I've working on a project and in this project i need to check the user input is a valid URL.
I've made a preg_match for all possible characters used on a URL. However, I'm trying to make it show an error if HTTP:// / HTTPS:// is not in front of the URL.
Here is what I've done.
if(preg_match('/[^0-9a-zA-Z.\-\/:?&=#%_]/', $url) || substr($url, 0, 7) != "http://" || substr($url, 0, 8) != "https://") {
But that doesn't work. It keeps giving me the an OK message. I'm not sure what I'm doing wrong here, I hope I can get some help!
The if statement will return true or false. So
if(preg_match('/[^0-9a-zA-Z.\-\/:?&=#%_]/', $url) || substr($url, 0, 7) != "http://" || substr($url, 0, 8) != "https://") {
echo "true";
} else {
echo "false";
}
I just need to check if the url has entered a valid url. I don't need to verify it. Just need to check if it has HTTP:// or HTTPS:// and contains valid URL characters.
Instead of a regex, you could make things easy on yourself and use the URL filtering in filter_var:
if (filter_var($url, FILTER_VALIDATE_URL)) { ...
Alternately you can do this without regex. Though you do also need to validate the url imagine http://">bla</a><script>alert('XSS');</script> as the value passed as there url
<?php
$url = 'http://example.com';
if(in_array(parse_url($url, PHP_URL_SCHEME),array('http','https'))){
if (filter_var($url, FILTER_VALIDATE_URL) !== false) {
//valid url
}else{
//not valid url
}
}else{
//no http or https
}
?>
parse_url()
filter_var()
You've not shown your complete relevant code. So, not sure, why it is not working for you but for url validation, you can check for a detailed discussion on the thread link below:
PHP validation/regex for URL
To validate user input with website url it is good to allow with or without scheme and with or without www, then in view add scheme to set as external url.
$withWww = 'www.' . str_replace(array('www.'), '', $value);
$withScheme = 'http://' . str_replace(array('http://', 'htttps://'), '', $withWww);
$headers = #get_headers($withScheme);
if (strpos($headers[0], '200') === false) {
return false;
}
Related
I try to do some basic validation. I want to make submitting links impossible.
I wrote some code that works semi fine.
It doesn't work if http:// or https:// at the begining of the input
if(((stripos($message, "http://")) || (stripos($message, "https://"))) !== false)
{
echo"Link is Here";
}
else
{
echo"Link is NOT Here";
}
Is there are way to fix this problem. I use function stripos because I have to make sure http:// and https:// is case insensitive so I'm ok with all kind of trays like for example HTTP:// or hTTps://
This has to do with your if statement. Change it to this:
if(stripos($message, "http://") !== false || stripos($message, "https://") !== false)
{
echo "Link is here";
}
else
{
echo "Link is NOT here";
}
I have a form to accept URL inputs.
I want the URL in following format whatever format the input may be in.
https://www.example.com
So if anyone enters below links I want to convert them to above format
example.com
http://example.com
https://example.com
http://www.example.com
If they input in correct format no need to change the URL.
Below is what I tried but could not succeed.
//append https:// and www to URL if not present
if (!preg_match("~^(?:f|ht)tps?://~i", $url0) OR strpos($url0, "www") == false) {
if ((strpos($url0, "http://") == false) OR (strpos($url0, "https://") == false) AND strpos($url0, "www") == false ){
$url0 = "https://www." . $url0;
}
else if (strpos($url0, "www") != false ){
}
else {
$url0 = "https://" . $url0;
}
}
You can try a regex like this
$str = preg_replace('~^(?:\w+://)?(?:www\.)?~', "https://www.", $str);
It will replace any protocol and/or www. with https://www. or add if none is present.
^ matches start of the string, (?: starts a non capture group.
(?:\w+://)? optional protocol (\w+ matches one or more word characters [A-Za-z0-9_])
(?:www\.)? optional literal www.
See demo and more explanation at regex101
You can use the parse_url function to check out the formatting of the URL:
<?php
$url = parse_url($url0);
// When https is not set, enforce it
if (!array_key_exists('scheme', $url) || $url['scheme'] !== 'https') {
$scheme = 'https';
} else {
$scheme = $url['scheme'];
}
// When www. prefix is not set, enforce it
if (substr($url['host'], 0, 4) !== 'www.') {
$host = 'www.' . $url['host'];
} else {
$host = $url['host'];
}
// Then set/echo this in your desired format
echo sprintf('%s://%s', $scheme, $host);
This should save you (and anyone having to work on this script in the future) some regex headaches and also keeps the code more readable.
I wonder what would be the best way in php to check if provided url is valid... At first I tried with:
filter_var($url, FILTER_VALIDATE_URL) === false
But it does not accept www.example.com (without protocol). So I tried with a simple modification:
protected function checkReferrerUrl($url) {
if(strpos($url, '://') == false) {
$url = "http://".$url;
}
if(filter_var($url, FILTER_VALIDATE_URL) === false) {
return false;
}
return true;
}
Now it works fine with www.example.com but also accepts simple foo as it converts to http://foo. However though this is not a valid public url I think... so what would you suggest? Go back to traditional regexp?
I recommend, that you do not use filter_var with type URL.
There are much more side-effects.
For example, these are valid URLs according to filter_var:
http://example.com/"><script>alert(document.cookie)</script>
http://example.ee/sdsf"f
Additionally FILTER_VALIDATE_URL does not support internationalized domain names (IDN).
I recommend using a regex combined with some ifs afterwards (f.e. for the domain) for security reasons.
Without the security aspect I am using parse_url to take my parts. But this function has a similar issue, when the scheme (no http/https) is missing.
Use this
<?php
$url = 'www.example.com';
if(validateURL($url)){
echo "Valid";
}else{
echo "invalid";
}
function validateURL($URL) {
$pattern_1 = "/^(http|https|ftp):\/\/(([A-Z0-9][A-Z0-9_-]*)(\.[A-Z0-9][A-Z0-9_-]*)+.(com|org|net|dk|at|us|tv|info|uk|co.uk|biz|se)$)(:(\d+))?\/?/i";
$pattern_2 = "/^(www)((\.[A-Z0-9][A-Z0-9_-]*)+.(com|org|net|dk|at|us|tv|info|uk|co.uk|biz|se)$)(:(\d+))?\/?/i";
if(preg_match($pattern_1, $URL) || preg_match($pattern_2, $URL)){
return true;
} else{
return false;
}
}
?>
Try this one too
<?php
// Assign URL to $URL variable
$url = 'http://example.com';
// Check url using preg_match
if (preg_match("/^(https?:\/\/+[\w\-]+\.[\w\-]+)/i",$url)){
echo "Valid";
}else{
echo "invalid";
}
?>
I want to everyone can enter a url or domain to database but i want to filter that domain or url with path that real can't come to hack myself so is my code correct?
<?php
$url = $_GET['url'];
if (!filter_var($url, FILTER_VALIDATE_URL)) {
echo '*error*';
exit;
}
?>
This is I want [Y]: http://google.com
This is I want [Y]: http://google.com/index.php
This is I want [Y]: https://google.com
This is I want [Y]: https://google.com/index.php
This is I don't want [N]: google.com
This is I don't want [N]: google.com/index.php
Thank everyone.
It will work but it is not a good idea:
http://www.d-mueller.de/blog/why-url-validation-with-filter_var-might-not-be-a-good-idea/
Summary:
There are security issues with this function like XSS (Cross Site Scripting) Attacks which could harm people who visit your site (including yourself). It accepts urls like script alert(123);
Here is a workaround from the website, not perfekt but better then plain filter_var:
function validate_url($url)
{
$url = trim($url);
return ((strpos($url, "http://") === 0 || strpos($url, "https://") === 0) &&
filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED | FILTER_FLAG_HOST_REQUIRED) !== false);
}
So here is what I need to do.
If an user enters this: http://site.com I need to remove http:// so the string will be site.com , if an user enters http://www.site.com I need to remove http://www. or if the user enters www.site.com I need to remove www. or he can also enter site.com it will be good as well.
I have a function here, but doesn't work how I want to, and I suck at regex.
preg_match('|^http(s)?://[a-z0-9-]+(.[a-z0-9-]+)*(:[0-9]+)?(/.*)?$|i', $_POST['link'])
Use filter_var() instead.
if (filter_var($_POST['link'], FILTER_VALIDATE_URL)) {
// valid URL
} else {
// not valid
}
There is also parse_url function.
I don't think I'd use regex for this, since you're only really checking for what is at the beginning of the string. So:
$link = $_POST['link'];
if (stripos($link, 'http://') === 0)
{
$link = substr($link, 7);
}
elseif (stripos($link, 'https://') === 0)
{
$link = substr($link, 8);
}
if (stripos($link, 'www.') === 0)
{
$link = substr($link, 4);
}
should take care of it.
i always go with str_replace haha
str_replace('http://','',str_replace('www.','',$url))
I think what you're looking for is a multi-stage preg_replace():
$tmp = strtolower($_POST['link']) ;
$tmp = preg_replace('/^http(s)?/', '', $tmp);
$domain = preg_replace('/^www./', '', $tmp) ;
This simplifies the required regex quite a bit too.