7

I have a situation where the user is able to enter any characters they want in a URL query string.

Example:

http://localhost/default.aspx?ID=XXXX

http://localhost/default.aspx?ID=&XXXX

http://localhost/default.aspx?ID=#XXXX

The web page must accept the ID parameter as it is, no matter what the characters are. However, certain special characters such as ampersand (&) and pound (#) create problems. How can I accept them as is?

4 Answers

8

This:

encodeURIComponent(uri)

Where uri is the component after the ?ID=
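An added example (not part of the answer above) showing why a raw `&` or `#` never reaches the page as part of ID, and how `encodeURIComponent` preserves it. The helper names and sample IDs are constructed for illustration; it uses the standard URL API available in browsers and Node.js.

```javascript
// Added illustration; helper names and sample IDs are constructed.
const BASE = "http://localhost/default.aspx";

// Summarise how a URL is split into query parameters and fragment.
function describe(url) {
  return {
    // Path + query is all the browser sends; the fragment stays client-side.
    requestTarget: url.pathname + url.search,
    id: url.searchParams.get("ID"),
    extraKeys: [...url.searchParams.keys()].filter((k) => k !== "ID"),
    fragment: url.hash,
  };
}

// The ID typed or concatenated into the URL with no encoding.
function parseRaw(id) {
  return describe(new URL(BASE + "?ID=" + id));
}

// The ID percent-encoded before it is placed in the query string.
function parseEncoded(id) {
  return describe(new URL(BASE + "?ID=" + encodeURIComponent(id)));
}

for (const id of ["XXXX", "&XXXX", "#XXXX"]) {
  console.log(JSON.stringify(id));
  console.log("  raw:    ", parseRaw(id));
  console.log("  encoded:", parseEncoded(id));
}
```

In the raw `#XXXX` case the request target is just `/default.aspx?ID=`, so no server-side code can recover the value; it has to be encoded before the request is made.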


4

If the user is entering the query string, they must properly encode the query string first. If you are creating the query string yourself, such as from a form submission, you will need to use a URL encode method.

2 Comments

Is there no control that I can add on the web page side where I can interpret special characters such as ampersand(&) as just any ordinary character?
I think your only choice would be to iterate through all parameters, assuming that ID is the only one you expect. So if the user enters ?ID=123&456, then see what it gives you; the servlet API may only give you one parameter ID with the value 123. But it may give you a second parameter 456, in which case you can append them together. This is really a bad solution, though, as it may be out of order when you iterate through. The best thing would be to change your requirements, because the technology does not support it the way they want it to work.
1

Encode your URL: HttpServerUtility.UrlEncode Method (String)

Edit: following your comment, you want to get the query string value of ID

 String id = Request.QueryString["ID"];

2 Comments

In my case the user enters the URL in the address bar. What I need to do is get just the ID entered by the user. How can I do this without having any control over the URL but only the query string?
But in that case ID will be an empty string in a situation where ID=&XXXX, when what I really want is ID to equal "&XXXX".
0

Use

userinput = escape(userinput)

then, in PHP:

$userinput = urldecode($_GET['id']);

or in JS:

userinput = unescape(userinput)
