Sebastian Mendel wrote:
Sebastian Mendel wrote:
Marc Delisle wrote:
Sebastian Mendel wrote:
Sebastian Mendel wrote:
Hi,
is there any reason why the data is urlencoded when submitted with POST?
[...]
data in forms is urlencoded by the client (browser) if submitted with GET and automatically encoded on server
so using urlencode results in double-encoded data
Here is my newbie question. In the case you mention, we are using POST so is the data automatically encoded when using POST?
POST-data does not need encoding
that's why this function is called urlencode() and not formdecode() or something similar ... ;-)
by the way: urldecode() should never be used on GET-params!
as GET-params are already decoded by the server
urldecode() is useful if you handle the REQUEST-URI by hand - but not with $_GET/$_REQUEST or imported (register_globals) variables
from the comments on php.net/urldecode()
Matt Johnson 26-Dec-2004 01:49
A reminder: if you are considering using urldecode() on a $_GET variable, DON'T!
Evil PHP:
<?php
# BAD CODE! DO NOT USE!
$term = urldecode($_GET['sterm']);
?>
Good PHP:
<?php $term = $_GET['sterm']; ?>
The webserver will arrange for $_GET to have been urldecoded once already by the time it reaches you!
Using urldecode() on $_GET can lead to extreme badness, PARTICULARLY when you are assuming "magic quotes" on GET is protecting you against quoting.
Hint: script.php?sterm=%2527 [...]
PHP "receives" this as %27, which your urldecode() will convert to "'" (the singlequote). This may be CATASTROPHIC when injecting into SQL or some PHP functions relying on escaped quotes -- magic quotes rightly cannot detect this and will not protect you!
This "common error" is one of the underlying causes of the Santy.A worm which affects phpBB < 2.0.11.
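
Added illustration, not part of the thread or of the php.net comment: the %2527 case traced through both code paths. parse_str() stands in for the decoding PHP performs when it fills $_GET, addslashes() stands in for magic quotes, and server_side_get() and looks_double_encoded() are hypothetical helper names.

```php
<?php
// Constructed sample input: the query string from the hint in the comment above.
const SAMPLE_QUERY = 'sterm=%2527';

// Simulates what the script receives: one URL-decoding pass (as done for $_GET),
// followed by the escaping that magic_quotes_gpc applied to each value.
function server_side_get(string $queryString): array
{
    parse_str($queryString, $params);
    return array_map('addslashes', $params);
}

// Heuristic for logging or rejecting input: a value that still contains a
// percent-escape after the server's own decoding pass was encoded twice
// (or is a literal such as "%41" typed by the user, so treat hits as a
// signal to review, not as proof).
function looks_double_encoded(string $value): bool
{
    return preg_match('/%[0-9A-Fa-f]{2}/', $value) === 1;
}

$get = server_side_get(SAMPLE_QUERY);

// Good path: use the value as delivered. It holds a percent sign and two
// digits, so there was nothing for the quote escaping to miss.
$good = $get['sterm'];

// Bad path: a second decoding pass runs after escaping has already happened,
// so the quote character it produces arrives unescaped.
$bad = urldecode($get['sterm']);

var_dump($good);
var_dump($bad);

// True when the value contains characters that escaping would have changed,
// i.e. the second decode introduced something the earlier escaping never saw.
var_dump(addslashes($bad) !== $bad);

// The delivered value is flagged, which is where a defender can log or refuse it.
var_dump(looks_double_encoded($good));
```

Run it with the PHP CLI; the first two dumps show the value before and after the extra urldecode() call.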