URL parameters as array getting stripped
The following .htaccess rule
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
strips out URL parameters from the following URL:
http://www.mysite.com/index.php?use%5B%5D=C&use%5B%5D=S
Where use is passed as an array (i.e. a series of check-boxes, etc…).
However, it only does this on certain PHP installations, while other installations work fine.
In order to get it working, I just change the rule to:
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
But I’m not sure of what security implications this circumvents. I would rather change the PHP rule, or the .htaccess rule slightly to avoid this parameter passing issue.
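To compare what the two versions of the condition in the post accept and reject, this added example (not part of the original post) runs both patterns in Python over constructed query strings, once as raw text and once percent-decoded. The helper names, the sample strings and the narrower check `blocked_narrow` (which ignores only an empty `[]` pair directly after a parameter name) are assumptions, and the typographic quote in the rule is written as `"`.

```python
import re
from urllib.parse import unquote

FLAGS = re.IGNORECASE  # stands in for the [NC] flag

# Patterns copied from the two RewriteCond lines in the post.
ORIGINAL = re.compile(r'^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).*', FLAGS)
RELAXED = re.compile(r'^.*(\(|\)|<|>|ê|"|;|\?|\*|=$).*', FLAGS)

# Hypothetical narrower check: an empty [] pair between a name and "=".
EMPTY_PAIR = re.compile(r'(?<=\w)\[\](?==)')


def blocked(rule, query, decoded=False):
    """True if the condition would match this query string.

    decoded=True models a setup where the pattern sees the
    percent-decoded string (an assumption, passed in as input)."""
    subject = unquote(query) if decoded else query
    return rule.search(subject) is not None


def blocked_narrow(query, decoded=False):
    """Original rule, but empty name[]= pairs are ignored first."""
    subject = unquote(query) if decoded else query
    return ORIGINAL.search(EMPTY_PAIR.sub("", subject)) is not None


# Constructed sample query strings.
SAMPLES = [
    "use%5B%5D=C&use%5B%5D=S",  # the query string from the post
    "use[]=C&use[]=S",          # same parameters, literal brackets
    "opt[a][b]=1",              # nested keys, not an empty pair
    "name=(x)",                 # parentheses, covered by both rules
]


def report(decoded=False):
    """(query, original, relaxed, narrow) for every sample."""
    return [(q, blocked(ORIGINAL, q, decoded), blocked(RELAXED, q, decoded),
             blocked_narrow(q, decoded)) for q in SAMPLES]


if __name__ == "__main__":
    for decoded in (False, True):
        print("decoded" if decoded else "raw")
        for row in report(decoded):
            print("  %-26s original=%s relaxed=%s narrow=%s" % row)
```

The output shows that the relaxed rule stops matching every bracket, including nested keys, while the narrower check lets through only the checkbox-style `use[]=` form.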