is this regular expression bulletproof?

sfullman

want to identify an absolute URL in a passed string, which may be url encoded. Here it is:

'/http(s)*(:|%3A)(\/|%2F){2}([-.%a-z0-9]+)(\/|%2F)/i'

note the %3A for : and %2F for / since the ENTIRE string might be URL encoded. Am I missing anything? I'm not worried about ftp: or other protocols nor username:password@.. prefixes

nrg_alpha

" is this regular expression bulletproof?"

In a nutshell, no.

By example, when looking at this part: http(s)*, the star means zero or more times. So your pattern can in theory match something like httpsssssssssssssssss

Also note that there is no need to use a capture on the s. You could simply use https?, as the ? makes the s optional (zero or one time).

Also note that ([-.%a-z0-9]+) could match stuff like -----....-.-.%%-a-z8097987--.
So again, not quite bulletproof at all.

I would perhaps google some examples on PCRE url regex and see what's out there. Be warned, there are some pretty bad examples as well as good ones I'm sure. Truth be told, it would be pretty damn tricky to do a super thorough pattern that is 'bulletproof', if one even exists at all. There are so many variations and ways of doing this, it's really hard to say for sure what would be the best solution.