PHP function for validating CIDR notation format (ipv4, ipv6)

validate_cidr.php

<?php 

/**
 * Validates the format of a CIDR notation string
 *
 * @param string $cidr
 * @return bool
 */
function validateCidr($cidr)
{
    $parts = explode('/', $cidr);
    if(count($parts) != 2) {
        return false;
    }

    $ip = $parts[0];
    $netmask = $parts[1];

    if (!preg_match("/^\d+$/", $netmask)){
        return false;
    }

    $netmask = intval($parts[1]);

    if($netmask < 0) {
        return false;
    }

    if(filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return $netmask <= 32;
    }

    if(filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
        return $netmask <= 128;
    }

    return false;
}

?>

Good gist, but why the double checking?

  $netmask = $parts[1];
  if (!preg_match("/^\d+$/", $netmask)){
    return false;
  }
  $netmask = intval($parts[1]);
  if ($netmask < 0) {
    return false;
  }

preg_match() will return false if there's anything but digits in $netmask, no? So how are you going to end up with a negative number? Also, would it not be a good idea to include a minimum/maximum length in the regexp for preg_match() 🤔

Just my two cents, as I'm unsure of the intent. I don't know if intval() is an actual function or a language construct, but casting using (int) may be faster.

Also, I think the preg_match regex could be changed to '/^\d{1,3}$/' for further validation.

@joho1968 The integer conversion does appear to be redundant, I believe the check for less than zero was to prevent negative integers from being passed through. Regex can't be good for speed, perhaps you could use some built-ins to check if the netmask is a positive integer?