How to get a hostname from a URL in PHP

Getting the hostname from a URL in PHP is useful when application code needs to compare callback targets, group outbound requests by domain, or hand the network destination to later DNS and policy checks without the username, port, path, query string, or fragment.

In PHP, parse_url() splits a URL into components and PHP_URL_HOST returns only the host portion from the URL authority. That keeps the extraction step centered on the network endpoint instead of manually trimming the original string or indexing the full parsed array when only the host matters.

Host extraction still depends on the input shape. Absolute URLs such as https://billing-api.example.net/v1/callback and network-path references such as //edge-api.example.net/v1/callback expose a host, while portal.example.net/callback is parsed as a path instead. parse_url() does not validate URLs, FILTER_VALIDATE_URL only accepts ASCII URLs and can still accept hostless schemes such as mailto:, and Unicode hostnames should be normalized with idn_to_ascii() when downstream DNS, certificate, or allowlist checks expect IDNA ASCII.

1. Store the URL in a variable and prefer an absolute URL or network-path reference when a host must be present.

   $url = 'https://svc-user:token@Api-Edge01.Example.net:8443/app?from=portal';

   A leading // also exposes a host component, but portal.example.net/callback is parsed as a path and returns no hostname.

2. Call parse_url() with PHP_URL_HOST and fail fast when the URL is malformed or has no host component.

   $hostname = parse_url($url, PHP_URL_HOST);
    
   if ($hostname === false || $hostname === null) {
       throw new InvalidArgumentException('Hostname could not be determined from the URL.');
   }
    
   echo $hostname, PHP_EOL;

   Api-Edge01.Example.net

   The returned host excludes the username, password, port, path, query string, and fragment. null usually means the parsed value had no host component, while false indicates a malformed URL such as http://.

3. Lowercase the extracted hostname before case-insensitive comparisons or allowlist checks.

   $hostname = parse_url($url, PHP_URL_HOST);
    
   if ($hostname === false || $hostname === null) {
       throw new InvalidArgumentException('Hostname could not be determined from the URL.');
   }
    
   $hostname = strtolower($hostname);
    
   echo $hostname, PHP_EOL;

   api-edge01.example.net

   parse_url() preserves the host text it parsed. Lowercasing keeps hostname comparisons and storage consistent when ASCII output is expected.

4. Convert Unicode hostnames to IDNA ASCII when DNS lookups, certificates, or stored allowlists expect the punycode form.

   $url = 'https://büro.example/path';
    
   $hostname = parse_url($url, PHP_URL_HOST);
    
   if ($hostname === false || $hostname === null) {
       throw new InvalidArgumentException('Hostname could not be determined from the URL.');
   }
    
   if (!function_exists('idn_to_ascii')) {
       throw new RuntimeException('The intl extension is required for IDNA hostname normalization.');
   }
    
   $asciiHostname = idn_to_ascii($hostname);
    
   if ($asciiHostname === false) {
       throw new RuntimeException('The hostname could not be converted to IDNA ASCII.');
   }
    
   echo $asciiHostname, PHP_EOL;

   xn--bro-hoa.example

   idn_to_ascii() requires the intl extension and lowercases the converted result. Keep the Unicode form only for display when that is the preferred presentation.

5. Validate untrusted input as an absolute URL and enforce the allowed schemes and host presence explicitly.

   $url = $_POST['target_url'] ?? '';
    
   if (filter_var($url, FILTER_VALIDATE_URL) === false) {
       throw new InvalidArgumentException('A valid absolute URL is required.');
   }
    
   $parts = parse_url($url);
    
   if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
       throw new InvalidArgumentException('The URL does not contain a network hostname.');
   }
    
   if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
       throw new InvalidArgumentException('Only HTTP and HTTPS URLs are allowed.');
   }
    
   echo strtolower($parts['host']), PHP_EOL;

   api-edge01.example.net

   FILTER_VALIDATE_URL accepts hostless schemes such as mailto:alerts@example.net and rejects Internationalized Domain Names written in Unicode. Keep explicit scheme checks, require a host separately, and normalize Unicode hostnames before downstream comparisons when they must be accepted.

6. Run a one-liner with a full URL and confirm that only the normalized hostname is returned.

   $ php -r '$u = "https://svc-user:token@Api-Edge01.Example.net:8443/app"; $h = parse_url($u, PHP_URL_HOST); if ($h === false || $h === null) { fwrite(STDERR, "Hostname could not be determined\n"); exit(1); } echo strtolower($h), PHP_EOL;'
   api-edge01.example.net

   The one-liner works as a quick verification pattern for test fixtures, shell debugging, or small CLI helpers that only need the hostname.