Validate that a given URL path is valid

Question

How can I consider the following string as an invalid URL path because it actually contains a hostname and not represents a valid path:

/<>//google.com

By using the following regex validation code:

preg_match(""/(?:[\w-]+\.)+[\w-]+/"", $url, $matches);

I currently receive true for both: /<>//google.com and /3.2/

while "/3.2/" is a legit URL path and not a domain name

@DanielA.White are you familiar with a good library API to validate it? — Yair Nevet, Mar 23 '20 at 15:46
To be fair, `google.com` *could* be part of a valid path, technically... there's nothing to stop you from having something like `www.mysite.com/sitemap/for/google.com` if you wanted. — CD001, Mar 23 '20 at 15:47
let's take the following scenario: www.domain.com/google.com - How can I determine that google.com is not a "valid" path — Yair Nevet, Mar 23 '20 at 15:49
The problem is that `www.domain.com/google.com` *could* be a valid URL (technically), so you'd need to cobble together something that parses the path component and rejects specific things; what *is* is about the string `google.com` that would make a path invalid but **not** `google.html` (for instance) or `google.womble` ? Technically they'd all be fine. — CD001, Mar 23 '20 at 15:53
you should use [parse_url](https://www.php.net/manual/en/function.parse-url.php) — drussey, Mar 23 '20 at 16:00
@drussey `parse_url` returns path part only: `/<>//google.com` which is not ok — Yair Nevet, Mar 23 '20 at 16:08
@CD001 Wouldn't it make sense to count how many consequences forward-slashes there are? `/<>//google.com` contains more than 2 consequences forward-slashes — Yair Nevet, Mar 23 '20 at 16:48

score 0 · Answer 1 · answered Mar 23 '20 at 18:22

Perhaps you can use FILTER_VALIDATE_URL and pass the FILTER_FLAG_PATH_REQUIRED flag as well.

filter_var('http://host.com/path', FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED);

https://www.php.net/manual/en/filter.filters.validate.php

https://www.php.net/manual/en/intro.filter.php

Kenan Güler · Answer 2 · 2021-10-09T13:25:39.593

Based on the answers here and here, I came up with something like this:

function is_valid_url_path($url_path) {
  return preg_match("#^\/*[a-z0-9+&@=~_|!:,.;-]*\/*(%[0-9]([a-f]|[0-9]]))*/*$#i", $url_path);
}

print is_valid_url_path('/3.2/'); // 1
print is_valid_url_path('//3.2/'); // 1
print is_valid_url_path('/3.2///%3F'); // 1
print is_valid_url_path('/3.2///%3'); // 0
print is_valid_url_path("/<>//google.com"); // 0

Things I've considered within the regex:

Allowed chars: a-z A-Z 0-9 . - _ ~ ! $ & ' ( ) * + , ; = : @
Percent-encoding: DIGIT + (DIGIT | (A|B|C|D|E|F)) (e.g %23, %3B)
A path contain multiple empty segments, e.g. ///hello//world
A path is terminated either with a ?, # or simply by the end of the URI

Also see RFC 3986, Sec. 3.3. Path.

Validate that a given URL path is valid

2 Answers2