0

I have a script:

    <?php
    $to = $_GET["to"];

    header("Location: $to");
    ?>

If I call the script like this:

    out.php?to=http://site.ru/page.php?param1=1&param2=2

the $to param contains only http://site.ru/page.php?param1=1&

How do I fix this? I want $to = http://site.ru/page.php?param1=1&param2=2

7 Answers

2

You can escape the URL at the site calling out.php:

    <a href="out.php?to=<?PHP echo htmlspecialchars(urlencode($to)); ?>">Go to $to</a>

1

& is a reserved character in an URI. When you access this URL, &param2=2 is interpreted as belonging to the current URL and not to the value of to.
If you want to transmit it literally, you have to encode it with %26:

    http://site.ru/page.php?param1=1%26param2=2

Most programming languages provide a function to do so. (e.g. JavaScript, PHP). The best thing is to encode the whole URL.

0

$to must be urlencoded, but note that you are giving a redirect script to anyone, so any phisher can use it.
So, it would be better to store URLs in the database and pass only an identifier.

0

Try encoding the to URL in base64 and then, in the example that you have shown, decode it before you pass it to the header :)

0

urlencode it:

    urlencode($to)

0

I ran into the same problem before, this is what I did:

    $arr=explode('?to=',$_SERVER['REQUEST_URI'],2);
    $new_to=$arr[1];

Now you can use the $new_to variable. Of course, if you're using this for a production environment, I would recommend encoding the URL as the other answers advised. I was using it for testing a curl script. Getting the variable this way has lots of flaws, so be careful.

-1

You can use a function called "html_entity_decode"

Click Here for more information about this function

or use the md5 function to encrypt the URL and then decrypt it when you put it into a variable.

I hope this can help you

1 Comment

md5 is a hash function. You normally cannot retrieve the original value from a hash (but md5 is broken anyway ;)) Also the method you linked to is to encode special characters in HTML to HTML entities. This is very different from encoding characters in an URL.
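
The encoding fix and the "pass only an identifier" suggestion from the answers above, combined in one added example that is not part of the original thread. The names `REDIRECTS`, `build_out_link()` and `resolve_target()` and the id `page` are assumptions, and the array stands in for the database table.

```php
<?php
// Added example, not code from the thread. REDIRECTS, build_out_link(),
// resolve_target() and the id "page" are hypothetical names.

// Server-side map of identifiers to destinations; stands in for a DB table.
const REDIRECTS = [
    'page' => 'http://site.ru/page.php?param1=1&param2=2',
];

// Calling page: percent-encode the query value, then HTML-escape the
// finished URL for use inside the href attribute.
function build_out_link(string $id): string
{
    $href = 'out.php?' . http_build_query(['id' => $id]);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '">Go</a>';
}

// out.php: only identifiers present in the map resolve to a destination.
function resolve_target(array $query): ?string
{
    $id = $query['id'] ?? null;
    return is_string($id) ? (REDIRECTS[$id] ?? null) : null;
}

if (PHP_SAPI === 'cli') {
    // Demonstration on constructed input: an unencoded "&" ends the "to"
    // value, while urlencode() turns it into %26 so the value survives.
    $url = REDIRECTS['page'];
    parse_str('to=' . $url, $raw);
    parse_str('to=' . urlencode($url), $encoded);
    echo $raw['to'], "\n";
    echo $encoded['to'], "\n";
    echo build_out_link('page'), "\n";
    // A full URL passed as the id is not in the map, so nothing resolves.
    var_dump(resolve_target(['id' => 'http://example.invalid/']));
    exit;
}

// Web request: redirect for a known id, 404 for anything else.
$target = resolve_target($_GET);
if ($target === null) {
    http_response_code(404);
    exit('Unknown link');
}
header('Location: ' . $target);
```

Run from the command line it prints the truncated and the intact `to` values; served as `out.php` it redirects only for ids present in the map.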
