43

How can I pass one or more variables of type array to another page via $_GET?

I always passed variable values in the form ?a=1&b=2&c=3

What about passing a=[1,2,3] ?

Do I need to write a for loop and append all the values?

Thanks

Arnaud Le Blanc
Paranoid Android

4 Answers

97

You can use the [] syntax to pass arrays through _GET:

?a[]=1&a[]=2&a[]=3

PHP understands this syntax, so $_GET['a'] will be equal to array(1, 2, 3).

You can also specify keys:

?a[42]=1&a[foo]=2&a[bar]=3

Multidimensional arrays work too:

?a[42][b][c]=1&a[foo]=2

http_build_query() does this automatically:

http_build_query(array('a' => array(1, 2, 3))) // "a[]=1&a[]=2&a[]=3"

http_build_query(array(
    'a' => array(
        'foo' => 'bar',
        'bar' => array(1, 2, 3),
     )
)); // "a[foo]=bar&a[bar][]=1&a[bar][]=2&a[bar][]=3"

An alternative would be to pass json encoded arrays:

?a=[1,2,3]

And you can parse a with json_decode:

$a = json_decode($_GET['a']); // array(1, 2, 3)

And encode it again with json_encode:

json_encode(array(1, 2, 3)); // "[1,2,3]"

Don't ever use serialize() for this purpose. Serialize allows serializing objects, and there are ways to make them execute code. So you should never deserialize untrusted strings.

Arnaud Le Blanc
  • 1
    +1 for json. just make sure you urlencode your json array to counter xss – knittl Aug 26 '11 at 15:41
  • `urlencode()` is not a way to counter xss. `htmlspecialchars()` is. But anyone should already `htmlspecialchars()` everything he outputs. – Arnaud Le Blanc Aug 26 '11 at 15:44
  • @arnoud: using urlencode inside attributes is safe. And when passing an url, you want it encoded for urls, not for markup (think `href=""`) – knittl Aug 26 '11 at 15:46
  • `urlencode()` is not meant to escape html, its goal is to escape url components ;) So you just escape parameter names and values with urlencode(), and you escape the whole url with htmlspecialchars() before embedding it in an HTML document. – Arnaud Le Blanc Aug 26 '11 at 15:53
  • and the json_encoded array is what? it's an url component! urlencode encodes at least `<`, `>`, `&`, `"`, `'` so you are on the safe side … – knittl Aug 26 '11 at 15:57
  • I didn't say to not use `urlencode()`; I said to not use it for html escaping purposes. Do not consider a url-encoded string as html-safe, they are not (e.g. it doesn't take care of multibyte character sets). urlencode() is not a way to counter xss. – Arnaud Le Blanc Aug 26 '11 at 16:10
  • »Returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits« shouldn't that take care of multibyte characters? they will simply be encoded as two entities. And I'm well aware that you should use `htmlspecialchars` for escaping HTML. My first comment probably wasn't very clear about that (should have read: to not produce invalid urls). Any way you should `urlencode` your array when appending it to an url, regardless of the discussion about XSS. – knittl Aug 26 '11 at 16:21
  • @arnaud576875 (knittl) -- you are both right since you are talking about 2 diff. things. You talk about output of GET passed data on actual page and you are dead-on; knittl is talking about encoding data passed via url - which should be done, but it does not prevent xss - it just prevents url from breaking; BTW: arnaud576875 - htmlspecialchars/htmlentities break http_build_query/json_encode treated data string, as &amp is prefixed (5.3 tested with no extra params) – Jeffz Oct 18 '12 at 14:55
  • The answer is not exactly true. In my case, if I put [] in my get request it would still recognise it as a single variable. I had to put the corresponding entities in the URL, which are %5B for [, and %5D for ]. Example: ?a%5B%5D=first&a%5B%5D=second – funforums Jun 10 '14 at 14:56
  • the first answer didn't work for me, but when I left the square brackets off it did. (Ex ?a=1&a=2&a=3) – mgrenier Dec 08 '14 at 20:12
  • @ArnaudLeBlanc Any way to parse Array type URL using `JavaScript`? – Yogen Darji Feb 04 '20 at 04:46
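
The points made in the answer and comments above, as an added example that is not part of the original posts: the sender URL-encodes with http_build_query() and HTML-escapes the finished URL, and the receiver checks the shape of the array before using it, with json_decode() as the alternative to unserialize(). The function names, the `/page.php` path and the sample query strings are constructed for illustration.

```php
<?php
// Added example; function names and sample query strings are constructed.

// Sender: http_build_query() URL-encodes names and values (brackets included);
// htmlspecialchars() then escapes the finished URL for the HTML attribute.
function build_link(string $path, array $params): string
{
    $url = $path . '?' . http_build_query($params);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">next</a>';
}

// Receiver: the client picks the shape (?a=1 is a string, ?a[]=1 an array,
// ?a[x][y]=1 a nested array), so check it before use. Returns null if invalid.
function int_list_param(array $input, string $key, int $maxItems = 50): ?array
{
    $value = $input[$key] ?? null;
    if (!is_array($value) || count($value) > $maxItems) {
        return null;
    }
    $out = [];
    foreach ($value as $item) {
        // Nested arrays and non-integer strings are rejected, not coerced.
        $int = is_string($item) ? filter_var($item, FILTER_VALIDATE_INT) : false;
        if ($int === false) {
            return null;
        }
        $out[] = $int;
    }
    return $out;
}

// JSON variant: json_decode() only yields plain data, never objects of
// application classes; bound the depth and check every element.
function int_list_json(array $input, string $key): ?array
{
    $raw = $input[$key] ?? null;
    $decoded = is_string($raw) ? json_decode($raw, true, 4) : null;
    if (!is_array($decoded) || $decoded !== array_filter($decoded, 'is_int')) {
        return null;
    }
    return array_values($decoded);
}

echo build_link('/page.php', ['a' => [1, 2, 3]]), "\n";
// parse_str() stands in for PHP filling $_GET from the request.
foreach (['a[]=1&a[]=2&a[]=3', 'a=1', 'a[x][y]=1', 'a[]=<script>', 'a=[1,2,3]'] as $qs) {
    parse_str($qs, $get);
    var_dump(int_list_param($get, 'a'), int_list_json($get, 'a'));
}
```

Run from the command line, only the first query string passes int_list_param() and only the last passes int_list_json(); every other combination returns null.
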
7

You can pass an associative array to http_build_query() and append the resulting string as the query string to the URL. The array will automatically be parsed by PHP so $_GET on the receiving page will contain an array.

Example

$query_str = http_build_query(array(
    'a' => array(1, 2, 3)
));
Stéphane Bruckert
Michael Mior
5
$city_names = array(
    'delhi',
    'mumbai',
    'kolkata',
    'chennai'
);
$city_query = http_build_query(array('city' => $city_names));

This will give you:

city[0]=delhi&city[1]=mumbai&city[2]=kolkata&city[3]=chennai

If you want to encode the brackets also, then use the code below:

$city_query = urlencode(http_build_query(array('city' => $city_names)));

Output:

city%255B0%255D%3Ddelhi%26city%255B1%255D%3Dmumbai .....

Reference: http_build_query, urlencode

IRSHAD
-4

Just repeat your $_GET variables like this: name=john&name=lea

This gives you an array.

I used to believe it would be overwritten!

Saty
  • 5
    This is incorrect. Repeating the parameter *will* overwrite. You must include the brackets on each `name` part in order to get an array. At least, that's what happens on PHP 5.3+. – Chris Middleton Jan 09 '15 at 16:51