PHP - avoid replacing '+' with space

Question

I'm working on an Android app which sends some hashes to the server. Of course, the hashes often contain special characters like + = /. I found out that my PHP script is automatically changing the + symbol with a blank space, which somehow breaches in my own security mechanism.

I could've simply replaced the blank space with the + sign using the str_replace() function, but I'm worried if there can be more circumstances like this where PHP changes some special characters with some other characters. Also, It's not the ethical way.

1) Is it only about the + symbol or there can be other occurrences too?

2) What is the correct way to get the raw (unformatted) string?

I think the best way would be to have your Android app correctly URL-encode (`+` would be `%2B`) the data it sends as query parameters, then PHP has to do nothing. — Tobias K., Jul 14 '18 at 08:41

score 1 · Answer 1 · answered Jul 14 '18 at 09:07

1

As mentioned in my comment this is an encoding issue and should be fixed in the Request (Android app) rather than the server. Check this answer for a Java example.

To your specific questions:

There are a number of "control characters" that NEED to be encoded because they have a special meaning: + ? &
I don't think it's possible to get the original string in PHP, as PHP likely never sees it. The webserver will likely URL-decode the params before passing it to PHP, as defined in URL/HTTP.

answered Jul 14 '18 at 09:07

Tobias K.

2,997
2
12
29

`str_replace()` is the naive server-side "solution" to your problem, however you figured out yourself that it's not ethical and error-prone. You just fix symptoms, not the problem. – Tobias K. Jul 14 '18 at 09:11

PHP - avoid replacing '+' with space

1 Answers1