PHP :: Bug #65141 :: filter_var() validates URL with two http:// as valid

Bug #65141

filter_var() validates URL with two http:// as valid

Submitted:

2013-06-27 03:39 UTC

Modified:

2013-07-02 08:21 UTC

Votes:	2
Avg. Score:	3.0 ± 0.0
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	2 (100.0%)

From:

demtheman at yahoo dot com

Assigned:

Status:

Not a bug

Package:

URL related

PHP Version:

5.3.26

OS:

Windows 7 64-bit

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	demtheman at yahoo dot com
New email:
PHP Version:		OS:

New Comment:

[2013-06-27 03:39 UTC] demtheman at yahoo dot com

Description:
------------
I used filter_var() to validate the URL http://http://www.google.com (as test 
URL), however it seems to see it as valid which in fact is wrong. Refer to my SO 
question http://stackoverflow.com/questions/17333612/filter-var-accepts-invalid-
url

Test script:
---------------
$website = "http://http://www.google.com";

echo filter_var($website, FILTER_VALIDATE_URL);

Expected result:
----------------
The filter_var() should return FALSE.

Actual result:
--------------
The filter_var() returns the filtered data.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-06-27 20:56 UTC] cmbecker69 at gmx dot de

According to RFC 2396 Appendix A the example URI doesn't seem to be valid, 
even if it passes the regular expression given in Appendix B.

However, filter_var($var, FILTER_VALIDATE_URL) is based on parse_url().
parse_url('http://http://example.com') evaluates to:
Array
(
    [scheme] => http
    [host] => http
    [path] => //example.com
)
This is apparently wrong in this case according to RFC 2396; neither an abs_path 
nor a rel_path must start with a double slash.

[2013-06-28 21:02 UTC] cmbecker69 at gmx dot de

As Thomas Lahn pointed out in comp.lang.php
(<7348494.GbytuHRu9D@PointedEars.de>)
the mentioned URI (there was used a slightly different URI, 
but that doesn't matter in this case, as the productions can be adapted)
is actually valid according to RFC 2396.

[2013-07-02 08:21 UTC] ab@php.net

-Status: Open +Status: Not a bug

[2013-07-02 08:21 UTC] ab@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Here's the RFC http://www.ietf.org/rfc/rfc2396.txt

Quick BNF evaluation

absoluteURI
	scheme http
	:
	hier_part
		net_path
			//
			authority
				server
					hostport http:

			abs_path
				/
				segment
				segment /www.google.com

That's pretty matchin with the RFC.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Nov 03 21:00:01 2025 UTC