Help Escaping URL Encoded Character (%2F)

[127.0.0.1]

[tt]Apache/1.3.31
PHP Version 4.4.2[/tt]

This URL encoded character [tt][b]%2F[/b][/tt] keeps breaking my script!

I'm writing a script that shows "clean urls." It allows urls such as mysite.com/index.php/article/483498 to be passed to my script.

This is the basic logic of the script:

[code]
if(getenv('PATH_INFO')) // Check if any modules were requested
{
$clean_url = explode('/',$_SERVER['PATH_INFO']);
array_shift($clean_url);
}

$modules = array( // Define array of valid modules IDs
'frontpage',
'article',
);

$module_id = empty($clean_url[0]) ? '' : $clean_url[0]; // Requested module ID
$page_id = empty($clean_url[1]) ? '' : $clean_url[1]; // Requested page ID

if(empty($module_id)) // Default module
$module_id = "frontpage";

if (in_array($module_id,$modules)) // Does the requested module exist?
echo 'Module ' . $module_id . ' found!<br />Page: ' . $page_id;
else
echo 'Module not found.';
[/code]

It works fine and dandy until I put [tt][b]%2F[/b][/tt] into the URL. Which prompts me with an Apache 404 error. I've tried using urldecode and rawurldecode with [tt]$_SERVER['PATH_INFO'][/tt] but it did not work. What should I do to sanitize the incoming variables to prevent my script from breaking when [tt]%2F[/tt] is passed to it?

[linuxdream]

I tried the exact string and urldecode() turned it into a "/"...Not sure whats wrong... Where are you using path information in a URL string...I'm not seeing it in the code. I only see you outputting the results.

[Jessica]

You tried this:
$clean_url = explode('/',urldecode($_SERVER['PATH_INFO']));
?

[127.0.0.1]

I'm using the same script that was used in [url=http://www.phpfreaks.com/tutorials/149/1.php]clean url phpfreaks tutorial[/url]. I just modified it a bit to escape uninitialized variable errors.

[quote author=linuxdream link=topic=124232.msg514468#msg514468 date=1169856602]
I tried the exact string and urldecode() turned it into a "/"...Not sure whats wrong... Where are you using path information in a URL string...I'm not seeing it in the code. I only see you outputting the results.
[/quote]

That's the thing. The character will get properly decoded if it is passed directly to the decoder or even passed conventionally through a url such as [tt]script.php?variable=%2F[/tt]. However, it breaks when trying to send it the clean url way.

The path information is passed at the beginning of the code [tt]$clean_url = explode('/',$_SERVER['PATH_INFO']);[/tt],

[quote author=jesirose link=topic=124232.msg514474#msg514474 date=1169857181]
You tried this:
$clean_url = explode('/',urldecode($_SERVER['PATH_INFO']));
?
[/quote]

Yes, I tried that.

I'm beginning to think it's not a problem with PHP at all. It's an Apache problem, because the script does not even get a chance to execute. When [tt]%2F[/tt] is thrown into this URL [tt]/index.php/article/911%2F[/tt] Apache says this...

[quote]

Not Found
The requested URL /index.php/article/911/ was not found on this server.

Apache/1.3.31 Server at localhost Port 80

[/quote]

:-\

[Jessica]

I wonder if there is something you can work with in your mod_rewrite.

[127.0.0.1]

I'm not very well versed with mod rewrite. Search hits on Goggle are telling me there's a bug with Apache regarding this and other stuff that isn't quite related. I'm not really sure.

[Jessica]

How are you directing it to this file in the first place?

[127.0.0.1]

There is no file redirection. It does not need the mod rewrite engine enabled to function as long as the filename that is executing the script is in the URL.
[tt]Example: www.website.com/[b]index.php[/b]/article/555[/tt]

But, I do plan on using mod rewite so I can omit the name of the script altogether and add an html extension just for aesthetics.
[tt]Example: www.website.com/article/555.html[/tt]

For that I have the following in [tt].htaccess[/tt]

[code]
Options +FollowSymLinks
RewriteEngine on

#Clean URLs
RewriteRule ^(.*).html /index.php/$1
[/code]

It works so far, but I'm no guru so I'm sure there is a better way.

[Jessica]

I'd do this:
RewriteRule ^article/([A-Za-z0-9_/]+)$ /index.php?id=$1 [NC]
This way it will catch those %2f (I think)

[127.0.0.1]

Nope. It still manages to break it. Apache generates a 404. :-\

Something peculiar I noticed to. Maybe it will offer some insight. When %2F is in the URL the 404 code that is generated over rides the settings in the [tt].htaccess[/tt], which it does not do on other 404 errors. For example I have declared [tt]ServerSignature Off[/tt]. But the server signature gets displayed.

[Jessica]

There's really no reason for that code to be passed in the url.../ is a valid url character.

[127.0.0.1]

True enough, at least for my usage.

I was just trying to exploit my own scripts through the URL to see if they were "bulletproof," and found %2F kept causing that 404. It's an annoyance to me because it causes Apache to bypass the custom ErrorDocument. I guess I do not have something configured correctly.

Thanks for your time though. It is appreciated.