I have a form field that I plonk a query string into.
This is cleaned in so far as it is urldecoded and then I throw in htmlentities so it doesn't create flawed HTML.
In other words:
<input type="text" name="example" value="<?php echo htmlentities(urldecode($_GET["example"])); ?>" />
urldecode converts plusses into spaces; however, someone may wish to use a genuine plus in their query.
Two questions:
urldecode which will not convert the genuine plus

The strings in the $_GET array are already urldecoded. You should not do it again.
On the other hand, if you really want to insert a plus into the query string, you should urlencode it first.
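As an added illustration (not code from the question or the answer), the following stand-alone PHP script reproduces the double-decoding problem with a constructed query string and shows the single-decode, escape-once version of the form field. It uses parse_str() to imitate how PHP itself populates $_GET, so it runs without a web request.

```php
<?php
// Added example: why decoding $_GET a second time destroys a genuine plus,
// and how the value should be escaped for the HTML attribute instead.

// Constructed raw query string as a browser would send it: the user typed
// "C++ 2024" into a form, so the plus signs became %2B and the space became +.
$rawQuery = 'example=C%2B%2B+2024';

// PHP performs exactly one URL decode when it builds $_GET. parse_str() does
// the same thing here, standing in for a real request.
parse_str($rawQuery, $get);
var_dump($get['example']);             // string(8) "C++ 2024"

// Decoding again, as in the question, turns the genuine plus signs into spaces.
var_dump(urldecode($get['example']));  // string(8) "C   2024"

// Correct output: no extra decode, escape once for the double-quoted attribute
// context. ENT_QUOTES also covers single quotes, UTF-8 avoids charset mismatches.
$safe = htmlentities($get['example'], ENT_QUOTES, 'UTF-8');
echo '<input type="text" name="example" value="' . $safe . '" />', "\n";

// Building a query string that carries a literal plus: urlencode() the value,
// so the plus survives the round trip as %2B and only the space becomes "+".
echo 'example=' . urlencode('C++ 2024'), "\n";  // example=C%2B%2B+2024
```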