Your code looks OK, but here are a few thoughts on what could go wrong:
First: try the following code:
<?php
var_dump($_GET['thedate']); // check what it is?
date_default_timezone_set('Europe/Warsaw'); // set default timezone to your zone / user zone
echo date('d-m-Y',strtotime('2015-06-30')); // check that date is working with plain text
?>
First, remember to always use date_default_timezone_set('Europe/Warsaw'). It can be really important for your application. Second, enter the date as plain text. If this works, it means that the date function is working OK, and there is something wrong with your GET variable or with the manipulation of the variable after GET.
Second: NEVER, EVER DON'T VALIDATE _GET VARIABLES. Sorry for the double negation, but maybe because of that it will be more memorable ;).
Always parse the data that user enters in the URL. Always parse:
- _GET data
- _POST data
- _REQUEST data
- _SERVER data (yes, some of them can be manipulated)
- all other vulnerable data...
So, summing up: your code (the one you entered) is OK; check the GET variable and how it is manipulated after GET. And always check all data that is not trusted.
More on validating data:
Regarding the solution from one of the comments that uses urldecode on the _GET variable:
<?php echo date('d-m-Y',strtotime(urldecode($_GET["thedate"])));?>
"Warning! The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results."
Source: http://php.net/manual/en/function.urldecode.php
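
One way to validate the `thedate` parameter before it reaches `date()`, shown as an added example that is not part of the original answer. The function name `format_thedate` and the accepted input format (YYYY-MM-DD, as in the plain-text test above) are assumptions.

```php
<?php
declare(strict_types=1);

date_default_timezone_set('Europe/Warsaw');

/**
 * Hypothetical helper: returns the date as d-m-Y,
 * or null when $raw is not a real calendar date in Y-m-d form.
 */
function format_thedate($raw): ?string
{
    // ?thedate[]=x turns $_GET['thedate'] into an array, so accept strings only.
    if (!is_string($raw)) {
        return null;
    }
    // Shape check: exactly YYYY-MM-DD. \A and \z anchor the whole string,
    // so a trailing newline or extra characters are rejected.
    if (preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $raw) !== 1) {
        return null;
    }
    // '!' resets fields that are not in the format (time becomes 00:00:00).
    $date = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // The parser silently rolls 2015-02-30 over to 2015-03-02;
    // the round-trip comparison rejects such impossible dates.
    if ($date === false || $date->format('Y-m-d') !== $raw) {
        return null;
    }
    return $date->format('d-m-Y');
}

// Constructed sample inputs; in a real page this would be
// format_thedate($_GET['thedate'] ?? null), with no urldecode() call,
// because $_GET is already decoded.
$samples = ['2015-06-30', '2015-02-30', "2015-06-30\n", ['x'], '<script>'];
foreach ($samples as $sample) {
    $out = format_thedate($sample);
    echo json_encode($sample), ' => ', $out ?? 'rejected', PHP_EOL;
}
```

Because the function returns either a string built only from digits and hyphens or null, its result can be echoed into the page without carrying any user-supplied markup.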