PHP $_GET is removing special characters from the value

M_Arad
December 11, 2022
186 views
0 votes
2 Answers

I am sending an HTTP GET request with urlencoded value from a client application and on the server side I am using $_GET["Value"] to grab the value.

this is what the request looks like on the client side https://example.com/validate.php?Value=+MqZjrRvtvFdcC3GCRRnnQ== but on the server side the result of $_GET["Value"] is MqZjrRvtvFdcC3GCRRnnQ== without + in the beginning of MqZjrRvtvFdcC3GCRRnnQ== How can I grab the value as it is including all the special characters(if any)

I tried htmlspecialchars($_GET["Value"]) but this didnt work either.

Tags: get php

Answers

- MarkusZeller
- December 11, 2022 at 2:19 pm
- 0 votes
0
The + is a special char which will be escaped by parse_str().
You need to parse the query string by yourself.

Note: If there are multiple values you need to split by & first.

Calling

http://localhost:4000/?Value=+MqZjrRvtvFdcC3GCRRnnQ==
```
[$key, $value] = explode('=', $_SERVER['QUERY_STRING']);
```
will give a $value of
```
+MqZjrRvtvFdcC3GCRRnnQ==
```
Login or Signup to reply.

- 193lvaroGonz225lez
- December 11, 2022 at 2:29 pm
- 0 votes
0
You can’t inject any random character in a URL, you need to use proper escaping functions. In PHP you have rawurlencode():
```
$encoded = 'https://example.com/validate.php?Value=' . rawurlencode('+MqZjrRvtvFdcC3GCRRnnQ==');
```
https://example.com/validate.php?Value=%2BMqZjrRvtvFdcC3GCRRnnQ%3D%3D

(Demo)

In particular, + is some old encoding for whitespace character (U+0020) and = is often used to separate argument name from argument value.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.