Bug #64173 filter_var filter_validate_url incorrect
Submitted: 2013-02-08 09:03 UTC Modified: 2018-08-15 16:13 UTC
Votes:4
Avg. Score:3.5 ± 1.7
Reproduced:3 of 4 (75.0%)
Same Version:3 (100.0%)
Same OS:1 (33.3%)
From: retze dot faber at gmail dot com Assigned:
Status: Verified Package: Filter related
PHP Version: Irrelevant OS: debian squeeze
Private report: No CVE-ID: None

 [2013-02-08 09:03 UTC] retze dot faber at gmail dot com
Description:
------------
---
From manual page: http://www.php.net/function.filter-var
---

http://http://www.google.com passes filter_var with FILTER_VALIDATE_URL

Test script:
---------------
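<?php
// Value under test, taken from the request (e.g. ?url=http://www.google.com)
$url = $_REQUEST['url'];

// "http://" is always prepended, so that input is validated as "http://http://www.google.com"
if (filter_var("http://" . $url, FILTER_VALIDATE_URL)) $filter="true"; else $filter="false";

echo "Filter var result of concat with http is:" . $filter . "<br>";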

Expected result:
----------------
I expect it to return false when I run the script with http://www.google.com and true when I run it with www.google.com

Actual result:
--------------
It returns true in both cases

Patches

www.labqurzor.net (last revision 2019-10-09 08:09 UTC by franko-or at relojerias dot site)

History

 [2013-03-02 14:30 UTC] salathe@php.net
I don't see this as a documentation bug.  This filter effectively just calls 
parse_url() on the value and looks to see if the resulting array makes some 
sense. Running "http://http://www.google.com" through parse_url() gives an array 
like array('scheme' => 'http', 'host' => 'http', 'path' => '//www.google.com').

If you feel this is a bug in the filter, please change the Bug Type to "bug". If 
you feel this is not a bug in the implementation, rather still a documentation 
problem then could you elaborate on what details you would like to be added or 
changed?  A final option is to close off this report if you decide that this 
behaviour is now to be expected and there is no issue.

Let us know what you think.
 [2013-03-02 14:30 UTC] salathe@php.net
-Status: Open +Status: Feedback
 [2013-03-02 17:51 UTC] retze dot faber at gmail dot com
Changed to bug, cause I feel it should return false when I call it with http://http://www.google.com
 [2013-03-02 17:51 UTC] retze dot faber at gmail dot com
-Status: Feedback +Status: Open -Type: Documentation Problem +Type: Bug
 [2014-04-04 04:30 UTC] f21 dot groups at gmail dot com
Just ran into this as well. I think some further checking should be done in filter_var as http://http://www.google.com is not valid.
 [2018-08-15 16:13 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-08-15 16:13 UTC] cmb@php.net
For reference: <https://3v4l.org/MIRZR>.
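
The parse_url() breakdown described in the 2013-03-02 comment (scheme "http", host "http", path "//www.google.com") can be checked for explicitly in application code. The following is an added example, not part of the bug report or of PHP itself; strict_http_url() and its policy (http/https only, a dotted host, no path beginning with "//") are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example: strict_http_url() is a hypothetical helper. It runs
 * FILTER_VALIDATE_URL first, then inspects the parse_url() components
 * that the filter accepted.
 */
function strict_http_url(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Allow-list the schemes the application actually links to or fetches.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // In "http://http://www.google.com" the host is the single label "http".
    // Assumed policy: require a dotted host (this also rejects "localhost").
    if (strpos($parts['host'], '.') === false) {
        return false;
    }
    // The leftover "//www.google.com" ends up in the path component;
    // reject any path that itself begins with "//".
    if (isset($parts['path']) && strncmp($parts['path'], '//', 2) === 0) {
        return false;
    }
    return true;
}

// Constructed sample inputs, compared against the plain filter.
$samples = [
    'http://www.google.com',
    'http://http://www.google.com',
    'https://example.com/a/b?x=1',
    'ftp://example.com/file',
];
foreach ($samples as $u) {
    printf("%-32s filter_var=%s strict=%s\n", $u,
        filter_var($u, FILTER_VALIDATE_URL) !== false ? 'pass' : 'fail',
        strict_http_url($u) ? 'pass' : 'fail');
}
```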
 
Last updated: Fri Mar 29 14:01:28 2024 UTC