Proper way to extract URL parameters from an htmlentities()-encoded URL?

I have this php file resizeImage.php which can be called like this -

http://<domain>/fam/resizeImage.php?&srcImg=<url encoded URL of a remote image>&width=<width>&height=<height>

However, a different module calls the htmlentities encoded version of this URL, in this way -

htmlentities(http://<domain>/fam/resizeImage.php?srcImg=<url encoded url>&width=<width>&height=<height>)

So, following is a sample URL that is called -

http://<domain>/fam/resizeImage.php?srcImg=https%3A%2F%2Flh3.googleusercontent.com%2FVRY0O_3L8VH2wxJSTiKPr72PeM5uhPPFEsHzzYdxenddpTI150M0TYpljnZisQaROR0%3Dh256-rw&amp;width=640&amp;height=960

Now, the request is received by resizeImage.php, but I am unable to get the parameter width using $_REQUEST['width'], but I can do the following -

  • get htmlentities_decode($_SERVER['REQUEST_URI'])
  • explode it using & to get the parameter-value pairs.
  • explode using = to get values against parameters.

So, two things -

  • I was wondering if this is the proper way to extract the parameters in this scenario.
  • I do not know the reason why the calling module calls the htmlentities encoded URL. Could there be a better way to suggest them?

In some cases, when people send HTML code in GET parameters, htmlentities on single parameters might be OK when it comes to the label, but not for the link itself - they should use urlencode for that:

<a href="http://yourdomain.tld/?param1=<?php echo urlencode('<somehtmltag>'); ?>">http://yourdomain.tld/?param1=<?php echo htmlentities('<somehtmltag>'); ?></a>

You can use PHP's internal functions to parse and decode URLs:

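So here's some example code that I came up with (you can try it out here):

$url = $_SERVER['REQUEST_URI']; // the request as received, with &amp; separators
$parsed = parse_url($url);
// html_entity_decode() restores the & separators; parse_str() URL-decodes the values itself
parse_str(html_entity_decode($parsed['query'], ENT_HTML401), $tmp);

var_dump($tmp);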

...which renders your URL parameters into an associative array:

array(3) {
  ["srcImg"]=>
  string(109) "https://lh3.googleusercontent.com/VRY0O_3L8VH2wxJSTiKPr72PeM5uhPPFEsHzzYdxenddpTI150M0TYpljnZisQaROR0=h256-rw"
  ["width"]=>
  string(3) "640"
  ["height"]=>
  string(3) "960"
}

As for the second part, I think the second module's approach is a little bit safer, since you're placing a URL in a URL's parameter. If you don't want to hassle with parsing and stripping unnecessary parts from the parameter, then encoding the whole is a simple and safe way to keep your URLs out of syntax errors.
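An added example (not from the original answers) of the decode order for this case: html_entity_decode() once, then parse_str(), which URL-decodes each value on its own. The optional extra urldecode() shows how a nested image URL that carries its own query string gets split apart. The function names, the img.example URL and the 1..4096 size bound are assumptions made for the illustration.

```php
<?php
// Added example: all URLs and values below are constructed for illustration.

/** Parse a query string whose "&" separators arrived as "&amp;". */
function parseEntityEncodedQuery(string $query, bool $extraUrldecode = false): array
{
    // Step 1: undo the HTML-entity layer, restoring "&" between parameters.
    $query = html_entity_decode($query, ENT_QUOTES | ENT_HTML401);
    // Optional: reproduce the double-decoding pitfall for comparison.
    if ($extraUrldecode) {
        $query = urldecode($query);
    }
    // Step 2: parse_str() splits on "&" and URL-decodes every name and value.
    parse_str($query, $params);
    return $params;
}

/** Return the parameter as an int within [$min, $max], or null if it is not one. */
function boundedInt(array $params, string $key, int $min, int $max): ?int
{
    $value = filter_var($params[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? null : $value;
}

// Constructed remote image URL that has a query string of its own.
$remote = 'https://img.example/pic.png?v=2&crop=1';
// What the calling module sends: url-encoded value, then htmlentities() over the whole query.
$query = htmlentities('srcImg=' . urlencode($remote) . '&width=640&height=960');

$once  = parseEntityEncodedQuery($query);        // entity-decode, then parse_str()
$twice = parseEntityEncodedQuery($query, true);  // with the extra urldecode()

// Single decode: srcImg comes back identical to the original remote URL.
var_dump($once['srcImg'] === $remote);
// Double decode: the nested "&crop=1" becomes a top-level parameter and srcImg is cut short.
var_dump($twice['srcImg'], array_keys($twice));

// Treat the sizes as untrusted input: integers only, inside an assumed 1..4096 range.
var_dump(boundedInt($once, 'width', 1, 4096), boundedInt($once, 'height', 1, 4096));
```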