Login/Register
is a query string with a / in it valid?
Asked Answered
Solved httpuriquery-stringuriencoding
P

3

9

Due to a miscommunication with an affiliate partner we're working with the URL they call on our server has been mixed up.

This is the URL they are supposed to call on our server :

 /AAAAAAAA/?b=CCCCCCC

unfotunately it was implemented in their system as this

 ?b=CCCCCCC/AAAAAAA

I can easily parse out the components, but I'm worried that a query string parameter with / in it is not actually a valid URL.

Is a / in a URL actually valid - or should I be concerned. Under what circumstances may an unencoded / cause problems in a query string.

Panocha answered 2/2, 2010 at 23:49 Comment(1)
i love how the / got parsed out of the URL for this question :-)Panocha
M
2

Although I've never had a problem, they're not technically allowed as per RFC 2396:

Within a query component, the characters ";", "/", "?", ":", "@", "&", "=", "+", ",", and "$" are reserved.

But as I said...I've never run into any issues. I think it's a problem with older browsers more than anything, but maybe someone can shed some more light on a problem this causes?

Menorah answered 3/2, 2010 at 0:4 Comment(4)
i kinda figured that technically it wasn't allowed (for obvious reasons) but I'd have thought it would pretty much be ok. with that said i'm wondering if some funky thins might occur with proxies, older browsers, security tools etc.Panocha
@Simon - I have yet to find any ill-effects, but my uses of them are usually very specific, e.g. Login?ru=Route/SubRoute/Category/45.Menorah
ok so hopefully we're fine for a week. thanks - and amazed someone that is actually using '/' managed to find my question so quickly!Panocha
link provided is dead,Allegorize
P
12

According to RFC 3986: Uniform Resource Identifier (URI): Generic Syntax (from year 2005), yes, / is allowed in the query component. This is the BNF for the query string: (in Appendix A in RFC 3986)

query         = *( pchar / "/" / "?" )
pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

The spec says:

  • The characters slash ("/") and question mark ("?") may represent data within the query component.
  • as query components are often used to carry identifying information in the form of "key=value" pairs and one frequently used value is a reference to another URI, it is sometimes better for usability to avoid percent-encoding those characters

Here is a related question: Query string: Can a query string contain a URL that also contains query strings?

Pigeonhearted answered 17/4, 2011 at 2:35 Comment(1)
This should be the correct answer, because RFC 3986 is the replacement for 2396.Selfimportant
M
2

Although I've never had a problem, they're not technically allowed as per RFC 2396:

Within a query component, the characters ";", "/", "?", ":", "@", "&", "=", "+", ",", and "$" are reserved.

But as I said...I've never run into any issues. I think it's a problem with older browsers more than anything, but maybe someone can shed some more light on a problem this causes?

Menorah answered 3/2, 2010 at 0:4 Comment(4)
i kinda figured that technically it wasn't allowed (for obvious reasons) but I'd have thought it would pretty much be ok. with that said i'm wondering if some funky thins might occur with proxies, older browsers, security tools etc.Panocha
@Simon - I have yet to find any ill-effects, but my uses of them are usually very specific, e.g. Login?ru=Route/SubRoute/Category/45.Menorah
ok so hopefully we're fine for a week. thanks - and amazed someone that is actually using '/' managed to find my question so quickly!Panocha
link provided is dead,Allegorize
B
1

Slash is a "reserved character" in the query part of a URL per RFC 2396 section 3.4, so according to section 2.2 it has to be encoded. That is, a query part can contain %2F but shouldn't contain /.

Bijugate answered 3/2, 2010 at 0:7 Comment(3)
but in practice is anything actually going to break? i want to get the URL format fixed but that will take a week for their next buildPanocha
@Simon If anyone knows the answer to that question it's you.Bijugate
well it doesn't break for me in chrome or IE8, but maybe it does break for someone using Mosaic 1.0 ? i dunno ;-)Panocha

© 2022 - 2024 — McMap. All rights reserved.