Home Differentiate between encoded slashes %2f and non-encoded slashes / in $_GET
Reply: 0

Differentiate between encoded slashes %2f and non-encoded slashes / in $_GET

Jonte Jontesson
1#
Jonte Jontesson Published in 2017-12-06 22:19:14Z

I have an web application that perform routing using rewrite rules for .htaccess for Apache2. My .htaccess file has the following line:

RewriteRule ^([A-Za-z]+)/([A-Za-z+-]+)/(.+)/?$ index.php?controller=$1&action=$2&params=$3 [NC]

The above line successfully routes an URI, let's say example.com/book/display/Foo to example.com/index.php?controller=book&action=display&params=Foo.

The problem is however that I'm exploding the $_GET['params'] in PHP using explode() and then pass the parameters as function arguments using call_user_func_array(). Thus, when I supply a parameter that include a slash, url encoded (using rawurlencode()) or not, explode() explodes the single parameter into two separate function arguments.

Is there a way to differentiate between a encoded slash %2f and a non-encoded slash / in Apache/PHP, so that I can avoid exploding an argument into two strings? At the moment, when I enter the URI index.php?controller=book&action=display&params=foo%2fbar, PHP still thinks that $_GET['params'] contains foo/bar rather than foo%2fbar. Changing the value of AllowEncodedSlashes in Apache makes no difference.

You need to login account before you can post.

About| Privacy statement| Terms of Service| Advertising| Contact us| Help| Sitemap|
Processed in 0.324167 second(s) , Gzip On .

© 2016 Powered by mzan.com design MATCHINFO