8 Dec
2006
8 Dec
'06
11:13 a.m.
Hi,
is there any reason why the data is urlencoded when submitted with POST?
tbl_change.php#222:
<form method="post" action="tbl_replace.php"
name="insertForm" <?php if
($is_upload) { echo ' enctype="multipart/form-data"'; } ?>>
<?php echo PMA_generate_common_hidden_inputs($db, $table); ?>
<input type="hidden" name="goto" value="<?php echo
urlencode($goto);
?>" />
<input type="hidden" name="pos" value="<?php echo
isset($pos) ? $pos
: 0; ?>" />
<input type="hidden" name="session_max_rows"
value="<?php echo
isset($session_max_rows) ? $session_max_rows : ''; ?>" />
<input type="hidden" name="disp_direction" value="<?php
echo
isset($disp_direction) ? $disp_direction : ''; ?>" />
<input type="hidden" name="repeat_cells" value="<?php
echo
isset($repeat_cells) ? $repeat_cells : ''; ?>" />
<input type="hidden" name="dontlimitchars" value="<?php
echo
(isset($dontlimitchars) ? $dontlimitchars : 0); ?>" />
<input type="hidden" name="err_url" value="<?php echo
urlencode($err_url); ?>" />
<input type="hidden" name="sql_query" value="<?php
echo
isset($sql_query) ? urlencode($sql_query) : ''; ?>" />
this is very confusing, as GET submitted data gets automatically decoded
but not POST submitted data - and forcing an urldecode on not encoded
data could affect the sql query content
--
Sebastian Mendel
www.sebastianmendel.de
8 Dec
8 Dec
11:42 a.m.
Sebastian Mendel schrieb:
Hi,
is there any reason why the data is urlencoded when submitted with POST?
[...]
data in forms is urlencoded by the client (browser) if submitted with
GET and automatically encoded on server
so using urlencode results double encoded data
--
Sebastian Mendel
www.sebastianmendel.de
12:28 p.m.
Sebastian Mendel a écrit :
Sebastian Mendel schrieb:
Here is my newbie question. In the case you mention, we are using POST
so is the data automatically encoded when using POST?
If yes, you are right, we should not encode it (and not decode it later
in tbl_replace.php). For example, sql_query is decoded later.
Did you find some bug with this?
Marc
Hi,
is there any reason why the data is urlencoded when submitted with POST?
[...]
data in forms is urlencoded by the client (browser) if submitted with
GET and automatically encoded on server
so using urlencode results double encoded data
12:44 p.m.
Marc Delisle schrieb:
Sebastian Mendel a écrit :
POST-data does not need encoding
encoding is only need in GET-Request param to differ between var and
value by = and vars by & or ;, and filename and ? from the target
URL/file/script
as with POST the GET REQUEST is only the target filename (script), so
there is no need to encode the POSTed stuff
(except with htmlspecialchars() before printing out the form to the
client ;-) )
however, the client (browser) is responsible for encoding the data in a
form - whether submitted by GET or POST
and the server for decoding
i am not
only self crafted URLs need to be handled by the developer
Sebastian Mendel schrieb:
Here is my newbie question. In the case you mention, we are using POST
so is the data automatically encoded when using POST? Hi,
is there any reason why the data is urlencoded when submitted with POST?
[...]
data in forms is urlencoded by the client (browser) if submitted with
GET and automatically encoded on server
so using urlencode results double encoded data If yes, you are right, we should not encode it (and
not decode it later
in tbl_replace.php). For example, sql_query is decoded later.
Did you find some bug with this?
not really a bug, if you not call it a bug to do things twice ...
but at least it makes overhead and complicates the source
--
Sebastian Mendel
www.sebastianmendel.de
12:52 p.m.
Sebastian Mendel schrieb:
Marc Delisle schrieb:
thats why this function is called urlencode() and not formdecode() or
something similar ... ;-)
--
Sebastian Mendel
www.sebastianmendel.de
Sebastian Mendel a écrit :
POST-data does not need encoding Sebastian Mendel schrieb:
Here is my newbie question. In the
case you mention, we are using POST
so is the data automatically encoded when using POST? Hi,
is there any reason why the data is urlencoded when submitted with POST?
[...]
data in forms is urlencoded by the client (browser) if submitted with
GET and automatically encoded on server
so using urlencode results double encoded data
1:17 p.m.
Sebastian Mendel schrieb:
Sebastian Mendel schrieb:
by the way: urldecode() should never be used on GET-params!
as GET-params are already decoded by the server
urldecode() is usefull if you handle the REQUEST-URI by hand - but not
with $_GET/_REQUET or imported (register_globals) variables
from the comments on php.net/urldecode()
Matt Johnson
26-Dec-2004 01:49
A reminder: if you are considering using urldecode() on a $_GET
variable, DON'T!
Evil PHP:
<?php
# BAD CODE! DO NOT USE!
$term = urldecode($_GET['sterm']);
?>
Good PHP:
<?php
$term = $_GET['sterm'];
?>
The webserver will arrange for $_GET to have been urldecoded once
already by the time it reaches you!
Using urldecode() on $_GET can lead to extreme badness, PARTICULARLY
when you are assuming "magic quotes" on GET is protecting you against
quoting.
Hint: script.php?sterm=%2527 [...]
PHP "receives" this as %27, which your urldecode() will convert to
"'"
(the singlequote). This may be CATASTROPHIC when injecting into SQL or
some PHP functions relying on escaped quotes -- magic quotes rightly
cannot detect this and will not protect you!
This "common error" is one of the underlying causes of the Santy.A worm
which affects phpBB < 2.0.11.
--
Sebastian Mendel
www.sebastianmendel.de
Marc Delisle schrieb:
thats why this function is called urlencode() and not formdecode() or
something similar ... ;-) Sebastian Mendel a écrit :
POST-data does not need
encoding Sebastian Mendel schrieb:
> Hi,
>
> is there any reason why the data is urlencoded when submitted with POST?
>
> [...]
data in forms is urlencoded by the client (browser) if submitted with
GET and automatically encoded on server
so using urlencode results double encoded data
Here is my newbie question. In the
case you mention, we are using POST
so is the data automatically encoded when using POST? 
11 Dec
11 Dec
10:32 a.m.
Hi
On Fri, 08 Dec 2006 14:13:16 +0100
Sebastian Mendel <lists(a)sebastianmendel.de> wrote:
is there any reason why the data is urlencoded when
submitted with POST?
IMHO no, I never understood this logic.
--
Michal Čihař | http://cihar.com | http://blog.cihar.com
12 Dec
12 Dec
11:11 a.m.
Michal Čihař schrieb:
Hi
On Fri, 08 Dec 2006 14:13:16 +0100
Sebastian Mendel <lists(a)sebastianmendel.de> wrote:
i will remove this ...
cannot find any use for tbl_replace_fields.inc.php other than in
tbl_replace.php, right?
tbl_replace.php themselve is only used by tbl_change.php
and tbl_change.php uses only tbl_replace as form action target
so i will remove all unnecessary urlde/encode() in this files
--
Sebastian Mendel
www.sebastianmendel.de
is there any reason why the data is urlencoded
when submitted with POST?
IMHO no, I never understood this logic.
6479
days inactive
6483
days old
7 comments
3 participants
participants (3)
-
Marc Delisle -
Michal Čihař -
Sebastian Mendel