php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #77331 FILTER_VALIDATE_DOMAIN fail on example.org/wat
Submitted: 2018-12-20 22:22 UTC Modified: 2021-04-06 15:23 UTC
Votes:8
Avg. Score:3.4 ± 1.6
Reproduced:6 of 6 (100.0%)
Same Version:5 (83.3%)
Same OS:4 (66.7%)
From: divinity76 at gmail dot com Assigned: cmb (profile)
Status: Not a bug Package: Unknown/Other Function
PHP Version: 7.2 OS: Win7 x64 & Ubuntu 18.04
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: divinity76 at gmail dot com
New email:
PHP Version: OS:

 

 [2018-12-20 22:22 UTC] divinity76 at gmail dot com 
Description:
------------
FILTER_VALIDATE_DOMAIN fail to realize that "example.org/wat" is not a domain (URL? guess you can say that. domain? don't think so.) - interestingly, FILTER_VALIDATE_DOMAIN works fine if FILTER_FLAG_HOSTNAME is provided, the bug is only present when FILTER_FLAG_HOSTNAME is not provided.

Test script:
---------------
<?php

var_dump(
    filter_var('example.org/wat',FILTER_VALIDATE_DOMAIN),
    filter_var('example.org/wat',FILTER_VALIDATE_DOMAIN,FILTER_FLAG_HOSTNAME)
    );


Expected result:
----------------
bool(false)
bool(false)

Actual result:
--------------
string(15) "example.org/wat"
bool(false)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-20 23:28 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: 7.3.0 +PHP Version: 7.2
 [2018-12-20 23:29 UTC] cmb@php.net 
See <https://3v4l.org/QRW3K>.
 [2018-12-22 03:36 UTC] a at b dot c dot de 
FILTER_VALIDATE_DOMAIN is only looking at the lengths of the domain string and those of the bits between '.' characters (this is documented but doesn't seem hugely useful).

var_dump(
 filter_var('***.****',FILTER_VALIDATE_DOMAIN),
 filter_var('!',FILTER_VALIDATE_DOMAIN),
 filter_var('*******',FILTER_VALIDATE_DOMAIN),
 filter_var(str_repeat('*', 63),FILTER_VALIDATE_DOMAIN),
 filter_var(str_repeat('*', 64),FILTER_VALIDATE_DOMAIN) // Too long
);

Meanwhile, FILTER_FLAG_HOSTNAME rejects domains with legal hyphens:

var_dump(
 // A hyphen with a well-known story behind it
 filter_var('experts-exchange.com',
            FILTER_VALIDATE_DOMAIN | FILTER_FLAG_HOSTNAME),
 // Punycode (Greek test TLD)
 filter_var('xn--jxalpdlp',
            FILTER_VALIDATE_DOMAIN | FILTER_FLAG_HOSTNAME)
);
 [2018-12-22 09:09 UTC] divinity76 at gmail dot com 
@ a at b dot c dot de , 

this is not a comment on the validity of your claim, but you are using filter_var wrong, FILTER_FLAG_HOSTNAME goes as the third parameter, it is not supposed to be bitwise-or'ed into the 2nd parameter. (filter_var is weird, check the docs)
 [2018-12-22 14:22 UTC] php at bitm dot sg 
I want to add here that a whitespace and empty string should probably pass in the future. Empty string refers to the DNS Root: https://en.wikipedia.org/wiki/Fully_qualified_domain_name#Syntax
 [2019-01-24 19:21 UTC] divinity76 at gmail dot com 
@ a at b dot c dot de

quote > Meanwhile, FILTER_FLAG_HOSTNAME rejects domains with legal hyphens:

- actually, when filter_var is user properly, it allows those domains (FILTER_FLAG_HOSTNAME goes as the third argument, don't xor it into the 2nd argument)

var_dump(
 // A hyphen with a well-known story behind it
 filter_var('experts-exchange.com',
            FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME),
 // Punycode (Greek test TLD)
 filter_var('xn--jxalpdlp',
            FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)
);



returns bool(true) bool(true)
 [2021-04-06 15:23 UTC] cmb@php.net
-Status: Verified +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2021-04-06 15:23 UTC] cmb@php.net 
FILTER_VALIDATE_DOMAIN without FILTER_FLAG_HOSTNAME works as
documented[1]; the fact that it's most useless, doesn't make it a
bug.

If you want the behavior to change, please pursue the RFC
process[2].

[1] <https://www.php.net/manual/en/filter.filters.validate.php>
[2] <https://wiki.php.net/rfc/howto>
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Oct 27 10:00:01 2025 UTC