is a query string with a / in it valid?

Question

Due to a miscommunication with an affiliate partner we're working with the URL they call on our server has been mixed up.

This is the URL they are supposed to call on our server :

 /AAAAAAAA/?b=CCCCCCC

unfotunately it was implemented in their system as this

 ?b=CCCCCCC/AAAAAAA

I can easily parse out the components, but I'm worried that a query string parameter with / in it is not actually a valid URL.

Is a / in a URL actually valid - or should I be concerned. Under what circumstances may an unencoded / cause problems in a query string.

Answer 1

According to RFC 3986: Uniform Resource Identifier (URI): Generic Syntax (from year 2005), yes, / is allowed in the query component. This is the BNF for the query string: (in Appendix A in RFC 3986)

query         = *( pchar / "/" / "?" )
pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

The spec says:

• The characters slash ("/") and question mark ("?") may represent data within the query component.
• as query components are often used to carry identifying information in the form of "key=value" pairs and one frequently used value is a reference to another URI, it is sometimes better for usability to avoid percent-encoding those characters

Here is a related question: Query string: Can a query string contain a URL that also contains query strings?

Answer 2

Slash is a "reserved character" in the query part of a URL per RFC 2396 section 3.4, so according to section 2.2 it has to be encoded. That is, a query part can contain %2F but shouldn't contain /.

Answer 3

Although I've never had a problem, they're not technically allowed as per RFC 2396:

Within a query component, the characters ";", "/", "?", ":", "@", "&", "=", "+", ",", and "$" are reserved.

But as I said...I've never run into any issues. I think it's a problem with older browsers more than anything, but maybe someone can shed some more light on a problem this causes?