I am sending an HTTP GET request with a URL-encoded value from a client application, and on the server side I am using $_GET["Value"] to grab the value.

This is what the request looks like on the client side: https://example.com/validate.php?Value=+MqZjrRvtvFdcC3GCRRnnQ== but on the server side the result of $_GET["Value"] is MqZjrRvtvFdcC3GCRRnnQ== without the + at the beginning of MqZjrRvtvFdcC3GCRRnnQ==. How can I grab the value as it is, including all the special characters (if any)?

I tried htmlspecialchars($_GET["Value"]) but this didn't work either.

2 Answers


  1. The + is a special char which will be escaped by parse_str().
    You need to parse the query string by yourself.

    Note: If there are multiple values you need to split by & first.

    Calling

    http://localhost:4000/?Value=+MqZjrRvtvFdcC3GCRRnnQ==

    // limit 2: split on the first '=' only, so the '==' padding stays in $value
    [$key, $value] = explode('=', $_SERVER['QUERY_STRING'], 2);

    will give a $value of

    +MqZjrRvtvFdcC3GCRRnnQ==
    
  2. You can’t inject any random character in a URL, you need to use proper escaping functions. In PHP you have rawurlencode():

    $encoded = 'https://example.com/validate.php?Value=' . rawurlencode('+MqZjrRvtvFdcC3GCRRnnQ==');
    

    https://example.com/validate.php?Value=%2BMqZjrRvtvFdcC3GCRRnnQ%3D%3D

    (Demo)

    In particular, + is some old encoding for whitespace character (U+0020) and = is often used to separate argument name from argument value.

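The following worked example is added here and is not code from the question or from either answer. It ties the two answers together: it shows why PHP's query-string parsing (the rules parse_str() and $_GET share) turns a literal `+` into a space, shows a small parser over the raw query string that uses rawurldecode() so `+` survives (answer 1's approach, generalised to several parameters and to `=` inside values), and shows that a value encoded on the client with rawurlencode() (answer 2) round-trips through parse_str() unchanged. The function name parse_query_raw is an assumption of this example; the token value is the one from the question.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or the answers).
// Why the '+' disappears: PHP decodes query strings for $_GET with the same
// rules as parse_str(), and those rules treat a bare '+' as an encoded space.
// Fix (a): encode properly on the client with rawurlencode().
// Fix (b): parse $_SERVER['QUERY_STRING'] yourself with rawurldecode(),
//          which does not apply the '+' => ' ' rule.

/**
 * Parse a raw query string without the '+' => ' ' rule.
 * Splits on '&', then on the FIRST '=' only, so base64 '=' padding in a
 * value survives. A repeated key keeps its last value.
 * (Hypothetical helper for this example, not a PHP built-in.)
 *
 * @return array<string,string>
 */
function parse_query_raw(string $query): array
{
    $out = [];
    if ($query === '') {
        return $out;
    }
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);          // limit 2: name / value
        $key   = rawurldecode($parts[0]);
        $value = isset($parts[1]) ? rawurldecode($parts[1]) : '';
        $out[$key] = $value;
    }
    return $out;
}

$value = '+MqZjrRvtvFdcC3GCRRnnQ==';   // the base64 token from the question

// --- the unencoded request from the question ---------------------------
$badQuery = 'Value=' . $value;         // Value=+MqZjrRvtvFdcC3GCRRnnQ==

parse_str($badQuery, $viaParseStr);    // what $_GET would contain
var_dump($viaParseStr['Value']);       // string(24) " MqZjrRvtvFdcC3GCRRnnQ==" : '+' became a space

$viaRaw = parse_query_raw($badQuery);
var_dump($viaRaw['Value']);            // string(24) "+MqZjrRvtvFdcC3GCRRnnQ==" : intact

// --- the correctly encoded request (answer 2) --------------------------
$goodQuery = 'Value=' . rawurlencode($value);
echo $goodQuery, "\n";                 // Value=%2BMqZjrRvtvFdcC3GCRRnnQ%3D%3D

parse_str($goodQuery, $decoded);
var_dump($decoded['Value'] === $value); // bool(true): %2B decodes back to '+'

// Several parameters, with '=' inside a value, through the raw parser:
var_dump(parse_query_raw('a=1&Value=' . $value . '&b=x%3Dy'));
// ['a' => '1', 'Value' => '+MqZjrRvtvFdcC3GCRRnnQ==', 'b' => 'x=y']
```

Note the design choice: the raw parser is only needed when the client cannot be fixed. If you control the client, rawurlencode() is the simpler and more robust answer, because a server that decodes `%2B` correctly is standard behaviour, whereas a server that preserves a bare `+` is non-standard and will surprise the next proxy, cache or framework in the chain.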