My URL path:
https://mypage/main.php?dir=farm/1234_animal_fred+sam_cats
I am requesting the data with the GET method:
$dir = $_GET['dir'];
echo $dir;
But my result is
farm/1234_animal_fred sam_cats
Asked
Active
Viewed 42 times
0
peace_love
- 6,229
- 11
- 69
- 157
-
4don't use `+` in your url but `%2B` instead; https://mypage/main.php?dir=farm/1234_animal_fred%2Bsam_cats – Unex Apr 13 '16 at 16:13
-
Ok, thank you very much! – peace_love Apr 13 '16 at 16:19
-
How is the `1234_animal_fred+sam_cats` part produced in the first place? – Mike Apr 13 '16 at 16:27
-
@Mike Well it is from a database of millions of file paths, so I do not have influence on the path name – peace_love Apr 13 '16 at 16:30
-
Please set the question as done, or delete it or close it. – Unex Apr 13 '16 at 16:36
-
@Unex But I am still in a discussion with some users. – peace_love Apr 13 '16 at 16:37
-
The reason I ask is that there might be some other characters in there that don't do what you think when passing them in a URL. Just encode the file path part of the URL using `urlencode`. Don't encode the whole URL as Wolf Vos's answer suggests because it won't work. – Mike Apr 13 '16 at 16:46
-
@Mike Yes, there might be more characters that will cause problems. I will give it a try – peace_love Apr 13 '16 at 16:49
3 Answers
2
Even though Unex's answer is right in this particular case, I am unsure if he would be missing other characters that may be in your DB that could cause something to fail, or worse yet, open you up to an XSS vulnerability. So instead of making it work in this one single case by doing:
$url = str_replace('+', '%2B', $url);
You want to instead make it work for all cases. So assuming you have the following from your database:
$file_path = 'farm/1234_animal_fred+sam_cats';
To make this work correctly as part of a URL you need to do urlencode(), however from this answer you will notice that it's not enough to protect you from XSS attacks. You therefore also need to use htmlspecialchars() on the string:
$url = 'https://mypage/main.php?dir=';
$file_path = 'farm/1234_animal_fred+sam_cats';
$url .= htmlspecialchars(urlencode($file_path));
echo $url; // https://mypage/main.php?dir=farm%2F1234_animal_fred%2Bsam_cats
And when going to this URL you can see that PHP gets the correct value:
print_r($_GET) output:
Array
(
[dir] => farm/1234_animal_fred+sam_cats
)
1
don't use + in your url but %2B instead;
This is the result :
https://mypage/main.php?dir=farm/1234_animal_fred%2Bsam_cats
hope this helped,
Unex
- 1,747
- 13
- 17
-2
You should always use rawurlencode($url) to encode your urls.
http://php.net/manual/en/function.rawurlencode.php
Credits go to commenters, sorry guys I was to quick to respond.
Wolf Vos
- 177
- 1
- 8
-
1No! You _can not_ encode a URL with that function! The function allows to encode strings such that they can be used _inside_ a URL. That is a _huge_ difference! – arkascha Apr 13 '16 at 16:19
-
2
-
@arkascha So it is just totally impossible to use `+` inside the URL? – peace_love Apr 13 '16 at 16:20
-
@Jarla Certainly a `+` can be used inside a URL, but it has a special meaning. Just as a `/` for example. If you want to place the _literal character `+`_ inside a URL, then you have to encode it. – arkascha Apr 13 '16 at 16:21
-
It is possible, use [rawurlencode](http://php.net/manual/en/function.rawurlencode.php), as suggested by @Mike in the main thread, and you'll be fine. – Eihwaz Apr 13 '16 at 16:21
-
@Eihwaz: If I understood you right I just write `echo rawurlencode($dir);` and the result will be `farm/1234_animal_fred+sam_cats` – peace_love Apr 13 '16 at 16:25
-
Hm, no understood it wrong, I get the result `farm%1234_animal_fred%sam_cats` – peace_love Apr 13 '16 at 16:28
-
@Jarla I guess you have to use rawurldecode($_GET['dir']) to restore the + sign in your code. – Wolf Vos Apr 13 '16 at 16:30
-