PHP $_GET var with urlencode and "&" bug

Question

In my code, I create a link like this:

$link = 'http://www.mydomain.com/'.urlencode($str).'/1';

I use url-rewriting and the rule in my htaccess file looks like this:

rewriteRule ^(.+)/(.*)$ index.php?var1=$1&var2=$2 [NC,L]

This code is working fine for almost every strings. But sometimes, the string to encode contains "&". The urlencode function encodes it corectly, but when I read the $_GET array in php, it looks like this (with $str = 'substring1&substring2'):

'var1' => 'substring1' (without "&")
'substring2' => '' (without "&")
'var2' => 1

I really need the "&" in my var. Is there a way to encode that character to make it works?

Also, I really don't know why, but sometimes I get a forbidden http error with some strings passed as var1. Apparently, they have nothing special, for exemple, "Décarie Square" makes that error. Other strings with spaces and "é" are working fine.

Answer 1

Apache's mod_rewrite automatically decodes urlencoded strings when it does regex matching. But it only does this once, so you should be if you urlencode your string twice. This will re-escape all of those `%' characters.

try

$link = 'http://www.mydomain.com/'.urlencode(urlencode($str)).'/1';

or stop relying on rewrite rules and use a framework that handles URL routing properly.

Oh, and there should also be htmlentities() somewhere in there.

Answer 2

Apache will automatically translate (decode) the path. You must use a different encoding or even double encoding. Base 64 will work.

Answer 3

Two options:

• Urlencode the string before urlencoding the query.
• Replace all non alphanumerical chars with a dash or underscore

As for the forbidden error are you using http auth basic or digest?

Update may mistake try using htmlentities or htmlspecialchars instead of urlencode

Answer 4

your $str isn't setup with key=val pairs

Try $str = 'var1=substr1&var2=substr2';