
I have two files. The first is a form (signup.php) that posts user-inserted fields (first name, last name, user name, email, etc.) into another file containing the error handlers (Signup.chk.php) using the POST method. In case of an error in the inputs, I wanted signup.chk.php to send back all the fields inserted by the user to the signup.php file using the GET method, to re-display the form with the errors and the user's inputs.

I'm expecting a URL that looks like the one below:

localhost/signup?signup=error&firstname=Joe&lastname=Doe&user=Jdoe1&email=Jdoe@abc.com

It works fine if the user didn't insert special characters as inputs.

If the user inserts `$` or `&` as part of the inputs, it will mess up the `_GET` function on the other page.

What is the best way to encode/decode the URL values to prevent XSS and also allow the signup.inc file to properly receive the URL values and display them correctly in the form fields again (even if they contain `<>$&%` etc.)?

mybrave

Instead of using query params, store the user input into a session variable and retrieve it back on your `signup.php`. Check out [this](https://www.w3schools.com/php/php_sessions.asp) simple tutorial about sessions on W3Schools. – ubuntux Apr 12 '20 at 11:25

1 Answer

To do what you want, you can use urlencode() and urldecode().

```php
<?php
// To form the URL: urlencode() percent-encodes & $ % < > etc. so they
// cannot be mistaken for query-string syntax.
$url = "localhost/signup?signup=error&firstname=" . urlencode($firstname);
// To get the value from the URL: PHP already percent-decodes the query string
// into $_GET, so calling urldecode() here would double-decode input such as "%2B" or "+".
$firstname = isset($_GET['firstname']) ? $_GET['firstname'] : "";
```

However, there is a security issue: a user may add some code to the URL to attack your website, so you need to do something to avoid it, e.g. restrict input length or avoid unnecessary specific characters.

Derek Lam

Thanks Derek for the urldecode/encode advice, that is really helpful. However, as I was going through the learning process of PHP, I realized that I don't need to post the user info for the registration form using GET. POST will better serve the purpose in my case. – Mohamed Thabet Apr 14 '20 at 14:49
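The full round trip described in the question and the answer, as an added example that is not code from the original answer: the error page builds the redirect URL with every value percent-encoded, the form page reads the values back from `$_GET` without decoding them a second time, and the values are escaped with `htmlspecialchars()` when written into the form fields, which is what stops XSS. The function names `build_error_redirect`, `get_field` and `render_input`, the path `/signup.php` and the sample input are assumptions for the example; `parse_str()` is used only to simulate what PHP would place in `$_GET` on the next request.

```php
<?php
// Added example, not the original answer's code.
// signup.chk.php side: build the redirect URL. http_build_query() percent-encodes
// every key and value, so '&', '$', '%', '<' and '>' typed by the user cannot be
// read as query-string syntax by the receiving page.
function build_error_redirect(array $fields): string
{
    $params = ['signup' => 'error'];
    foreach (['firstname', 'lastname', 'user', 'email'] as $name) {
        $params[$name] = $fields[$name] ?? '';
    }
    // PHP_QUERY_RFC3986 encodes spaces as %20 rather than '+'.
    return '/signup.php?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// signup.php side: read one value back. PHP has already percent-decoded the
// query string into $_GET, so no urldecode() is needed; calling it would
// double-decode. The length cap implements the answer's "restrict input length".
function get_field(array $query, string $name, int $maxLen = 100): string
{
    $value = $query[$name] ?? '';
    if (!is_string($value)) {   // a foo[]=x parameter arrives as an array; reject it
        return '';
    }
    return mb_substr($value, 0, $maxLen);
}

// Render the value into an HTML attribute. htmlspecialchars() turns <, >, &, "
// and ' into entities, so the browser displays them literally instead of
// treating them as markup (the XSS concern in the question).
function render_input(string $name, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<input type="text" name="%s" value="%s">', $name, $safe);
}

// Constructed sample input containing the characters the question worries about.
$submitted = [
    'firstname' => 'Jo&e',
    'lastname'  => 'D$oe <b>',
    'user'      => 'Jdoe1',
    'email'     => 'Jdoe@abc.com',
];

$redirect = build_error_redirect($submitted);
echo $redirect, PHP_EOL;

// Simulate what PHP would place in $_GET when the browser follows the redirect.
parse_str(parse_url($redirect, PHP_URL_QUERY), $simulatedGet);

foreach (['firstname', 'lastname', 'user', 'email'] as $name) {
    echo render_input($name, get_field($simulatedGet, $name)), PHP_EOL;
}
```

Two things to note: `http_build_query()` encodes every value the same way `urlencode()`/`rawurlencode()` do, but also builds the `key=value&key=value` structure for you, so no value can inject an extra parameter; and escaping happens at output time with `htmlspecialchars()`, not at the URL stage, because URL encoding and HTML encoding protect against different parsers. Sessions (as suggested in the comment) or a plain POST (as the asker settled on) avoid the URL round trip entirely, but the output escaping is still required whichever transport carries the values back into the form.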