Does PHP Automatically Decode $_GET Params?

Should You be Using urldecode on PHP $_GET params?

PHP automatically decodes $_GET params while parsing the query string (the same decoding urldecode() performs, including turning + into a space). Therefore, there is no need to call urldecode() explicitly on $_GET array elements. Doing so decodes the string twice, which can lead to unexpected and sometimes dangerous results, because any validation you did on the once-decoded value no longer describes the value your code actually uses. This is especially problematic when the query string component of the URL contains an encoded + (plus sign), because:

  • Decoding it once changes the encoded + (i.e. "%2B") into a literal + symbol, as expected; however,
  • Decoding it twice changes the literal plus symbol (i.e. "+") into a space character. This happens because the plus sign has a semantic meaning in the query string: it represents a space (just as & separates multiple key/value pairs).

To demonstrate this, suppose you have an "email" param sent via a GET request, and one of the email strings sent through contains an encoded + (plus sign), e.g. "foo%2Bbar%40email.com". Decoding it twice converts the plus sign into a space character (as mentioned above), rendering the email invalid, as you can see below:

// GET https://example.com?email=foo%2Bbar%40email.com

$email = urldecode($_GET['email']); // second decode: PHP already decoded it once
var_dump($email); // string(17) "foo bar@email.com"

Instead, to get the correct result, simply use $_GET['email'] without urldecode(), like so:

// GET https://example.com?email=foo%2Bbar%40email.com

$email = $_GET['email']; // already decoded exactly once by PHP
var_dump($email); // string(17) "foo+bar@email.com"
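To see the whole effect in one runnable script without a web server, here is an added example (not part of the original post). It uses parse_str(), which applies the same decoding PHP uses when it populates $_GET, on a constructed query string, then contrasts the once-decoded values with a second urldecode() pass and checks each version of the email with filter_var(). The query string and parameter names are made up for the demonstration.

```php
<?php
// Added example (not from the original post): parse_str() performs the same
// decoding PHP applies to the query string when filling $_GET, so it lets us
// reproduce the single-decode vs. double-decode difference from the CLI.
declare(strict_types=1);

// Constructed sample query string, as it would appear after "?" in the URL.
// "email" carries an encoded "+", "name" uses "+" as a space, and "note"
// carries the literal text "%2B" (sent as %252B so it survives one decode).
$query = 'email=foo%2Bbar%40email.com&name=Jane+Doe&note=a%252Bb';

// One decode pass: percent-escapes are resolved and "+" becomes a space.
parse_str($query, $params);

echo "Once-decoded (what \$_GET would hold):\n";
foreach ($params as $key => $value) {
    printf("  %-6s => %s\n", $key, $value);
}

// A second pass alters every value that still contains a "+" or "%xx".
echo "\nDecoded a second time with urldecode():\n";
foreach ($params as $key => $value) {
    printf("  %-6s => %s\n", $key, urldecode($value));
}

// Check: validate the exact value you are going to use. The once-decoded
// address keeps its "+" and validates; the twice-decoded one contains a
// space and is rejected.
$once  = $params['email'];
$twice = urldecode($once);

echo "\nValidation:\n";
printf("  once-decoded  valid: %s\n", filter_var($once,  FILTER_VALIDATE_EMAIL) !== false ? 'yes' : 'no');
printf("  twice-decoded valid: %s\n", filter_var($twice, FILTER_VALIDATE_EMAIL) !== false ? 'yes' : 'no');
```

Running it with `php double-decode.php` shows the email and note values changing under the second pass while the name does not, and the email validating only in its once-decoded form. The practical rule this illustrates: take the value from $_GET as-is, validate that value, and use that same value downstream, so the string you checked is the string you act on.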

Hope you found this post useful.