|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65141 filter_var() validates URL with two http:// as valid
Submitted: 2013-06-27 03:39 UTC Modified: 2013-07-02 08:21 UTC
Avg. Score:3.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: demtheman at yahoo dot com Assigned:
Status: Not a bug Package: URL related
PHP Version: 5.3.26 OS: Windows 7 64-bit
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: demtheman at yahoo dot com
New email:
PHP Version: OS:


 [2013-06-27 03:39 UTC] demtheman at yahoo dot com
I used filter_var() to validate the URL http:// (as test 
URL), however it seems to see it as valid which in fact is wrong. Refer to my SO 

Test script:
$website = "http://";

echo filter_var($website, FILTER_VALIDATE_URL);

Expected result:
The filter_var() should return FALSE.

Actual result:
The filter_var() returns the filtered data.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2013-06-27 20:56 UTC] cmbecker69 at gmx dot de
According to RFC 2396 Appendix A the example URI doesn't seem to be valid, 
even if it passes the regular expression given in Appendix B.

However, filter_var($var, FILTER_VALIDATE_URL) is based on parse_url().
parse_url('http://') evaluates to:
    [scheme] => http
    [host] => http
    [path] => //
This is apparently wrong in this case according to RFC 2396; neither an abs_path 
nor a rel_path must start with a double slash.
 [2013-06-28 21:02 UTC] cmbecker69 at gmx dot de
As Thomas Lahn pointed out in comp.lang.php
the mentioned URI (there was used a slightly different URI, 
but that doesn't matter in this case, as the productions can be adapted)
is actually valid according to RFC 2396.
 [2013-07-02 08:21 UTC]
-Status: Open +Status: Not a bug
 [2013-07-02 08:21 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

Here's the RFC

Quick BNF evaluation

	scheme http
					hostport http:

				segment /

That's pretty matchin with the RFC.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Jun 22 12:01:30 2024 UTC