Hi,
is there any reason why the data is urlencoded when submitted with POST?
tbl_change.php#222:
<form method="post" action="tbl_replace.php" name="insertForm" <?php if ($is_upload) { echo ' enctype="multipart/form-data"'; } ?>> <?php echo PMA_generate_common_hidden_inputs($db, $table); ?> <input type="hidden" name="goto" value="<?php echo urlencode($goto); ?>" /> <input type="hidden" name="pos" value="<?php echo isset($pos) ? $pos : 0; ?>" /> <input type="hidden" name="session_max_rows" value="<?php echo isset($session_max_rows) ? $session_max_rows : ''; ?>" /> <input type="hidden" name="disp_direction" value="<?php echo isset($disp_direction) ? $disp_direction : ''; ?>" /> <input type="hidden" name="repeat_cells" value="<?php echo isset($repeat_cells) ? $repeat_cells : ''; ?>" /> <input type="hidden" name="dontlimitchars" value="<?php echo (isset($dontlimitchars) ? $dontlimitchars : 0); ?>" /> <input type="hidden" name="err_url" value="<?php echo urlencode($err_url); ?>" /> <input type="hidden" name="sql_query" value="<?php echo isset($sql_query) ? urlencode($sql_query) : ''; ?>" />
this is very confusing, as GET submitted data gets automatically decoded but not POST submitted data - and forcing an urldecode on not encoded data could affect the sql query content
Sebastian Mendel schrieb:
Hi,
is there any reason why the data is urlencoded when submitted with POST?
[...]
data in forms is urlencoded by the client (browser) if submitted with GET and automatically encoded on server
so using urlencode results double encoded data
Sebastian Mendel a écrit :
Sebastian Mendel schrieb:
Hi,
is there any reason why the data is urlencoded when submitted with POST?
[...]
data in forms is urlencoded by the client (browser) if submitted with GET and automatically encoded on server
so using urlencode results double encoded data
Here is my newbie question. In the case you mention, we are using POST so is the data automatically encoded when using POST?
If yes, you are right, we should not encode it (and not decode it later in tbl_replace.php). For example, sql_query is decoded later.
Did you find some bug with this?
Marc
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Sebastian Mendel schrieb:
Hi,
is there any reason why the data is urlencoded when submitted with POST?
[...]
data in forms is urlencoded by the client (browser) if submitted with GET and automatically encoded on server
so using urlencode results double encoded data
Here is my newbie question. In the case you mention, we are using POST so is the data automatically encoded when using POST?
POST-data does not need encoding
encoding is only need in GET-Request param to differ between var and value by = and vars by & or ;, and filename and ? from the target URL/file/script
as with POST the GET REQUEST is only the target filename (script), so there is no need to encode the POSTed stuff
(except with htmlspecialchars() before printing out the form to the client ;-) )
however, the client (browser) is responsible for encoding the data in a form - whether submitted by GET or POST
and the server for decoding
i am not
only self crafted URLs need to be handled by the developer
If yes, you are right, we should not encode it (and not decode it later in tbl_replace.php). For example, sql_query is decoded later.
Did you find some bug with this?
not really a bug, if you not call it a bug to do things twice ...
but at least it makes overhead and complicates the source
Sebastian Mendel schrieb:
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Sebastian Mendel schrieb:
Hi,
is there any reason why the data is urlencoded when submitted with POST?
[...]
data in forms is urlencoded by the client (browser) if submitted with GET and automatically encoded on server
so using urlencode results double encoded data
Here is my newbie question. In the case you mention, we are using POST so is the data automatically encoded when using POST?
POST-data does not need encoding
thats why this function is called urlencode() and not formdecode() or something similar ... ;-)
Sebastian Mendel schrieb:
Sebastian Mendel schrieb:
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Sebastian Mendel schrieb:
Hi,
is there any reason why the data is urlencoded when submitted with POST?
[...]
data in forms is urlencoded by the client (browser) if submitted with GET and automatically encoded on server
so using urlencode results double encoded data
Here is my newbie question. In the case you mention, we are using POST so is the data automatically encoded when using POST?
POST-data does not need encoding
thats why this function is called urlencode() and not formdecode() or something similar ... ;-)
by the way: urldecode() should never be used on GET-params!
as GET-params are already decoded by the server
urldecode() is usefull if you handle the REQUEST-URI by hand - but not with $_GET/_REQUET or imported (register_globals) variables
from the comments on php.net/urldecode()
Matt Johnson 26-Dec-2004 01:49 A reminder: if you are considering using urldecode() on a $_GET variable, DON'T!
Evil PHP:
<?php # BAD CODE! DO NOT USE! $term = urldecode($_GET['sterm']); ?>
Good PHP:
<?php $term = $_GET['sterm']; ?>
The webserver will arrange for $_GET to have been urldecoded once already by the time it reaches you!
Using urldecode() on $_GET can lead to extreme badness, PARTICULARLY when you are assuming "magic quotes" on GET is protecting you against quoting.
Hint: script.php?sterm=%2527 [...]
PHP "receives" this as %27, which your urldecode() will convert to "'" (the singlequote). This may be CATASTROPHIC when injecting into SQL or some PHP functions relying on escaped quotes -- magic quotes rightly cannot detect this and will not protect you!
This "common error" is one of the underlying causes of the Santy.A worm which affects phpBB < 2.0.11.
Hi
On Fri, 08 Dec 2006 14:13:16 +0100 Sebastian Mendel lists@sebastianmendel.de wrote:
is there any reason why the data is urlencoded when submitted with POST?
IMHO no, I never understood this logic.
Michal Čihař schrieb:
Hi
On Fri, 08 Dec 2006 14:13:16 +0100 Sebastian Mendel lists@sebastianmendel.de wrote:
is there any reason why the data is urlencoded when submitted with POST?
IMHO no, I never understood this logic.
i will remove this ...
cannot find any use for tbl_replace_fields.inc.php other than in tbl_replace.php, right?
tbl_replace.php themselve is only used by tbl_change.php
and tbl_change.php uses only tbl_replace as form action target
so i will remove all unnecessary urlde/encode() in this files
-
Marc Delisle -
Michal Čihař -
Sebastian Mendel