is a query string with a / in it valid?

Question

Due to a miscommunication with an affiliate partner we're working with the URL they call on our server has been mixed up.

This is the URL they are supposed to call on our server :

 /AAAAAAAA/?b=CCCCCCC

unfotunately it was implemented in their system as this

 ?b=CCCCCCC/AAAAAAA

I can easily parse out the components, but I'm worried that a query string parameter with / in it is not actually a valid URL.

Is a / in a URL actually valid - or should I be concerned. Under what circumstances may an unencoded / cause problems in a query string.

i love how the / got parsed out of the URL for this question :-) — Simon_Weaver, Feb 03 '10 at 09:38

score 12 · Answer 1 · edited May 23 '17 at 11:46

According to RFC 3986: Uniform Resource Identifier (URI): Generic Syntax (from year 2005), yes, / is allowed in the query component. This is the BNF for the query string: (in Appendix A in RFC 3986)

query         = *( pchar / "/" / "?" )
pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

The spec says:

The characters slash ("/") and question mark ("?") may represent data within the query component.
as query components are often used to carry identifying information in the form of "key=value" pairs and one frequently used value is a reference to another URI, it is sometimes better for usability to avoid percent-encoding those characters

Here is a related question: Query string: Can a query string contain a URL that also contains query strings?

This should be the correct answer, because RFC 3986 is the replacement for 2396. — Chris Garrett, Mar 22 '17 at 19:33

score 2 · Accepted Answer · answered Feb 03 '10 at 00:04

2

Although I've never had a problem, they're not technically allowed as per RFC 2396:

Within a query component, the characters ";", "/", "?", ":", "@", "&", "=", "+", ",", and "$" are reserved.

But as I said...I've never run into any issues. I think it's a problem with older browsers more than anything, but maybe someone can shed some more light on a problem this causes?

answered Feb 03 '10 at 00:04

Nick Craver

623,446
136
1,297
1,155

i kinda figured that technically it wasn't allowed (for obvious reasons) but I'd have thought it would pretty much be ok. with that said i'm wondering if some funky thins might occur with proxies, older browsers, security tools etc. – Simon_Weaver Feb 03 '10 at 00:24
@Simon - I have yet to find any ill-effects, but my uses of them are usually very specific, e.g. `Login?ru=Route/SubRoute/Category/45`. – Nick Craver Feb 03 '10 at 00:28
ok so hopefully we're fine for a week. thanks - and amazed someone that is actually using '/' managed to find my question so quickly! – Simon_Weaver Feb 03 '10 at 01:04
link provided is dead, – anvd Nov 26 '18 at 23:21

score 1 · Answer 3 · answered Feb 03 '10 at 00:07

1

Slash is a "reserved character" in the query part of a URL per RFC 2396 section 3.4, so according to section 2.2 it has to be encoded. That is, a query part can contain %2F but shouldn't contain /.

answered Feb 03 '10 at 00:07

hobbs

223,387
19
210
288

but in practice is anything actually going to break? i want to get the URL format fixed but that will take a week for their next build – Simon_Weaver Feb 03 '10 at 00:24
@Simon If anyone knows the answer to that question it's you. – hobbs Feb 03 '10 at 04:01
well it doesn't break for me in chrome or IE8, but maybe it does break for someone using Mosaic 1.0 ? i dunno ;-) – Simon_Weaver Feb 07 '10 at 20:25

is a query string with a / in it valid?

3 Answers3