I have two Apache servers running PHP. One accepts forward-slashes in the query string and passes it along to PHP in the expected way, for example:

http://server/index.php?url=http://foo.bar

works and in PHP this expression is true:

$_REQUEST['url'] == "http://foo.bar"

However, in the other Apache server, the same URL results in a 403 Forbidden error! Note that if the query string is properly URL-escaped (i.e. with %2F instead of forward-slash), then everything works.

Clearly there's some difference in the Apache or PHP configuration that causes this, but I can't figure out what!

I want to accept this form of URL in both cases, not reject it.

A: 

This sounds like another case of default magic_quotes_gpc. On the server causing problems check the php.ini and make sure that

magic_quotes_gpc = Off

UberDragon
Indeed this is Off. So is magic_quotes_runtime.
Jason Cohen
A: 

You don't specify what PHP does with this URL. Does it redirect to this page or try to read it?

There is probably some mod_rewrite rule to remove double slashes, or for some other purpose, which tries to redirect this to somewhere it should not.

Maybe a regex without ^ before http://

OIS
PHP does get the page at all -- Apache throws a 403 exception error instead.
Jason Cohen
+2  A: 

http://server/index.php?url=http://foo.bar is not a valid url. You have to encode the slashes. I think browsers do this automagically, so maybe you were testing with different browsers?

Or perhaps it's the AllowEncodedSlashes setting?

troelskn
A: 

Note that if the query string is properly URL-escaped (i.e. with %2F instead of forward-slash), then everything works.

So it works when the query string is properly formatted and doesn't work when it isn't. What's the problem?

jmucchiello
The problem is that with my OTHER setting this DOES work!
Jason Cohen
+1  A: 

In your Apache config:

AllowEncodedSlashes On

See the documentation for more information: http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

Edit: Hmm, this may be what you already have working... I had this same problem, and what ended up fixing it for me was to just use $_SERVER['REQUEST_URI'] as that had the data I needed.

Ian
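An added example, not part of any answer on this page: it builds the link with the nested URL percent-encoded (the form the question reports as working on both servers) and recovers the parameter from the raw request URI, as the answer above does with $_SERVER['REQUEST_URI']. The helper names and the sample target URL are constructed for illustration.

```php
<?php
// Added example with hypothetical helper names and a constructed sample URL.

// Build the link so the nested URL is percent-encoded inside the query string.
function build_link(string $script, string $target): string
{
    // http_build_query() URL-encodes each value: "/" becomes %2F, "&" becomes %26.
    return $script . '?' . http_build_query(['url' => $target]);
}

// Recover the "url" parameter from a raw request URI such as $_SERVER['REQUEST_URI'].
function url_param_from_request_uri(string $requestUri): ?string
{
    // Split on the first "?" only; the nested URL may contain further "?" characters.
    $parts = explode('?', $requestUri, 2);
    if (count($parts) < 2) {
        return null;
    }
    parse_str($parts[1], $params); // decodes %XX sequences
    if (!isset($params['url']) || !is_string($params['url'])) {
        return null;
    }
    return $params['url'];
}

$target  = 'http://foo.bar/page?a=1&b=2';    // constructed sample value
$encoded = build_link('/index.php', $target); // nested URL fully escaped
$raw     = '/index.php?url=' . $target;       // nested URL pasted in unescaped

// In the raw form the nested URL's "&" ends the url value, so "b=2" is parsed
// as a separate parameter of index.php; the encoded form keeps it inside url.
var_dump($encoded);
var_dump(url_param_from_request_uri($encoded) === $target);
var_dump(url_param_from_request_uri($raw) === $target);
```

Encoding the value also removes the ambiguity over which "&" and "?" belong to the nested URL, independent of which server setting produces the 403.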
A: 

Do you have mod_security installed? See this thread:

http://stackoverflow.com/questions/1089744/403-forbidden-on-php-page-called-with-url-encoded-in-a-get-parameter

Phoenix