urlencode and GET request breaks at Ampersand

Question

I am working on a wordpress website which has thousands of pages and the owner has entered an affiliate link for each page via a custom field named: afflink

The affiliate link is outputted on the page using:

<?php echo get_post_meta(get_the_ID(), 'afflink', true) ?>

The user clicks the link which sends them to a page called go.php

The link looks like this:

www.mysite.com/go/go.php?url=http://www.somesite.com/redirector.aspx?aid=334&cid=2502&tid=3

Within the go.php page is the following meta refresh tag:

<meta http-equiv="refresh" content="5;<?php echo $_GET['url']?>

" />

However, when the page refreshes it sends us to just:

http://www.somesite.com/redirector.aspx?aid=334

How can i fix this?

Answer 1

You should use urlencode before printing link to the user, not after he clicks the link:

$link = "http://www.somesite.com/redirector.aspx?aid=334&cid=2502&tid=3";
echo '<a href="http://www.mysite.com/go/go.php?url='.urlencode($link).'">' . $link . '</a>';

[+]

I strongly recommend writing some script that will change existing entries with proper ones. If all of them starts with www.mysite.com/go/go.php?url= then you can replace it with nothing in database, add this part to your meta tag and echo urlencoded link from db.

Any other solution will be just a kludge. One of it is to recreate original url from the rest of GET parameters in go.php:

$url = $_GET['url'];
unset($_GET['url']);
if ($_GET) {
    $url .= '&' . http_build_query($_GET);
}

Answer 2

No need to urldecode a GET or REQUEST variable, they are automatically decoded:

http://php.net/manual/en/function.urldecode.php

Answer 3

You're misusing URLs.

Your URL is parsed like this:

• Path: go/go.php
• ?
• First query string argument: url=http://www.somesite.com/redirector.aspx?aid=334
• &
• Second querystring argument: cid=2502
• &
• Third querystring argument: tid=3

Instead, you need to URL-parameter-encode the inner URL.