Hankb88

PHP form auto escaping posted data?

I have an HTML form POSTing to a PHP page.

I can read in the data using the $_POST variable on the PHP.

However, all the data seems to be escaped.

So, for example

a comma (,) = %2C
a colon (:) = %3a
a slash (/) = %2

so things like a simple URL such as http://example.com get POSTed as http%3A%2F%2Fexample.com

Any ideas as to what is happening?

Upvotes: 1

Views: 947

Answers (3)

bobince

Reputation: 536359

This shouldn't be happening, and though you can fix it by manually urldecode()ing, you will probably be hiding a basic bug elsewhere that might come round to bite you later.

Although when you POST a form using the default content-type ‘application/x-www-form-encoded’, the values inside it are URL-encoded (%xx), PHP undoes that for you when it makes values available in the $_POST[] array.

If you are still getting unwanted %xx sequences afterwards, there must be another layer of manual URL-encoding going on that shouldn't be there. You need to find where that is. If it's a hidden field, maybe the page that generates it is accidentally encoding it using urlencode() instead of htmlspecialchars(), or something? Putting some example code online might help us find out.

Upvotes: 0

alex

Reputation: 490183

Here is a simple PHP loop to decode all POST vars

foreach($_POST as $key=>$value) {
    $_POST[$key] = urldecode($value);
}

You can then access them as per normal, but properly decoded. I, however, would use a different array to store them, as I don't like to pollute the superglobals (I believe they should always have the exact data in them as set by PHP).

Upvotes: 0

jmucchiello

Reputation: 18984

Actually you want urldecode. %xx is a URL encoding, not an HTML encoding. The real question is why you are getting these codes. PHP usually decodes the URL for you as it parses the request into the $_GET and $_REQUEST variables. POSTed forms should not be urlencoded. Can you show us some of the code generating the form? Maybe your form is being encoded on the way out for some reason.

See the warning on this page: https://www.php.net/manual/en/function.urldecode.php

Upvotes: 3
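
The double-encoding cause bobince describes and the urldecode() warning jmucchiello links to, reproduced as an added example that is not part of the original thread. browser_submit() and php_parse_post() are hypothetical helpers standing in for the browser and for PHP's request parsing, and the sample URL is constructed.

```php
<?php
// Added example: why %xx shows up in $_POST, and why a blanket urldecode()
// is the wrong fix. Helper names and the sample value are assumptions.

// Stand-in for the browser: read the value out of the HTML attribute
// (entities decoded), then URL-encode it into the POST body.
function browser_submit(string $html_value_attr): string {
    $value = html_entity_decode($html_value_attr, ENT_QUOTES, 'UTF-8');
    return 'url=' . urlencode($value);
}

// Stand-in for PHP filling $_POST from an x-www-form-urlencoded body.
// parse_str() URL-decodes each value once, as PHP does for $_POST.
function php_parse_post(string $raw_body): array {
    parse_str($raw_body, $post);
    return $post;
}

$original = 'http://example.com/?a=1&b=2+2'; // constructed sample value

// Buggy form generator: urlencode() used where HTML escaping was needed,
// e.g. <input type="hidden" name="url" value="<?= urlencode($url) ?>">
$buggy_attr = urlencode($original);
$buggy_post = php_parse_post(browser_submit($buggy_attr));

// Correct form generator: escape for the HTML attribute context only.
$good_attr = htmlspecialchars($original, ENT_QUOTES, 'UTF-8');
$good_post = php_parse_post(browser_submit($good_attr));

// The "fix everything" loop applied to data that was already correct.
$over_decoded = urldecode($good_post['url']);

echo "buggy form   -> ", $buggy_post['url'], "\n"; // still contains %3A%2F%2F
echo "correct form -> ", $good_post['url'], "\n";  // identical to $original
echo "round trip ok: ", var_export($good_post['url'] === $original, true), "\n";

// Decoding a second time silently turns the literal '+' into a space.
echo "after extra urldecode(): ", $over_decoded, "\n";
echo "data changed: ", var_export($over_decoded !== $original, true), "\n";
```

The extra urldecode() only appears to work on the buggy form; on any correctly generated field it rewrites legitimate `+` and `%xx` characters, so the encoding mistake is better fixed where the form is generated.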
