php preg_match, not working for validating URL's

Question

Ihave a PHP preg_match regex which is :

#^(http:\/\/|https:\/\/|www\.|//)*(([A-Z0-9][A-Z0-9_-]*)(\.[A-Z0-9][A-Z0-9_-]*)+)(:(\d{1,5}))?([A-Z0-9_-]|\.|\/|\?|\#|=|&|%)*$#i

The problem is when I try to match any URL ending with .com&& , it returns true, but as expected it should return false, what could be possibly wrong with it?

I am using it as:

    function isValidURL($url) {
        if (preg_match("#^(http:\/\/|https:\/\/|www\.|//)*(([A-Z0-9][A-Z0-9_-]*)(\.[A-Z0-9][A-Z0-9_-]*)+)(:(\d{1,5}))?([A-Z0-9_-]|\.|\/|\?|\#|=|&|%)*$#i", $url)) {
            return true;
        }else{
            return false;
        }
    }

and accessing it as:

$URL = $_GET['url'];
echo var_dump(isValidURL($URL));

Now if I open the page as /url.php?url=http://www.google.com it returns true, if I open page as /url.php?url=http://www.google.com** it returns false. If I open the page as /url.php?url=http://www.google.com&& it returns true but it should return false as .com&& is not a valid TLD.

Answer 1

Your bit here at the end...

([A-Z0-9_-]|\.|\/|\?|\#|=|&|%)*

is what's matching the ampersands. What you probably want to do is require a prefixed question mark if there's a query string:

(\?([A-Z0-9_-]|\.|\/|\?|\#|=|&|%)*)?

However, there's a better way to do this in PHP 5.2+:

var_dump(filter_var('http://example.com', FILTER_VALIDATE_URL));

http://www.php.net/manual/en/filter.filters.validate.php