Title: [Plugin: BulletProof Security] BPS and URL Params Plugin
Last modified: August 20, 2016
---
# [Plugin: BulletProof Security] BPS and URL Params Plugin
* Resolved [ElementalMedia](https://wordpress.org/support/users/elementalmedia/)
* (@elementalmedia)
* [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-bps-and-url-params-plugin/)
* Hello
I am using a slightly modified version of the [URL Params plugin](http://wordpress.org/extend/plugins/url-params/)
It allows me to pass a value (dollar amount) from one form to another, located
on different page.
* Exactly in the same fashion as [this site](http://goo.gl/FjZ9A)
* If you select $200 on the homepage, $200 will be pre-populated on the next form,
different page.
* After installing BPS, these values are no longer being passed. This seems to
be the result of the BPS ‘locking down’ procedure that re-writes/modifies a few
files for greater security.
* Is there an exception line of code I can implement in the Custom Code area of
BPS that will restore this functionality?
* If so, could you please tell me what that code would be, and in which pane of
the Custom Code section I should place it in?
* Here is the modified URL Params code I am using:
* ```
/*
Plugin Name: URL Params
Plugin URI: http://asandia.com/wordpress-plugins/urlparams/
Description: Short Code to grab any URL Paramater
Version: 0.4
Author: Jeremy B. Shapiro
Author URI: http://www.asandia.com/
*/
/*
URL Params (WordPress Plugin)
Copyright (C) 2011 Jeremy Shapiro
Updated by Phil Jolly 2012
*/
//tell wordpress to register the shortcode
add_shortcode("urlparam", "urlparam");
function urlparam($atts) {
$atts = shortcode_atts(array(
'param' => '',
'default' => '',
'dateformat' => ''
), $atts);
$params = preg_split('/\,\s*/',$atts['param']);
foreach($params as $param)
{
$pieces = explode('.', $param);
$p1 = $pieces[0];
$p2 = $pieces[1];
if($_REQUEST[$p1][$p2]) {
return $_REQUEST[$p1][$p2];
}
else if($_REQUEST[$param])
{
if(($atts['dateformat'] != '') && strtotime($_REQUEST[$param]))
{
return date($atts['dateformat'], strtotime($_REQUEST[$param]));
} else {
return $_REQUEST[$param];
}
}
}
return $atts['default'];
}
```
* Thanks for your time and have a great day.
* [http://wordpress.org/extend/plugins/bulletproof-security/](http://wordpress.org/extend/plugins/bulletproof-security/)
Viewing 7 replies - 1 through 7 (of 7 total)
* Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
* (@aitpro)
* [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-bps-and-url-params-plugin/#post-3097542)
* > “After installing BPS, these values are no longer being passed.”
* I need to see an actual example and/or specific details of the problem.
What
are the actual values that you are trying to post and what does the query string
look like. You can post just the end portion of the query string and do not need
to post your entire URL if you do not want to.
* I am guessing that maybe square brackets are being used in the query string and
BPS will block square brackets in query strings.
* Thread Starter [ElementalMedia](https://wordpress.org/support/users/elementalmedia/)
* (@elementalmedia)
* [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-bps-and-url-params-plugin/#post-3097549)
* Thanks for the fast reply.
I am hoping you had a chance to look at the example
site I linked to.
* Here is the code I am using:
* ```
```
* I am trying to pass the ‘requested amount’ value, so I believe you are right
on target with the square brackets.
* Any exemption code I can use to get this working again, and where would I place
this code, please.
Thanks
* Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
* (@aitpro)
* [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-bps-and-url-params-plugin/#post-3097558)
* Yes i looked at the site url you posted. Is this the website that is having the
problem?
This query string has urlencoded square brackets – %5B and %5D and
would be blocked by BPS.
* ```
?form%5Brequested_amount%5D=200&submit.x=258&submit.y=49
```
* To not have this example query string blocked by BPS you would modify these security
filters. If the example site you had me look at is not your site and your query
strings have another problem then this fix will not work for your site. If your
query string is different for your actual site then i would need to see the query
string to tell you what needs to be done.
* ```
modify these security filters...
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
...to this
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
```
* Thread Starter [ElementalMedia](https://wordpress.org/support/users/elementalmedia/)
* (@elementalmedia)
* [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-bps-and-url-params-plugin/#post-3097575)
* No that is not the actual site. My client preferred I did not list it here in
the forum.
* I pasted the actual code we are using for the button that has the square brackets`