PHP doesn't properly URL-decode POST values, or is the bug somewhere else?
- by Vilx-
I have a PHP website that integrates with PayPal. As part of it's normal operation it sends a POST request to a user defined URL about every transaction (and some other events). It's called IPN for those who know.
All was/is working just fine, until we moved to a new hosting provider last week. This naturally resulted in downtime, changing DNS entries, PHP misconfigurations, etc. In short - PayPal was unable to send the notifications for a few days.
Now, this is not that bad, because there is an option just for that - you can log into PayPal, go to the appropriate menu item, and have it resend the failed notifications. Which we did, and it resulted in over 400 error emails. The problem is that normally the email of the receiver ($_POST['business']) is received by PHP as [email protected], but when resending it comes out as my%40business.com. And the request validation goes crazy.
Obviously either something somewhere is missing a call to urldecode() or something is doing one too many urlencode(). But who? Is this a bug in PHP? I've never had such a problem before, not with any POST data ever. Perhaps PayPal has a bug? Wouldn't be surprising, but then this should have been caught ages ago. Or perhaps I'm doing something wrong and I should really be calling the urldecode() myself?