
I'm trying to redirect users from:

http://example.com/search?poster=ABC123 to http://example.com/name/ABC123

In the $_GET['poster'] variable I also allow the user to enter a wildcard search (%). This is where the problem comes in. When the user enters a % (converted to %25) as the first letter in the path, it gives me an error like this:

Forbidden
You don't have permission to access /name/%25test on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

However, using the wildcard anywhere else in the string works fine.

Here is my .htaccess file.

Options -MultiViews
RewriteEngine On
Options -Indexes

RewriteBase /search
# A RewriteCond block applies only to the RewriteRule that directly follows it,
# so the existence checks are repeated before each rule.
RewriteCond %{REQUEST_FILENAME}  !-d
RewriteCond %{REQUEST_FILENAME}  !-f
RewriteCond %{REQUEST_FILENAME}  !-l
# The pattern is matched against the %-decoded path, so $1 holds the decoded value.
RewriteRule ^name/(.+)$ /?poster=$1 [QSA,L]
RewriteCond %{REQUEST_FILENAME}  !-d
RewriteCond %{REQUEST_FILENAME}  !-f
RewriteCond %{REQUEST_FILENAME}  !-l
RewriteRule ^content/(.+)$ /?content=$1 [QSA,L]
RewriteCond %{REQUEST_FILENAME}  !-d
RewriteCond %{REQUEST_FILENAME}  !-f
RewriteCond %{REQUEST_FILENAME}  !-l
RewriteRule ^title/(.+)$ /?title=$1 [QSA,L]

Examples (my real website):

http://archive.rookstat.net/name/%25he <--- Error
http://archive.rookstat.net/name/he%25 <--- Works
http://archive.rookstat.net/name/hello <--- Works

How can I resolve this? I've tried many different combinations in the RewriteRule, but I must be doing something wrong. Are the flags incorrect? The user is not always entering a wildcard, so I do not want to use a rule that specifically looks for a "%" or "%25", but in case the user does enter one, it should not think it's a folder or file... or whatever.

I also get the same error with the /search/ path:

http://archive.rookstat.net/search/?poster=%he

It seems as if it thinks it's a file path, and not a URL...

Lee Cheung

2 Answers


The percent (%) symbol is reserved for URL-encoded characters. I would recommend base64-encoding the entered search term and then decoding it in your search function:

<?php
// When building the link: encode the raw search term (wildcards included) so it is URL-safe
$query = base64_encode($wildcard_query);

// In the search script: restore the original term from the request parameter
$search_term = base64_decode($_GET['poster']);
Jamie_D
  • If you are using MySQL queries, be careful not to enter user-defined queries directly into your database, since you could open yourself up to SQL injection attacks. SEE: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Jamie_D Aug 23 '18 at 08:38
  • Yes, I am using PDO with prepared statements to get the data out – Lee Cheung Aug 23 '18 at 16:56

Please try the B flag to re-encode the backreferences.

(The example in the documentation matches your use case exactly, and I could not explain it better.)

hakre
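To make the effect of the B flag concrete, here is an added example (not code from the answer or from Apache) that models, in Python, what mod_rewrite does with the question's rule `^name/(.+)$ -> /?poster=$1`: the pattern is matched against the %-decoded path, so the backreference is already decoded; without B that decoded text is pasted into the new URL as-is, with B its non-alphanumeric characters are %-escaped again. The escaping is approximated with `urllib.parse.quote(..., safe="")`, and `php_get` models the single %-decode PHP applies to the query string. The constructed request paths are the question's `%25he` plus two cases from the same documentation example (an encoded `%` and an encoded `&`).

```python
import re
from urllib.parse import parse_qs, quote, unquote

# Constructed rule mirroring the question's .htaccess: ^name/(.+)$ -> /?poster=$1
RULE = re.compile(r"^name/(.+)$")
SUBSTITUTION = "/?poster=$1"


def rewrite(request_path: str, b_flag: bool) -> str:
    """Model the URL mod_rewrite produces for a request path (assumption: an
    approximation, not Apache's code).

    mod_rewrite unescapes the path before matching, so $1 holds decoded text.
    Without B that text is substituted verbatim; with B every non-alphanumeric
    character in the backreference is %-escaped again (quote() with safe="").
    """
    decoded = unquote(request_path.lstrip("/"))
    m = RULE.match(decoded)
    if m is None:
        return request_path  # rule does not apply; request passes through unchanged
    backref = m.group(1)
    if b_flag:
        backref = quote(backref, safe="")
    return SUBSTITUTION.replace("$1", backref)


def php_get(rewritten_url: str, key: str) -> str:
    """Value PHP would expose in $_GET[key]: the query string is %-decoded once."""
    query = rewritten_url.split("?", 1)[1]
    return parse_qs(query, keep_blank_values=True)[key][0]


if __name__ == "__main__":
    # Constructed request paths: the question's case, a literal '%' the user
    # typed (browser-encoded as %2525), and an '&' inside the term.
    for path in ("/name/%25he", "/name/he%2525", "/name/a%26b"):
        for b in (False, True):
            url = rewrite(path, b_flag=b)
            print(f"{path:16} B={str(b):5} -> {url:22} $_GET['poster']={php_get(url, 'poster')!r}")
```

The second and third cases show why the flag matters beyond the reported error: without B, `he%2525` reaches PHP as `he%` (decoded twice), and `a%26b` is split into a `poster=a` parameter plus a stray `b` key; with B each value round-trips unchanged, and the leading `%` in the question's case lands in the rewritten URL as a well-formed `%25`.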