Does PHP Automatically Decode $_GET Params?

PHP automatically passes $_GET params through urldecode(). Therefore, there is no need to explicitly use urldecode() on $_GET array elements. Doing so would end up decoding the string twice which could lead to unexpected, and sometimes dangerous results. This can especially be problematic, for example, when the query string component of the URL may contain an encoded + (plus sign), because:

  • Decoding it once would change the encoded + (i.e. "%2B") into a literal + symbol as expected, however;
  • Decoding it twice would change the literal plus symbol (i.e. "+") into a space character. This happens because the plus sign has a semantic meaning in the query string; it is used to represent a space (just like how & is used for separating multiple key/value pairs).

To demonstrate this, let's suppose you have an "email" param sent via a GET request, and one of the email strings sent through has an encoded + (plus sign) in it, e.g. "foo%2Bbar%40email.com". Decoding it twice would convert the plus sign into a space character (as mentioned above), rendering the email invalid as you can see below:

// GET https://example.com?email=foo%2Bbar%40email.com

$email = urldecode($_GET['email']);
var_dump($email); // 'foo [email protected]'

Instead, to get the correct result, you should just use $_GET['email'] without urldecode() like so:

// GET https://example.com?email=foo%2Bbar%40email.com

$email = $_GET['email'];
var_dump($email); // '[email protected]'

This post was published (and was last revised ) by Daniyal Hamid. Daniyal currently works as the Head of Engineering in Germany and has 20+ years of experience in software engineering, design and marketing. Please show your love and support by sharing this post.