Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

https://www.php.net/manual/en/filter.filters.validate.php
> Validates value as URL (according to » http://www.faqs.org/rfcs/rfc2396),
> optionally with required components. Beware a valid URL may not specify the HTTP
> protocol http:// so further validation may be required to determine the URL uses
> an expected protocol, e.g. ssh:// or mailto:. Note that the function will only
> find ASCII URLs to be valid; internationalized domain names (containing non-
> ASCII characters) will fail.

FILTER_VALIDATE_URL validates URLs, not URIs.

I think it is still a bug (or misdocumentation), you are referring to the http://www.faqs.org/rfcs/rfc2396.html in your manual for this function regardless what it is called which is about URIs, so it should either specify that only URLs are being validated or URIs too.

Also... for example `news:comp.infosystems.www.servers.unix` is not a URL either however it passes the validation regardless.

> I think it is still a bug (or misdocumentation), you are referring to the
> http://www.faqs.org/rfcs/rfc2396.html in your manual for this function
> regardless what it is called which is about URIs, so it should either specify
> that only URLs are being validated or URIs too.

RFC 2396 defines the hierarchical format of a URL, which is why it's mentioned. Read section 1.2 to understand the difference between a URL and a URN.

> Also... for example `news:comp.infosystems.www.servers.unix` is not a URL either
> however it passes the validation regardless.

Take another look:

Section 1.2
> The term "Uniform Resource Locator" (URL) refers to the subset of URI that
> identify resources via a representation of their primary access mechanism (e.g.,
> their network "location"), rather than identifying the resource by name or by
> some other attribute(s) of that resource.

https://en.wikipedia.org/wiki/URL
> A Uniform Resource Locator (URL), colloquially termed a web address, is a
> reference to a web resource that specifies its location on a computer network
> and a mechanism for retrieving it. A URL is a specific type of Uniform Resource
> Identifier (URI), although many people use the two terms interchangeably. URLs
> occur most commonly to reference web pages (http), but are also used for file
> transfer (ftp), email (mailto), database access (JDBC), and many other
> applications.

So actually yes, it *is* a URL. It may not be the type of URL that most people are familiar with, like those starting with "http(s)" or containing a "www" or ".com", but it still is one.

I see, right, I've also checked in the meanwhile.

Maybe it should be emphasized in the manual that it does *not* validate an URI only URLs from the RFC? It seems like it is not clear for everyone (wasn't for me either, it is now :) ) what is the actual difference between URLs and URIs and/or why it won't validate URIs.

This issue actually came up with a URI validator from a php library that uses this function and actually fails on validating URIs because of misusing the FILTER_VALIDATE_URL function for this purpose.

Also there should be maybe a filter function for URIs such as FILTER_VALIDATE_URI? Should I open a feature request for that?

Sorry for the inconveniences and thank you very much for your explanation.

> Maybe it should be emphasized in the manual that it does *not* validate an URI
> only URLs from the RFC?

Fair.

If you have an idea for what it should say, the documentation is open source and accepts pull requests on GitHub...
https://github.com/php/doc-en/blob/master/reference/filter/constants.xml

> Also there should be maybe a filter function for URIs such as FILTER_VALIDATE_URI?

The problem with URIs is that they're simply <scheme>:<extra> and the extra portion varies: "tel" looks one way and "http" looks another way and "news" is different still, and that means complexity about how to validate various schemes and which ones should even be allowed...

Validating URNs seems more reasonable, but is there a need for that? They aren't even that complex: "urn:" + identifier + ":" + mostly arbitrary characters, and explode() can handle that quite easily. I'd probably use a regular expression for it.

IMO this is one of those situations where PHP *could* do it, but there's a lot of complexity and nuances and not a whole lot of need, so an implementation is probably better left up to the community.