How do you configure Apache/PHP to accept slashes in query strings?

Question

I have two Apache servers running PHP. One accepts forward-slashes in the query string and passes it along to PHP in the expected way, for example:

http://server/index.php?url=http://foo.bar

works and in PHP this expression is true:

$_REQUEST['url'] == "http://foo.bar"

However, in the other Apache server, the same URL results in a 403 Forbidden error! Note that if the query string is properly URL-escaped (i.e. with %2F instead of forward-slash), then everything works.

Clearly there's some difference in the Apache or PHP configuration that causes this, but I can't figure out what!

I want to accept this form of URL in both cases, not reject it.

Answer 1

A few posts here suggest the OP's usage is wrong, which is false.

Expanding on Sam152's comment, query strings are allowed to contain both ? and / characters, see section 3.4 of http://www.ietf.org/rfc/rfc3986.txt, which is basically the spec written by Tim Berners-Lee and friends governing how the web should operate.

The problem is that poorly written (or poorly configured, or misused) parsers interpret query string slashes as separating path components.

I have seen examples of PHP's pathinfo function being used to parse URL's. Pathinfo wasn't written to parse a URL. You can however extract the path using parse_url then use fileinfo to retrieve details from the path. You will see that parse_url handles / and ? in query strings just fine.

In any case, the overall problem is that this area is poorly understood all-round, even among experienced developers, and most people (myself included until recently) just assume that anything after the filename has to be urlencoded, which is patently false if you take the standards into consideration.

tl;dr Read the spec :)