Bug #65141 filter_var() validates URL with two http:// as valid
Submitted: 2013-06-27 03:39 UTC Modified: 2013-07-02 08:21 UTC
Votes:2
Avg. Score:3.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: demtheman at yahoo dot com Assigned:
Status: Not a bug Package: URL related
PHP Version: 5.3.26 OS: Windows 7 64-bit
Private report: No CVE-ID: None
 [2013-06-27 03:39 UTC] demtheman at yahoo dot com
Description:
------------
I used filter_var() to validate the URL http://http://www.google.com (as a test
URL); however, it seems to see it as valid, which in fact is wrong. Refer to my SO
question http://stackoverflow.com/questions/17333612/filter-var-accepts-invalid-url

Test script:
---------------
<?php
$website = "http://http://www.google.com";

// Prints the URL unchanged when the filter accepts it; prints nothing on FALSE.
echo filter_var($website, FILTER_VALIDATE_URL);

Expected result:
----------------
The filter_var() should return FALSE.

Actual result:
--------------
The filter_var() returns the filtered data.

 [2013-06-27 20:56 UTC] cmbecker69 at gmx dot de
According to RFC 2396 Appendix A the example URI doesn't seem to be valid, 
even if it passes the regular expression given in Appendix B.

However, filter_var($var, FILTER_VALIDATE_URL) is based on parse_url().
parse_url('http://http://example.com') evaluates to:
Array
(
    [scheme] => http
    [host] => http
    [path] => //example.com
)
This is apparently wrong in this case according to RFC 2396; neither an abs_path 
nor a rel_path must start with a double slash.

 [2013-06-28 21:02 UTC] cmbecker69 at gmx dot de
As Thomas Lahn pointed out in comp.lang.php
(<7348494.GbytuHRu9D@PointedEars.de>),
the mentioned URI (a slightly different URI was used there,
but that doesn't matter in this case, as the productions can be adapted)
is actually valid according to RFC 2396.
 [2013-07-02 08:21 UTC] ab@php.net
-Status: Open +Status: Not a bug
 [2013-07-02 08:21 UTC] ab@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Here's the RFC http://www.ietf.org/rfc/rfc2396.txt

Quick BNF evaluation

absoluteURI
	scheme http
	:
	hier_part
		net_path
			//
			authority
				server
					hostport http:

			abs_path
				/
				segment
				segment /www.google.com

That's pretty matching with the RFC.
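
The thread settles on FILTER_VALIDATE_URL being a syntax check against RFC 2396, so code that wants to refuse inputs like http://http://www.google.com has to apply its own policy to the parse_url() components. The following is an added example, not code from the bug report or the PHP project; the helper name url_policy_violation(), its rules and the sample list are assumptions for illustration, and it assumes PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of PHP or the bug report).
 * Returns null when the URL passes, otherwise the reason it was rejected.
 */
function url_policy_violation(string $url, array $schemes = ['http', 'https']): ?string
{
    // 1. Syntax only: per the report, this step accepts
    //    "http://http://www.google.com".
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return 'not a syntactically valid URL';
    }

    // 2. Look at the components the application will actually act on.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'missing scheme or host';
    }
    if (!in_array(strtolower($parts['scheme']), $schemes, true)) {
        return 'scheme not on the allow-list';
    }

    // 3. Policy choice (stricter than the RFC): a path starting with "//"
    //    is what a doubled scheme turns into after parsing, so refuse it.
    if (isset($parts['path']) && strncmp($parts['path'], '//', 2) === 0) {
        return 'path starts with "//" (host parsed as "' . $parts['host'] . '")';
    }
    return null;
}

// Constructed sample inputs; the first is the URL from the report.
$samples = [
    'http://http://www.google.com',
    'http://www.google.com/',
    'ftp://www.google.com/file',
];
foreach ($samples as $url) {
    $reason = url_policy_violation($url);
    printf("%-32s %s\n", $url, $reason === null ? 'accepted' : "rejected: $reason");
}
```

Rule 3 also rejects RFC-valid URLs whose path legitimately begins with an empty segment, so it belongs in application policy rather than in a general-purpose validator.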
 
Last updated: Thu Nov 21 13:01:29 2024 UTC