate_email_format(email): import re pattern = r'^[^\s@]+@[^\s@]+\.[^\s@]+$' return re.match(pattern, email) is not None # Database connection class Database: def __init__(self): # Pseudocode—in reality this would be SQLAlchemy or similar self.users = [] def create_user(self, email, password_hash): user = { 'id': len(self.users) + 1, 'email': email, 'password': password_hash, 'created_at': datetime.now(), 'verified': False } self.users.append(user) return user db = Database() @app.route('/api/signup', methods=['POST']) def signup(): data = request.json email = data.get('email', '').strip().lower() password = data.get('password', '') # Validation step 1: Format check only if not validate_email_format(email): return jsonify({'error': 'Invalid email format'}), 400 # Validation step 2: Check if exists (but we're about to create it) existing = next((u for u in db.users if u['email'] == email), None) if existing: return jsonify({'error': 'Email already registered'}), 409 # Create user immediately import hashlib password_hash = hashlib.sha256(password.encode()).hexdigest() user = db.create_user(email, password_hash) # Send verification email send_verification_email(email) return jsonify({ 'message': 'Account created. Verify your email to continue.', 'user_id': user['id'] }), 201 def send_verification_email(email): # This function will send to: # - [email protected] (temporary, user will lose access) # - admin@fake-domain.com (spam trap, damages reputation) # - catch-all@company.com (goes nowhere meaningful) # But we don't check for any of these verification_token = 'fake_token_' + os.urandom(16).hex() # Log that we're sending (we're not actually sending in this example) print(f'Verification email sent to {email}') print(f' Token: {verification_token}') print(f' Will reach user: {predict_email_reachability(email)}') def predict_email_reachability(email): """ This function is pseudocode to show what we're missing. A real implementation would check: - Is this a known disposable -weight: 500;">service? - Is this a spam trap? - Does the domain accept all addresses (catch-all)? - Is this a role-based email? """ disposable_domains = [ 'tempmail.com', '10minutemail.com', 'guerrillamail.com', 'mailinator.com', 'temp-mail.org', 'throwaway.email' ] spam_trap_domains = [ 'fake-domain.com', 'nonexistent-company.xyz', 'spamtrap.io' ] domain = email.split('@')[1] if domain in disposable_domains: return False # Won't reach user if domain in spam_trap_domains: return False # Will damage reputation return True # Probably fine (wrong!) # Example of what gets into your database if __name__ == '__main__': test_signups = [ ('[email protected]', 'password123'), # Real ('[email protected]', 'password456'), # Disposable ('admin@fake-domain.com', 'password789'), # Spam trap ('[email protected]', 'password000'), # Role account ] for email, password in test_signups: print(f'\nSignup: {email}') data = {'email': email, 'password': password} # This would call signup() in a real app reachability = predict_email_reachability(email) print(f' Can reach user: {reachability}') print(f' But we created account anyway!') COMMAND_BLOCK: # Python backend with Flask from flask import Flask, request, jsonify import os from datetime import datetime, timedelta import smtplib app = Flask(__name__) # Simple email format check (same problem as before) def validate_email_format(email): import re pattern = r'^[^\s@]+@[^\s@]+\.[^\s@]+$' return re.match(pattern, email) is not None # Database connection class Database: def __init__(self): # Pseudocode—in reality this would be SQLAlchemy or similar self.users = [] def create_user(self, email, password_hash): user = { 'id': len(self.users) + 1, 'email': email, 'password': password_hash, 'created_at': datetime.now(), 'verified': False } self.users.append(user) return user db = Database() @app.route('/api/signup', methods=['POST']) def signup(): data = request.json email = data.get('email', '').strip().lower() password = data.get('password', '') # Validation step 1: Format check only if not validate_email_format(email): return jsonify({'error': 'Invalid email format'}), 400 # Validation step 2: Check if exists (but we're about to create it) existing = next((u for u in db.users if u['email'] == email), None) if existing: return jsonify({'error': 'Email already registered'}), 409 # Create user immediately import hashlib password_hash = hashlib.sha256(password.encode()).hexdigest() user = db.create_user(email, password_hash) # Send verification email send_verification_email(email) return jsonify({ 'message': 'Account created. Verify your email to continue.', 'user_id': user['id'] }), 201 def send_verification_email(email): # This function will send to: # - [email protected] (temporary, user will lose access) # - admin@fake-domain.com (spam trap, damages reputation) # - catch-all@company.com (goes nowhere meaningful) # But we don't check for any of these verification_token = 'fake_token_' + os.urandom(16).hex() # Log that we're sending (we're not actually sending in this example) print(f'Verification email sent to {email}') print(f' Token: {verification_token}') print(f' Will reach user: {predict_email_reachability(email)}') def predict_email_reachability(email): """ This function is pseudocode to show what we're missing. A real implementation would check: - Is this a known disposable -weight: 500;">service? - Is this a spam trap? - Does the domain accept all addresses (catch-all)? - Is this a role-based email? """ disposable_domains = [ 'tempmail.com', '10minutemail.com', 'guerrillamail.com', 'mailinator.com', 'temp-mail.org', 'throwaway.email' ] spam_trap_domains = [ 'fake-domain.com', 'nonexistent-company.xyz', 'spamtrap.io' ] domain = email.split('@')[1] if domain in disposable_domains: return False # Won't reach user if domain in spam_trap_domains: return False # Will damage reputation return True # Probably fine (wrong!) # Example of what gets into your database if __name__ == '__main__': test_signups = [ ('[email protected]', 'password123'), # Real ('[email protected]', 'password456'), # Disposable ('admin@fake-domain.com', 'password789'), # Spam trap ('[email protected]', 'password000'), # Role account ] for email, password in test_signups: print(f'\nSignup: {email}') data = {'email': email, 'password': password} # This would call signup() in a real app reachability = predict_email_reachability(email) print(f' Can reach user: {reachability}') print(f' But we created account anyway!') COMMAND_BLOCK: # Python backend with Flask from flask import Flask, request, jsonify import os from datetime import datetime, timedelta import smtplib app = Flask(__name__) # Simple email format check (same problem as before) def validate_email_format(email): import re pattern = r'^[^\s@]+@[^\s@]+\.[^\s@]+$' return re.match(pattern, email) is not None # Database connection class Database: def __init__(self): # Pseudocode—in reality this would be SQLAlchemy or similar self.users = [] def create_user(self, email, password_hash): user = { 'id': len(self.users) + 1, 'email': email, 'password': password_hash, 'created_at': datetime.now(), 'verified': False } self.users.append(user) return user db = Database() @app.route('/api/signup', methods=['POST']) def signup(): data = request.json email = data.get('email', '').strip().lower() password = data.get('password', '') # Validation step 1: Format check only if not validate_email_format(email): return jsonify({'error': 'Invalid email format'}), 400 # Validation step 2: Check if exists (but we're about to create it) existing = next((u for u in db.users if u['email'] == email), None) if existing: return jsonify({'error': 'Email already registered'}), 409 # Create user immediately import hashlib password_hash = hashlib.sha256(password.encode()).hexdigest() user = db.create_user(email, password_hash) # Send verification email send_verification_email(email) return jsonify({ 'message': 'Account created. Verify your email to continue.', 'user_id': user['id'] }), 201 def send_verification_email(email): # This function will send to: # - [email protected] (temporary, user will lose access) # - admin@fake-domain.com (spam trap, damages reputation) # - catch-all@company.com (goes nowhere meaningful) # But we don't check for any of these verification_token = 'fake_token_' + os.urandom(16).hex() # Log that we're sending (we're not actually sending in this example) print(f'Verification email sent to {email}') print(f' Token: {verification_token}') print(f' Will reach user: {predict_email_reachability(email)}') def predict_email_reachability(email): """ This function is pseudocode to show what we're missing. A real implementation would check: - Is this a known disposable -weight: 500;">service? - Is this a spam trap? - Does the domain accept all addresses (catch-all)? - Is this a role-based email? """ disposable_domains = [ 'tempmail.com', '10minutemail.com', 'guerrillamail.com', 'mailinator.com', 'temp-mail.org', 'throwaway.email' ] spam_trap_domains = [ 'fake-domain.com', 'nonexistent-company.xyz', 'spamtrap.io' ] domain = email.split('@')[1] if domain in disposable_domains: return False # Won't reach user if domain in spam_trap_domains: return False # Will damage reputation return True # Probably fine (wrong!) # Example of what gets into your database if __name__ == '__main__': test_signups = [ ('[email protected]', 'password123'), # Real ('[email protected]', 'password456'), # Disposable ('admin@fake-domain.com', 'password789'), # Spam trap ('[email protected]', 'password000'), # Role account ] for email, password in test_signups: print(f'\nSignup: {email}') data = {'email': email, 'password': password} # This would call signup() in a real app reachability = predict_email_reachability(email) print(f' Can reach user: {reachability}') print(f' But we created account anyway!') COMMAND_BLOCK: import React, { useState } from 'react'; function SignupForm() { const [email, setEmail] = useState(''); const [password, setPassword] = useState(''); const [loading, setLoading] = useState(false); const [error, setError] = useState(null); const [success, setSuccess] = useState(false); const handleSubmit = async (e) => { e.preventDefault(); setError(null); setLoading(true); try { // Send to backend for real validation const response = await fetch('/api/signup', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ email, password }) }); const data = await response.json(); if (!response.ok) { // Backend will tell us if email is invalid, disposable, spam trap, etc. setError(data.error || 'Signup failed'); return; } setSuccess(true); setEmail(''); setPassword(''); } catch (error) { setError('Network error. Please try again.'); } finally { setLoading(false); } }; return ( <form onSubmit={handleSubmit}> <div> <label htmlFor="email">Email Address</label> <input id="email" type="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="[email protected]" required disabled={loading} /> </div> <div> <label htmlFor="password">Password</label> <input id="password" type="password" value={password} onChange={(e) => setPassword(e.target.value)} required disabled={loading} /> </div> {error && <div className="error">{error}</div>} {success && <div className="success">Account created! Check your email.</div>} <button type="submit" disabled={loading}> {loading ? 'Creating account...' : 'Sign up'} </button> </form> ); } export default SignupForm; COMMAND_BLOCK: import React, { useState } from 'react'; function SignupForm() { const [email, setEmail] = useState(''); const [password, setPassword] = useState(''); const [loading, setLoading] = useState(false); const [error, setError] = useState(null); const [success, setSuccess] = useState(false); const handleSubmit = async (e) => { e.preventDefault(); setError(null); setLoading(true); try { // Send to backend for real validation const response = await fetch('/api/signup', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ email, password }) }); const data = await response.json(); if (!response.ok) { // Backend will tell us if email is invalid, disposable, spam trap, etc. setError(data.error || 'Signup failed'); return; } setSuccess(true); setEmail(''); setPassword(''); } catch (error) { setError('Network error. Please try again.'); } finally { setLoading(false); } }; return ( <form onSubmit={handleSubmit}> <div> <label htmlFor="email">Email Address</label> <input id="email" type="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="[email protected]" required disabled={loading} /> </div> <div> <label htmlFor="password">Password</label> <input id="password" type="password" value={password} onChange={(e) => setPassword(e.target.value)} required disabled={loading} /> </div> {error && <div className="error">{error}</div>} {success && <div className="success">Account created! Check your email.</div>} <button type="submit" disabled={loading}> {loading ? 'Creating account...' : 'Sign up'} </button> </form> ); } export default SignupForm; COMMAND_BLOCK: import React, { useState } from 'react'; function SignupForm() { const [email, setEmail] = useState(''); const [password, setPassword] = useState(''); const [loading, setLoading] = useState(false); const [error, setError] = useState(null); const [success, setSuccess] = useState(false); const handleSubmit = async (e) => { e.preventDefault(); setError(null); setLoading(true); try { // Send to backend for real validation const response = await fetch('/api/signup', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ email, password }) }); const data = await response.json(); if (!response.ok) { // Backend will tell us if email is invalid, disposable, spam trap, etc. setError(data.error || 'Signup failed'); return; } setSuccess(true); setEmail(''); setPassword(''); } catch (error) { setError('Network error. Please try again.'); } finally { setLoading(false); } }; return ( <form onSubmit={handleSubmit}> <div> <label htmlFor="email">Email Address</label> <input id="email" type="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="[email protected]" required disabled={loading} /> </div> <div> <label htmlFor="password">Password</label> <input id="password" type="password" value={password} onChange={(e) => setPassword(e.target.value)} required disabled={loading} /> </div> {error && <div className="error">{error}</div>} {success && <div className="success">Account created! Check your email.</div>} <button type="submit" disabled={loading}> {loading ? 'Creating account...' : 'Sign up'} </button> </form> ); } export default SignupForm; COMMAND_BLOCK: // Node.js / Express backend with real email validation const express = require('express'); const https = require('https'); const bcrypt = require('bcrypt'); const app = express(); app.use(express.json()); // Database pseudocode const db = require('./database'); class BillionVerifyClient { constructor(apiKey) { this.apiKey = apiKey; } async verify(email) { return new Promise((resolve, reject) => { const requestBody = JSON.stringify({ email: email, check_smtp: true }); const options = { hostname: 'api.billionverify.com', path: '/v1/verify/single', method: 'POST', headers: { 'BV-API-KEY': this.apiKey, 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(requestBody), 'User-Agent': 'MyApp-Signup/1.0', 'Connection': 'keep-alive' }, timeout: 5000 }; const req = https.request(options, (res) => { let data = ''; res.on('data', (chunk) => { data += chunk; }); res.on('end', () => { try { const result = JSON.parse(data); resolve(result); } catch (error) { reject(new Error('Invalid API response')); } }); }); req.on('error', reject); req.on('timeout', () => { req.destroy(); reject(new Error('Validation timeout')); }); req.write(requestBody); req.end(); }); } } const verifier = new BillionVerifyClient(process.env.BILLIONVERIFY_API_KEY); // The signup endpoint—now with real validation app.post('/api/signup', async (req, res) => { const { email, password } = req.body; try { // Step 1: Basic format check (just to catch obviously broken input) if (!email || !email.includes('@')) { return res.-weight: 500;">status(400).json({ error: 'Invalid email format' }); } // Step 2: Check if already registered const existingUser = await db.users.findOne({ email: email.toLowerCase() }); if (existingUser) { return res.-weight: 500;">status(409).json({ error: 'Email already registered' }); } // Step 3: REAL VALIDATION via BillionVerify // This is the critical difference—we validate BEFORE creating the account let validationResult; try { validationResult = await verifier.verify(email); } catch (error) { console.error('Validation -weight: 500;">service error:', error); // Fail closed: if we can't validate, reject the signup // This protects your reputation return res.-weight: 500;">status(503).json({ error: 'Email validation -weight: 500;">service temporarily unavailable. Try again later.' }); } // Step 4: Apply business rules based on validation result if (validationResult.-weight: 500;">status !== 'valid') { return res.-weight: 500;">status(400).json({ error: 'This email address does not exist or is not valid' }); } if (validationResult.is_disposable) { return res.-weight: 500;">status(400).json({ error: 'Please use a permanent email address, not a temporary one' }); } if (validationResult.is_spam_trap) { // This is a security issue—someone might be testing our system console.warn(`Spam trap signup attempt: ${email}`); return res.-weight: 500;">status(400).json({ error: 'This email address cannot be used' }); } // Step 5: Only NOW create the user account // We know the email is real, permanent, and not a spam trap const hashedPassword = await bcrypt.hash(password, 10); const user = await db.users.create({ email: email.toLowerCase(), password: hashedPassword, createdAt: new Date(), verified: false, validationData: { // Store validation data for future reference isValid: true, isCatchAll: validationResult.is_catch_all, isRoleAccount: validationResult.is_role_account, validatedAt: new Date() } }); // Step 6: Send verification email to an address we trust // The user can now actually receive and verify the email await sendVerificationEmail(email, user.id); res.-weight: 500;">status(201).json({ message: 'Account created successfully! Check your email to verify.', userId: user.id }); } catch (error) { console.error('Signup error:', error); res.-weight: 500;">status(500).json({ error: 'Signup failed. Please try again.' }); } }); async function sendVerificationEmail(email, userId) { // In a real app, this would use nodemailer or a -weight: 500;">service like SendGrid const token = generateVerificationToken(userId); // Store token in database await db.verificationTokens.create({ userId, email, token, expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000) }); // Send email (pseudocode) console.log(`Verification email sent to ${email}`); console.log(`Link: https://example.com/verify?token=${token}`); } function generateVerificationToken(userId) { const crypto = require('crypto'); return crypto.randomBytes(32).toString('hex'); } app.listen(3000, () => console.log('Server running on port 3000')); COMMAND_BLOCK: // Node.js / Express backend with real email validation const express = require('express'); const https = require('https'); const bcrypt = require('bcrypt'); const app = express(); app.use(express.json()); // Database pseudocode const db = require('./database'); class BillionVerifyClient { constructor(apiKey) { this.apiKey = apiKey; } async verify(email) { return new Promise((resolve, reject) => { const requestBody = JSON.stringify({ email: email, check_smtp: true }); const options = { hostname: 'api.billionverify.com', path: '/v1/verify/single', method: 'POST', headers: { 'BV-API-KEY': this.apiKey, 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(requestBody), 'User-Agent': 'MyApp-Signup/1.0', 'Connection': 'keep-alive' }, timeout: 5000 }; const req = https.request(options, (res) => { let data = ''; res.on('data', (chunk) => { data += chunk; }); res.on('end', () => { try { const result = JSON.parse(data); resolve(result); } catch (error) { reject(new Error('Invalid API response')); } }); }); req.on('error', reject); req.on('timeout', () => { req.destroy(); reject(new Error('Validation timeout')); }); req.write(requestBody); req.end(); }); } } const verifier = new BillionVerifyClient(process.env.BILLIONVERIFY_API_KEY); // The signup endpoint—now with real validation app.post('/api/signup', async (req, res) => { const { email, password } = req.body; try { // Step 1: Basic format check (just to catch obviously broken input) if (!email || !email.includes('@')) { return res.-weight: 500;">status(400).json({ error: 'Invalid email format' }); } // Step 2: Check if already registered const existingUser = await db.users.findOne({ email: email.toLowerCase() }); if (existingUser) { return res.-weight: 500;">status(409).json({ error: 'Email already registered' }); } // Step 3: REAL VALIDATION via BillionVerify // This is the critical difference—we validate BEFORE creating the account let validationResult; try { validationResult = await verifier.verify(email); } catch (error) { console.error('Validation -weight: 500;">service error:', error); // Fail closed: if we can't validate, reject the signup // This protects your reputation return res.-weight: 500;">status(503).json({ error: 'Email validation -weight: 500;">service temporarily unavailable. Try again later.' }); } // Step 4: Apply business rules based on validation result if (validationResult.-weight: 500;">status !== 'valid') { return res.-weight: 500;">status(400).json({ error: 'This email address does not exist or is not valid' }); } if (validationResult.is_disposable) { return res.-weight: 500;">status(400).json({ error: 'Please use a permanent email address, not a temporary one' }); } if (validationResult.is_spam_trap) { // This is a security issue—someone might be testing our system console.warn(`Spam trap signup attempt: ${email}`); return res.-weight: 500;">status(400).json({ error: 'This email address cannot be used' }); } // Step 5: Only NOW create the user account // We know the email is real, permanent, and not a spam trap const hashedPassword = await bcrypt.hash(password, 10); const user = await db.users.create({ email: email.toLowerCase(), password: hashedPassword, createdAt: new Date(), verified: false, validationData: { // Store validation data for future reference isValid: true, isCatchAll: validationResult.is_catch_all, isRoleAccount: validationResult.is_role_account, validatedAt: new Date() } }); // Step 6: Send verification email to an address we trust // The user can now actually receive and verify the email await sendVerificationEmail(email, user.id); res.-weight: 500;">status(201).json({ message: 'Account created successfully! Check your email to verify.', userId: user.id }); } catch (error) { console.error('Signup error:', error); res.-weight: 500;">status(500).json({ error: 'Signup failed. Please try again.' }); } }); async function sendVerificationEmail(email, userId) { // In a real app, this would use nodemailer or a -weight: 500;">service like SendGrid const token = generateVerificationToken(userId); // Store token in database await db.verificationTokens.create({ userId, email, token, expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000) }); // Send email (pseudocode) console.log(`Verification email sent to ${email}`); console.log(`Link: https://example.com/verify?token=${token}`); } function generateVerificationToken(userId) { const crypto = require('crypto'); return crypto.randomBytes(32).toString('hex'); } app.listen(3000, () => console.log('Server running on port 3000')); COMMAND_BLOCK: // Node.js / Express backend with real email validation const express = require('express'); const https = require('https'); const bcrypt = require('bcrypt'); const app = express(); app.use(express.json()); // Database pseudocode const db = require('./database'); class BillionVerifyClient { constructor(apiKey) { this.apiKey = apiKey; } async verify(email) { return new Promise((resolve, reject) => { const requestBody = JSON.stringify({ email: email, check_smtp: true }); const options = { hostname: 'api.billionverify.com', path: '/v1/verify/single', method: 'POST', headers: { 'BV-API-KEY': this.apiKey, 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(requestBody), 'User-Agent': 'MyApp-Signup/1.0', 'Connection': 'keep-alive' }, timeout: 5000 }; const req = https.request(options, (res) => { let data = ''; res.on('data', (chunk) => { data += chunk; }); res.on('end', () => { try { const result = JSON.parse(data); resolve(result); } catch (error) { reject(new Error('Invalid API response')); } }); }); req.on('error', reject); req.on('timeout', () => { req.destroy(); reject(new Error('Validation timeout')); }); req.write(requestBody); req.end(); }); } } const verifier = new BillionVerifyClient(process.env.BILLIONVERIFY_API_KEY); // The signup endpoint—now with real validation app.post('/api/signup', async (req, res) => { const { email, password } = req.body; try { // Step 1: Basic format check (just to catch obviously broken input) if (!email || !email.includes('@')) { return res.-weight: 500;">status(400).json({ error: 'Invalid email format' }); } // Step 2: Check if already registered const existingUser = await db.users.findOne({ email: email.toLowerCase() }); if (existingUser) { return res.-weight: 500;">status(409).json({ error: 'Email already registered' }); } // Step 3: REAL VALIDATION via BillionVerify // This is the critical difference—we validate BEFORE creating the account let validationResult; try { validationResult = await verifier.verify(email); } catch (error) { console.error('Validation -weight: 500;">service error:', error); // Fail closed: if we can't validate, reject the signup // This protects your reputation return res.-weight: 500;">status(503).json({ error: 'Email validation -weight: 500;">service temporarily unavailable. Try again later.' }); } // Step 4: Apply business rules based on validation result if (validationResult.-weight: 500;">status !== 'valid') { return res.-weight: 500;">status(400).json({ error: 'This email address does not exist or is not valid' }); } if (validationResult.is_disposable) { return res.-weight: 500;">status(400).json({ error: 'Please use a permanent email address, not a temporary one' }); } if (validationResult.is_spam_trap) { // This is a security issue—someone might be testing our system console.warn(`Spam trap signup attempt: ${email}`); return res.-weight: 500;">status(400).json({ error: 'This email address cannot be used' }); } // Step 5: Only NOW create the user account // We know the email is real, permanent, and not a spam trap const hashedPassword = await bcrypt.hash(password, 10); const user = await db.users.create({ email: email.toLowerCase(), password: hashedPassword, createdAt: new Date(), verified: false, validationData: { // Store validation data for future reference isValid: true, isCatchAll: validationResult.is_catch_all, isRoleAccount: validationResult.is_role_account, validatedAt: new Date() } }); // Step 6: Send verification email to an address we trust // The user can now actually receive and verify the email await sendVerificationEmail(email, user.id); res.-weight: 500;">status(201).json({ message: 'Account created successfully! Check your email to verify.', userId: user.id }); } catch (error) { console.error('Signup error:', error); res.-weight: 500;">status(500).json({ error: 'Signup failed. Please try again.' }); } }); async function sendVerificationEmail(email, userId) { // In a real app, this would use nodemailer or a -weight: 500;">service like SendGrid const token = generateVerificationToken(userId); // Store token in database await db.verificationTokens.create({ userId, email, token, expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000) }); // Send email (pseudocode) console.log(`Verification email sent to ${email}`); console.log(`Link: https://example.com/verify?token=${token}`); } function generateVerificationToken(userId) { const crypto = require('crypto'); return crypto.randomBytes(32).toString('hex'); } app.listen(3000, () => console.log('Server running on port 3000')); - Your database is polluted with bad emails. You now have 10,000 users but maybe 800 of them have invalid emails. Cleaning this up later is expensive. - Verification emails don't reach the user. They sign up, click the verification link... except they never receive the email because it's a disposable address or spamtrap. They think your system is broken. - You've already paid for storage and computing. Every invalid email in your database is a record you'll need to handle, validate, or clean up later. - Your metrics are misleading. You report 10,000 signups, but only 9,200 are real. This makes it hard to understand your actual product-market fit.

🏷️ Tags

toolsutilitiessecurity toolscriticalpitfallssignupvalidationpitfall

More from Tools

Tools: Gas-Aware Trading: Execute Only When Gas Is Cheap (2026)

Tools: Gas-Aware Trading: Execute Only When Gas Is Cheap (2026)

2026-03-30 0
Tools: Grafana k6 Has a Free API That Load Tests Your APIs With JavaScript - Full Analysis

Tools: Grafana k6 Has a Free API That Load Tests Your APIs With JavaScript - Full Analysis

2026-03-30 0
Tools: Caddy Has a Free API That Gives You Automatic HTTPS With Zero Configuration (2026)

Tools: Caddy Has a Free API That Gives You Automatic HTTPS With Zero Configuration (2026)

2026-03-30 0
Tools: Fly.io Has a Free API That Deploys Docker Apps Globally With Edge Hosting (2026)

Tools: Fly.io Has a Free API That Deploys Docker Apps Globally With Edge Hosting (2026)

2026-03-30 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views