Consider the use of rawurldecode() on $_GET and $_REQUEST instead of urldecode()

14 years ago by tigger.on@gmail.com — view source — reply

unread

Current the following string (inside the quotes) "give me a + plz"
should be encoded correctly to "give%20me%20a%20+%20plz" when passed
as a query string.

Now when the query string is presented with $_GET['x'], the result is
"give me a plz". Clearly wrong.

This leads to people (I'm sure I'm not the only one) using crazy hacks
to get something as simple as a query string var.

rawurlencode('give me a + plz') will produce "give%20me%20a%20%2B%20plz"
which is not "give%20me%20a%20+%20plz", but does not 'drop' the "+" when
someone types in the query string.

The following code can be used to show the error (lines may wrap):

<?php

$str = 'give me a + plz';

echo '

<a href="'.$_SERVER['SCRIPT_NAME'].'?qs='.$str.'">As typed by someone</a> 
<a href="'.$_SERVER['SCRIPT_NAME'].'?qs='.urlencode($str).'">With
urlencode()</a> 
<a href="'.$_SERVER['SCRIPT_NAME'].'?qs='.rawurlencode($str).'">With
rawurlencode()</a> 
';

if ($_GET['qs']) {
    echo '<p>Results:<br />

'.$_SERVER['QUERY_STRING'].' < $_SERVER[QUERY_STRING] 
'.$_GET['qs'].' < $_GET[qs] 
'.urldecode($_SERVER['QUERY_STRING']).' <
urldecode($_SERVER[QUERY_STRING]) 
'.rawurldecode($_SERVER['QUERY_STRING']).' <
rawurldecode($_SERVER[QUERY_STRING])

'; // code to break up the query string because _GET[] is not // correct - NOT 100% reliable as well!! $tmp = explode('&',$_SERVER['QUERY_STRING']); foreach($tmp as $q) { $qs = explode('=',$q); for($i = 0; $i < count($qs) ; $i++) { $real_GET[$qs[$i]] = rawurldecode($qs[++$i]); } } // foreach

    echo '<p>

What was really passed?? Impossible to tell for sure but less likely to
be what _GET has: '.$real_GET['qs'].'

';

} // _GET[qs]