I think I'm not the only one facing this question https://github.com/bcit-ci/CodeIgniter/issues/3118 .
The method valid_url() in Form_validation library allow users to bypass any string instead of check whether is a valid url or not. As the opposite of function's name say it doesn't work as expected if the intention is to validate an url.
I don't consider it's a bug but maybe a misbehaviour of this method.
Imagine that you have a form with an input field named txt_url for users to fill in with an URL value, if the user type any string like asdfasdf the method valid_url(), should IMHO, check whether the user input is a valid URL format or not. As what I expected. But what it actually does is to get any input string prepend a scheme and pass its value through filter_val() function which will always evaluate to true.
I tested it out using the following code.
Controller:
$this->form_validation->set_rules('txt_url', 'Url', 'trim|required|valid_url');
View:
<input type="text" name="txt_url" value="asdfasdf">
In my concept per RFC 2396 a valid URL should be:
<scheme name> : <hierarchical part> [ ? <query> ] [ # <fragment> ]
The method's behaviour that I expected is the same as valid_email() but acting with URL values instead.
I think this method should be refactored and return a bool whether a given string is a well-formed URL, it could use a different pattern to check a given str format or maybe just return the built-in function filter_var e.g:
public function valid_url($str)
{
return (filter_var($str, FILTER_VALIDATE_URL) !== FALSE);
}
Anyway I'm able to refactor if if it's necessary but I'd like to hear from you guys if my thoughts makes any sense.
# echo '127.0.0.1 asdfasdf' >> /etc/hosts # echo 'test' > /var/www/html/index.html # wget asdfasdf --2015-01-14 01:29:10-- http://asdfasdf/ Resolving asdfasdf (asdfasdf)... 127.0.0.1 Connecting to asdfasdf (asdfasdf)|127.0.0.1|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 5 [text/html] Saving to: ‘index.html’ 100%[====================================================================================================================================================================================================>] 5 --.-K/s in 0s 2015-01-14 01:29:10 (523 KB/s) - ‘index.html’ saved [5/5] # cat index.html test
Is this issue really Fixed ?
I am still seeing this issue.. It is not validating the url, it gets passed if i give any thing (Eg: Rahul)
It't not "fixed", because it's not broken.
My previous comment was supposed to show that "asdfasdf" is a perfectly valid domain name and thus a valid URL too. I know it sounds strange and impractical, but it is what it is.
Hi @narfbg
Yes that's true
But don't you think we must have a new validator for URL format validation. Some thing more smart ?
@narfbg could you please explain to me how asdfasdf is a perfectly valid domain name ?
In your example you added asdfasdf to your hosts file but the address you queried was http://asdfasdf/ which would be a valid URL however asdfasdf alone is not a valid URL.
Any valid hostname is by itself a valid domain name.
Any valid domain name is by itself a valid URL.
I didn't query http://asdfasdf/, I queried asdfasdf.
wget converted asdfasdf to http://asdfasdf/ because of those 2 reasons.
Still, using wget was just an example. ping, host, nslookup, etc. - anything working with hostnames will accept that input.
If you disagree that this demonstrates how it is valid, then you must also disagree that google.com is a valid URL and you must argue that a protocol prefix should be required. If that is the case - we'll have to agree to disagree.
@fatjoe-jack at the first moment I disagreed with @narfbg about a valid hostname asdfasdf but I notice as per RFC 2396 this might be correct, for certain cases in your application the input URL as asdfasdf is totally invalid, in that case the solution I've found was to create a custom validation to handle it.
Btw, I'm not ruling out the possibility of another function/rule with more aggressive requirements. I'm just saying there's nothing wrong with valid_url as it is ...
The asdfasdf as an example may seem arbitrary, but it is technically valid and not everything is really accepted.
I don't know, maybe something like valid_human_url ¯_(ツ)_/¯
Most helpful comment
@narfbg could you please explain to me how
asdfasdfis a perfectly valid domain name ?In your example you added
asdfasdfto your hosts file but the address you queried washttp://asdfasdf/which would be a valid URL howeverasdfasdfalone is not a valid URL.