Pass a Percent (%) Sign in a Url and Get Exact Value of It Using PHP

Pass a percent (%) sign in a url and get exact value of it using php

Answer:

To send a % sign in a url, instead send %25.

In your case, in order for php to see a percent sign, you must pass the character string %25B6011000995504101^SB to the server.

Why:

In URLs, the percent sign has special meaning. It is used to encode special characters. For example, & is the separator between parameters, so if you want your parameter to actually contain an &, you instead write %26. Because the percent sign is used to encode special characters, it is also a special character, and so if you want to actually send a percent sign, it must also be encoded. The encoding for a percent sign is %25.
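The effect described above, as an added example that is not part of the original answer: it decodes the question's value the way PHP does for a query string, once with a bare % and once with %25. The parameter name `data` and the helper `decode_query()` are assumptions made for the illustration.

```php
<?php
// Added illustration (not from the original answer): what PHP's query-string
// decoding does to the value from the question, with and without %25.

$value = '%B6011000995504101^SB';   // the value the server should receive

// Hypothetical helper: decode a raw query string with parse_str(),
// which applies the same percent-decoding PHP uses for query parameters.
function decode_query(string $rawQuery): array
{
    parse_str($rawQuery, $params);
    return $params;
}

// 1) Percent sign sent as-is: "%B6" is itself a valid escape sequence,
//    so the decoder consumes it and emits the single byte 0xB6.
$broken = decode_query('data=%B6011000995504101^SB')['data'];
var_dump($broken === $value);      // compares the received value to the intended one
var_dump(bin2hex($broken[0]));     // hex of the first received byte

// 2) Percent sign sent as %25: the decoder turns %25 back into "%"
//    and leaves the following "B6" alone.
$exact = decode_query('data=%25B6011000995504101^SB')['data'];
var_dump($exact === $value);

// 3) Letting PHP build the query string avoids encoding by hand.
$query = http_build_query(['data' => $value]);
echo $query, PHP_EOL;
var_dump(decode_query($query)['data'] === $value);

// 4) Decoding an already-decoded value damages it again, because the
//    decoded string once more begins with the escape-like "%B6".
var_dump(urldecode($exact) === $value);
```

Case 4 is why a value should be decoded exactly once, at the point where it leaves the URL.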

percent(%) sign character in git password

For '%' character, equivalent URL encode is '%25'

You can try replacing '%' with '%25'

Avoid multiple url_encode()

Assuming that you are wanting to urlencode a URL for use in the query string (recursively/iterative), something like this:

$s = 'http://www.php.net/urlencode?url=http%3A%2F%2Fwww.php.net%2Furlencode';
//parse the url
$p = parse_url($s);
//check if there is a query string
$q = isset($p['query']) ? $p['query'] : '';
//urlencode the main url and then append the already encoded query string
echo urlencode(str_replace($q, '', $s)) . $q;

Or possibly:

echo urlencode(urldecode($s));

Percent Symbol in CodeIgniter URI

Put the "-" at the end of the string otherwise it gets interpreted as range. The % is already in the allowed character list as you can see.

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_+-';

Ahem... after looking at your sample string again. Here is why you get "The URI you submitted has disallowed characters".

Short explanation: Add the ampersand & to the allowed characters list

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_+&-';

Long explanation

There are 2 things playing together.

A) CodeIgniter checks all URI segments for disallowed characters. This happens by whitelisting allowed characters. Which ones are allowed can be checked in /system/application/config/config.php in the $config['permitted_uri_chars'] variable. The default value is set to something like 'a-z 0-9~%.:_-'. Thus all letters from a to z, space, all numbers and the following characters *~%.:_- are allowed.

Ok let us compare that to your sample URI which you say works

a-z 0-9~%.:_-
DO_SOMETHING/Coldplay/Fix+You/273/X+26+Y/ //note the missing %

All characters are ok... but wait what about the plus sign +? It's not in the list of allowed characters! And yet the URI is not complained about? This is the key to your problem.

B) CodeIgniter urldecodes the URI segments prior to the whitelist-character-check to prevent someone from circumventing the check by simply urlencoding the URI. Thus the + gets decoded to a space. This behaviour is because of urlencode (which encodes spaces as + sign, deviating from RFC 1738). That explains why the + sign is allowed.

These two things combined explain also why this specific URI doesn't work.

urldecode('DO_SOMETHING/Coldplay/Fix+You/273/X+%26+Y/'); //evaluates to
//DO_SOMETHING/Coldplay/Fix You/273/X & Y/

Whoops... the urldecoding translates %26 to an &

Which isn't an allowed character. Mystery ;-) solved
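The decode-then-whitelist behaviour described in this answer, as an added example. It is not CodeIgniter's source code: `segment_is_permitted()` and `check_uri()` are hypothetical helpers, and the permitted-character strings are the ones quoted in the answer, used here as the body of a regex character class.

```php
<?php
// Added illustration, not CodeIgniter's source: a decode-then-whitelist
// check modelled on the behaviour described in the answer above.

// Hypothetical helper. $permitted is a character-class body such as the
// values shown for $config['permitted_uri_chars'].
function segment_is_permitted(string $segment, string $permitted, bool $decodeFirst = true): bool
{
    $candidate = $decodeFirst ? urldecode($segment) : $segment;
    // i: case-insensitive, so "a-z" also covers upper case.
    // D: "$" matches only at the very end of the string.
    return preg_match('/^[' . $permitted . ']+$/iD', $candidate) === 1;
}

// Hypothetical helper: check every segment of a URI path.
function check_uri(string $uri, string $permitted, bool $decodeFirst = true): array
{
    $results = [];
    foreach (explode('/', trim($uri, '/')) as $segment) {
        $results[$segment] = segment_is_permitted($segment, $permitted, $decodeFirst);
    }
    return $results;
}

$default  = 'a-z 0-9~%.:_-';     // default list quoted in the answer
$extended = 'a-z 0-9~%.:_+&-';   // "+" and "&" added, "-" kept last

$uri = 'DO_SOMETHING/Coldplay/Fix+You/273/X+%26+Y/';

// Default list, decoded first: "Fix+You" is checked as "Fix You" and is
// accepted; "X+%26+Y" is checked as "X & Y" and is rejected because of "&".
var_dump(check_uri($uri, $default));

// Extended list, decoded first: "&" is now listed, so all segments pass.
var_dump(check_uri($uri, $extended));

// The same "&" sent as %26 and checked WITHOUT decoding: every raw
// character ("%", "2", "6", ...) is on the default list, so an undecoded
// check would accept it. Decoding first is what makes the check see "&".
$encoded = 'X%20%26%20Y';
var_dump(segment_is_permitted($encoded, $default, false));
var_dump(segment_is_permitted($encoded, $default, true));
```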

Never seen and can't find out such a weird sign encoding in URL

%23 is the url-encoded form of the # character. So the URL contains an encoded string value of &#x3F;.

An HTML entity can be expressed in one of three formats:

&<name>; &#<decimal>; &#x<hex>;

In this case, the URL contains a hex-encoded HTML entity, where 0x3F is the hex value for the ? character.

The URL you provided:

http://ow.ly/LhPyt

As well as this direct URL:

http://www.hotelreservierung.de/angebot/St-James's-Club-Morgan-Bay-Saint-Lucia/Hotel-4432957

Both respond with an HTTP redirect to this URL:

http://www.hotelreservierung.de/angebot/St-James&%23x3F;s-Club-Morgan-Bay-Saint-Lucia/Hotel-4432957


GET /LhPyt HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ow.ly
DNT: 1
Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently
Location: http://goo.gl/8vb7n8
Connection: close
Content-Length: 0

GET /8vb7n8 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Host: goo.gl
Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 10 Apr 2015 16:59:34 GMT
Location: http://www.hotelreservierung.de/angebot/St-James&%23x3F;s-Club-Morgan-Bay-Saint-Lucia/Hotel-4432957
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 240
Server: GSE
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Age: 83
Alternate-Protocol: 80:quic,p=0.5

GET /angebot/St-James's-Club-Morgan-Bay-Saint-Lucia/Hotel-4432957 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.hotelreservierung.de
DNT: 1
Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently
Date: Fri, 10 Apr 2015 17:01:07 GMT
Server: Apache/2
Provided-Host: hrslave03
Set-Cookie: _hrlnkflghtl2=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22Hrlnkflghtl1%22%3B%7D; expires=Sun, 10-May-2015 17:01:07 GMT; path=/
Set-Cookie: _hrhtldtlnwdsgn2=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22Hrhtldtlnwdsgn2b%22%3B%7D; expires=Sun, 10-May-2015 17:01:07 GMT; path=/
Set-Cookie: _hrstrtpgnwfrm=a%3A1%3A%7Bi%3A0%3Bs%3A14%3A%22Hrstrtpgnwfrm4%22%3B%7D; expires=Sun, 10-May-2015 17:01:07 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mDhBeFyD=00; Expires=Sat, 11-Apr-2015 17:01:07 GMT; Path=/
Location: /angebot/St-James&%23x3F;s-Club-Morgan-Bay-Saint-Lucia/Hotel-4432957
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html

Notice the Location header in both responses.

In the first case, the browser is simply navigating to the new URL that goo.gl told it to go to.

In the second case, the browser is transmitting the ' character as-is in its GET request and is then being redirected to a new URL that contains &%23x3F; instead. So it is the hotelreservierung.de server itself that is deciding to encode the ' character as &%23x3F; in its URL. It is not the browser doing that.

JavaScript - Encode characters and URI malformed error

Eventually there was a bug on my server side. I tried to decode the '%' sign.
Solved it by the following:

On the client:

// Build the request URL in a new variable; `endpoint` is the existing base URL.
const url = `${endpoint}&text=${encodeURIComponent(query)}`;
await fetch(url);

On the server:

decodeURIComponent(encodeURIComponent(query.text))

urlencode but ignore certain chars

Can you not just do:

$str = urlencode($str);
$str = str_replace("%23", "#", $str);
$str = str_replace("%25", "%", $str);

