Title: URL Validator
Last modified: August 22, 2016

---

# URL Validator

 *  Resolved [zimbo000](https://wordpress.org/support/users/zimbo000/)
 * (@zimbo000)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/url-validator/)
 * In testing out the Submit a Listing functionality it is possible to enter an 
   invalid web address such as [http://www.qwerty](http://www.qwerty)
 * This is because function url in form-fields.php does not specify FILTER_FLAG_HOST_REQUIRED
   on line 448 when FILTER_VALIDATE_URL is called.
 * So all the validator is doing is looking for http:// – which very few people 
   non-technical people would know to enter – and people can add a bad web address.
   I’ve added FILTER_FLAG_HOST_REQUIRED but would be interested to know why it’s
   not in the core code i.e. is there a reason it should not be used?
 * [https://wordpress.org/plugins/business-directory-plugin/](https://wordpress.org/plugins/business-directory-plugin/)

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Plugin Author [Business Directory Plugin](https://wordpress.org/support/users/businessdirectoryplugin/)
 * (@businessdirectoryplugin)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/url-validator/#post-5732384)
 * Hi zimbo000,
 * Looks like you found a bug here–our validation isn’t perfect for sure. We just
   check for http to be honest, whether the user inputs anything valid afterward
   is up to them.
 * I’ll submit this as a bug to fix for our next release. Thanks for letting us 
   know.
 *  Thread Starter [zimbo000](https://wordpress.org/support/users/zimbo000/)
 * (@zimbo000)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/url-validator/#post-5732403)
 * OK, glad to help. However, I thought I had it working by adding the PHP modifier
   I mentioned but it seems to have “stopped” in further testing so my suggestion
   may not be correct. I’m not a PHP guru by any means, more of a hacker amending
   plugins to satisfy clients… 🙂
 * I’m sure your developer will be able to sort this out. One additional point on
   the URL validation, given you’re going to have to fix it.
 * My client intends getting local businesses to submit their own listings to the
   directory once live, but they have commented that asking non-technical business
   owners to enter “[http://&#8221](http://&#8221); as part of the input to the 
   website field is something they probably don’t understand. Most folks just think
   of web addresses as “www.qwerty.com”, without the http part.
 * Obviously http is needed in the href when the website address is displayed in
   a listing, but I think a more user friendly input method might be to only ask
   for “www.qwerty.com” and add the http bit within your code/validation. That’s
   what I’ve seen in a few other plugins. Obviously you’d need to check that no-
   one _did_ enter http but that’s a quick verify & strip out if so entered. Just
   a thought.
 * Any ideas when the next release is due?
 *  Plugin Author [Business Directory Plugin](https://wordpress.org/support/users/businessdirectoryplugin/)
 * (@businessdirectoryplugin)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/url-validator/#post-5732417)
 * I spoke with my developer about this in more detail. Here’s what he said:
 * > It’s true our URL validation (or any URL validation for that matter) is not
   > perfect but it is not true that we only check for “http” when validating URLs.
   > That’s what the validation error message says most of the time but just so 
   > you don’t forget to enter the scheme. That doesn’t mean that’s the only thing
   > we look for when validating input.
   > We use PHP’s built-in filter_var() function for URL validation. According to
   > PHP’s documentation this function validates the URL in conformance with the
   > URI syntax spec from the official “RFC 2396 – Uniform Resource Identifiers (
   > URI): Generic Syntax” document. It doesn’t work for all cases but it’s probably
   > better than anything we can hand-roll.
   > The client suggests using FILTER_FLAG_HOST_REQUIRED but that’s not a valid 
   > flag on modern versions of PHP (5.5+). It might make a difference in older 
   > PHP setups but adding it to our code would be an error and only valid for a
   > short time longer (with only certain PHP setups). What that flag used to do
   > is now assumed to be the default behavior for filter_var when validating URLs.
   > While his example is not incorrect in terms of the URL being accessible ([http://www.qwerty](http://www.qwerty)
   > probably doesn’t exist but [http://www.qwerty.com](http://www.qwerty.com) does)
   > it’s not the entire story because [http://www.qwerty](http://www.qwerty) is
   > still a valid URL in the sense that the grammar of an URL is still properly
   > formed here. TLDs are constantly being added and it could also refer to a local
   > network hostname. Using this stricter validation will start to break some URLs,
   > depending on which ones the user enters.
   > With the exception of actually trying to contact or ping the URL when validating,
   > the best you can do is check if the syntax is correct. That’s what we do today.
 * So with that in mind, the URL validation probably won’t be changing after all.
   It may not protect against every invalid URLs, but adding the behavior to find
   only valid ones that resolve on the internet would be potentially expensive and
   flaky (what happens when a DNS node goes down and someone types Google.com in
   and it fails to validate? Do you want to prevent the user from submitting then?)
 * In this case, we’re going for the most common use case which is to validate the
   presence of a properly formed URL. It’s true they can flub that, but in reality,
   most users won’t (we haven’t seen in that in sites and I don’t get complaints
   about invalid user input on this field).
 * Since we’re relying on the behavior of filter_var, if they require [http://](https://wordpress.org/support/topic/url-validator/?output_format=md),
   we can’t prevent that per se but we can look to automatically add it if it’s 
   missing.
 *  Thread Starter [zimbo000](https://wordpress.org/support/users/zimbo000/)
 * (@zimbo000)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/url-validator/#post-5732441)
 * OK, understood, thanks for the detailed reply.
 *  Plugin Author [Business Directory Plugin](https://wordpress.org/support/users/businessdirectoryplugin/)
 * (@businessdirectoryplugin)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/url-validator/#post-5732454)
 * No problem. Please let me know if you have any other questions or issues!

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘URL Validator’ is closed to new replies.

 * ![](https://ps.w.org/business-directory-plugin/assets/icon-256x256.png?rev=2901888)
 * [Business Directory Plugin - Easy Listing Directories for WordPress](https://wordpress.org/plugins/business-directory-plugin/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/business-directory-plugin/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/business-directory-plugin/)
 * [Active Topics](https://wordpress.org/support/plugin/business-directory-plugin/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/business-directory-plugin/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/business-directory-plugin/reviews/)

 * 5 replies
 * 2 participants
 * Last reply from: [Business Directory Plugin](https://wordpress.org/support/users/businessdirectoryplugin/)
 * Last activity: [11 years, 4 months ago](https://wordpress.org/support/topic/url-validator/#post-5732454)
 * Status: resolved