Improper validation of Email
Unknown
Vulnerability Details
1. Go to https://bridge.cspr.ng/my/account
Here no rate limit is present for email, display name and real name.
I just entered a 1000-character-long email in the email field and it was accepted,
also for the display name and real name.
Another:
There is no regular expression to check for a valid email.
If you give the email as "aaaaaa", "a++++++++", "vdadva*$'/@4%$123" or "sdfsjghg@something", all will be accepted as a valid email.
Also a 500+ character email is valid according to your code.
Here is the specification for email addresses:
https://en.wikipedia.org/wiki/Email_address
An email ID must be < 254 characters.
As the email ID is stored in MySQL as VARCHAR(128),
all the trailing characters will be truncated in the MySQL DB.
If your email is [email protected] and you entered it as [email protected], then you still receive email at [email protected].
MITIGATION:
You must use filter_var($email, FILTER_VALIDATE_EMAIL) to validate the email,
or use a regex like /^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/
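The following is an added example of what a hardened version of the account-email check could look like; it is not code from the report, from the reporter, or from bridge.cspr.ng. It builds on the filter_var() call recommended above and adds the two things a bare filter_var() does not give you: explicit length limits (the 254-character overall limit and the 64-character local-part limit), and a check that the value also fits the storage column, so an over-long address cannot be silently truncated to a different address by MySQL. The function name validate_email, the PHP 7.1+ requirement and the EMAIL_COLUMN_LIMIT of 128 (taken from the VARCHAR(128) the report mentions) are assumptions made for the example. The sample strings at the bottom are constructed from the report's own test inputs.

```php
<?php
// Added example (not code from the report or from bridge.cspr.ng): a stricter
// account-email check built around the filter_var() call the report recommends.
// Assumptions: the form handler runs on PHP 7.1+ and the email column is
// VARCHAR(128), as the report states, so EMAIL_COLUMN_LIMIT is set to 128.

const EMAIL_MAX_LENGTH   = 254; // overall limit the report cites (RFC 5321)
const LOCAL_PART_MAX     = 64;  // RFC 5321 limit for the part before '@'
const EMAIL_COLUMN_LIMIT = 128; // assumed width of the VARCHAR column

/**
 * Returns null when $email is acceptable, otherwise a short rejection reason.
 * Nothing is trimmed or rewritten, so the value that gets stored is exactly
 * the value that was validated.
 */
function validate_email(string $email, int $columnLimit = EMAIL_COLUMN_LIMIT): ?string
{
    // Whitespace and control characters are never part of a usable address.
    if (preg_match('/[\x00-\x20\x7F]/', $email)) {
        return 'contains whitespace or control characters';
    }

    // Length first: a 500- or 1000-character string is refused before any
    // pattern matching, and the value must also fit the column, otherwise
    // MySQL (outside strict mode) truncates it silently on INSERT.
    $len = strlen($email);
    if ($len === 0 || $len > EMAIL_MAX_LENGTH) {
        return 'length must be between 1 and ' . EMAIL_MAX_LENGTH;
    }
    if ($len > $columnLimit) {
        return 'longer than the storage column allows (' . $columnLimit . ')';
    }

    // Syntax check with PHP's built-in validator, as the report recommends.
    // This alone rejects "aaaaaa", "a++++++++" and "vdadva*$'/@4%$123".
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'not a syntactically valid address';
    }

    // Split at the last '@': the domain can never contain one, but a quoted
    // local part such as "a@b"@example.com can, so explode('@') would be wrong.
    $at     = strrpos($email, '@');
    $local  = substr($email, 0, $at);
    $domain = substr($email, $at + 1);

    if (strlen($local) > LOCAL_PART_MAX) {
        return 'local part longer than ' . LOCAL_PART_MAX . ' characters';
    }

    // filter_var() accepts a bare host name ("sdfsjghg@something"); require a
    // dotted domain so only fully qualified names are stored.
    if (strpos($domain, '.') === false) {
        return 'domain must be a fully qualified name';
    }

    return null;
}

// Constructed samples, built from the report's own test strings.
$samples = [
    'aaaaaa',
    'a++++++++',
    'vdadva*$\'/@4%$123',
    'sdfsjghg@something',
    str_repeat('a', 500) . '@example.com',
    str_repeat('a', 120) . '@example.com', // 132 chars: syntactically fine, too wide for VARCHAR(128)
    'user@example.com',
];

foreach ($samples as $s) {
    $reason = validate_email($s);
    $shown  = strlen($s) > 45 ? substr($s, 0, 42) . '...' : $s;
    printf("%-45s %s\n", $shown, $reason ?? 'accepted');
}
```

Two caveats worth keeping in mind with the report's suggested mitigations. First, the column-width check above only papers over the database side; the durable fix is to widen the column to the limit you validate against (or validate against the column you have) and to run MySQL with STRICT_TRANS_TABLES or STRICT_ALL_TABLES in sql_mode, so an over-long INSERT fails with "Data too long for column" instead of being truncated with a warning. Second, a hand-written pattern that pins the top-level label to `[a-z]{2,3}` will reject perfectly valid addresses on longer TLDs (.info, .museum, and most new gTLDs); filter_var() with FILTER_VALIDATE_EMAIL has no such restriction, which is one reason to prefer it over an ad hoc regex.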
Report Stats
- Report ID: 226334
- State: Closed
- Substate: informative
- Upvotes: 2