Home/ Questions/Q 7066369
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T05:04:27+00:00

I’m really unsure if this is even possible but we have an issue where

  • 0

I’m really unsure if this is even possible but we have an issue where we control an interface that is having XML posted in to it via HTTP post in the form of www.url.com/script.php?xml=<xmlgoeshere>. That is then URL encoded and passed in to us, and we decode and parse it.

Except I have one client who just refuses to url encode their incoming code, which works fine except for when the XML hits an ampersand, at which point everything is being parsed as an end of the xml variable.

www.url.com/script.php?xml=<xmlstart...foo&bar.../>

The end result being that I have XML being POST/GET’d into the xml variable as normal, and then I lose half of the incoming content because of the ampersand.

Now I know that’s expected/proper behavior, my question is, is it possible to capture the &bar.../> segment of this code, so that if we hit a known error I can crowbar this into working anyways? I know this is non-ideal but I’m at my wit’s end dealing with the outside party.

UPDATE

Ok so I was totally confused. After grabbing the server variables as mentioned below, it looks like I’m not getting the querystring, but that’s because on the query they’re submitting it has:

 [CONTENT_TYPE] => application/x-www-form-urlencoded
 [QUERY_STRING] =>

That being the case, is the above behavior still to be expected? Is their a way to get the raw form input in this case? Thanks to the below posters for their help

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If the only parameter you use is xml=, and it’s always at the front, and there are no other parameters, you can do something like this pseudocode:

    if (count($_GET)>1 or is_not_well_formed_xml($_GET['xml'])) {
   $xml = substr($_SERVER['QUERY_STRING'], 4);
   if (is_not_well_formed_xml($xml)) {
       really_fail();
   }
}

    However, you should tell the client to fix their code, especially since it’s so easy for them to comply with the standard! You might still get trouble if the xml contains a ? or a #, since php or the web server may get confused about where the query string starts (messing up your $_SERVER['QUERY_STRING'], and either PHP, the client’s code or an intermediary proxy or web server may get confused about the #, because that usually is the beginning of a fragment.

    E.g., Something like this might be impossible to transmit reliably in a query parameter:

    <root><link href="http://example.org/?querystring#fragment"/></root>

    So tell them to fix their code. It’s almost certainly incredibly easy for them to do so!

    UPDATE

    There’s some confusion about whether this is a GET or POST. If they send a POST with x-www-form-urlencoded body, you can substitute file_get_contents('php://input') for $_SERVER['QUERY_STRING'] in the code above.

    • 0