2

I have an application that stores information about a person in a database, but when I try to use the URL to GET a user based on their email address, users with a + in their email cannot be found.

Example URL that returns person:

https://www.someURL.com/api/people/johnsmith@someemail.com

Example URL that does not return person (returns null):

https://www.someURL.com/api/people/jane+doe@someemail.com

Both emails are in the database as written in the URL, so it does not appear to be a typo issue, and I am using Postman to test the GET method. Why am I not able to find them, and how can I make it so that they can be found even with the + character?

Working postman request

NOT working postman request

When I search with id I am able to find the person so I know the person exists.

Verification that person exists

Drummerman921
  • Do you have logic in your back end to prevent SQL injection? Is that logic stripping the '+' character? Have you verified that the desired record actually exists in the database? – Traveling Man May 29 '18 at 20:46
  • I have verified that the record exists as it should be. The problem I have found is not with the logic that we have created, but with grails itself. Grails replaces the `+` with a space when used in the URL. – Drummerman921 May 30 '18 at 17:38
  • 1
    `+ `https://www.ascii.cl/htmlcodes.htm rewrite the `+` to all to be `+` see if it works – V H May 31 '18 at 15:54

2 Answers

1

My suggestion would be: change your server implementation from GET to POST and provide the email as a String parameter within the body of the request. It'll prevent this and any similar issue with escaping special characters in the URI.

If that's not possible, try to frame the email address with single ' or double " quotes; depending on how your web server treats the incoming request, it may help as well.

Nice to know that "+" is not really a 'valid' character for a lot of email providers for a reason. For instance, Gmail will not let you create an email address with anything but [A-z0-9] (alphanumeric) and dot (.) characters. I'm pretty sure they were tired of validating input emails with complex regular expressions and just limited it to basic ones.

Mikhail Kholodkov
  • I believe grails converts the `+` in URL parameters to a space when pulling variables off the parameter map. – Trebla May 30 '18 at 14:05
  • You are right about that. When checking my request on the back-end I did notice the added space to the emails. – Drummerman921 May 30 '18 at 17:34
1

'+' is a reserved character in URIs, so in order to prevent it being interpreted as a space character you would need to percent-encode it. In your example, replace '+' with '%2B'.

https://www.someURL.com/api/people/jane%2Bdoe@someemail.com

There are other characters that are allowed in email addresses but are reserved characters in URIs, so it would be best to percent-encode the whole email address, just in case.

Ian Stride
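The encoding advice in the answer above as a runnable check, added here as an example and not code from the answers or from Grails. The `form_style` switch models the "+ becomes a space" decoding reported in the comments and is an assumption for illustration; the sample addresses other than the two from the question are constructed.

```python
from urllib.parse import quote, unquote, unquote_plus, urlsplit

BASE = "https://www.someURL.com/api/people/"  # URL from the question

# The two addresses from the question plus constructed ones whose local
# part uses other characters that are legal in email but reserved in URIs.
SAMPLES = [
    "johnsmith@someemail.com",
    "jane+doe@someemail.com",
    "a/b@someemail.com",
    "who?@someemail.com",
    "x#y@someemail.com",
]

def person_url(email: str) -> str:
    """Percent-encode the whole address as a single path segment."""
    # safe="" also encodes '/', which quote() leaves untouched by default.
    return BASE + quote(email, safe="")

def received_value(url: str, form_style: bool) -> str:
    """The key a server would look up after decoding the last path segment.

    form_style=True applies form decoding ('+' -> space); False applies
    plain percent-decoding. Both are models, not a framework's real code.
    """
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return unquote_plus(segment) if form_style else unquote(segment)

def survives(email: str, encode: bool, form_style: bool) -> bool:
    """True if the server ends up with exactly the address the client meant."""
    url = person_url(email) if encode else BASE + email
    return received_value(url, form_style) == email

def broken_when_raw(form_style: bool) -> list:
    """Addresses that are looked up under the wrong key when sent unencoded."""
    return [e for e in SAMPLES if not survives(e, False, form_style)]

if __name__ == "__main__":
    for email in SAMPLES:
        raw = received_value(BASE + email, form_style=True)
        enc = received_value(person_url(email), form_style=True)
        print(f"{email!r}: raw -> {raw!r}, encoded -> {enc!r}")
```

Encoding every address on the client gives the same lookup key under either decoding model, which is why the whole address is encoded rather than just the `+`.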