[Phpmyadmin-devel] urlencode for POST data in tbl_change.php?

Sebastian Mendel lists at sebastianmendel.de
Fri Dec 8 16:17:25 CET 2006


Sebastian Mendel schrieb:
> Sebastian Mendel schrieb:
>> Marc Delisle schrieb:
>>> Sebastian Mendel a écrit :
>>>> Sebastian Mendel schrieb:
>>>>> Hi,
>>>>>
>>>>> is there any reason why the data is urlencoded when submitted with POST?
>>>>>
>>>>> [...]
>>>> data in forms is urlencoded by the client (browser) if submitted with
>>>> GET and automatically encoded on server
>>>>
>>>> so using urlencode results in double-encoded data
>>> Here is my newbie question. In the case you mention, we are using POST 
>>> so is the data automatically encoded when using POST?
>> POST-data does not need encoding
> 
> that's why this function is called urlencode() and not formdecode() or
> something similar ... ;-)

by the way: urldecode() should never be used on GET-params!

as GET-params are already decoded by the server

urldecode() is useful if you handle the REQUEST-URI by hand - but not
with $_GET/$_REQUEST or imported (register_globals) variables


from the comments on php.net/urldecode()

Matt Johnson, 26-Dec-2004 01:49
A reminder: if you are considering using urldecode() on a $_GET
variable, DON'T!

Evil PHP:

<?php
# BAD CODE! DO NOT USE!
# $_GET['sterm'] was already percent-decoded once by the web server;
# this decodes it a second time.
$term = urldecode($_GET['sterm']);
?>

Good PHP:

<?php
# $_GET['sterm'] already holds the decoded value; use it as delivered.
$term = $_GET['sterm'];
?>

The webserver will arrange for $_GET to have been urldecoded once
already by the time it reaches you!

Using urldecode() on $_GET can lead to extreme badness, PARTICULARLY
when you are assuming "magic quotes" on GET is protecting you against
quoting.

Hint: script.php?sterm=%2527 [...]

PHP "receives" this as %27, which your urldecode() will convert to "'"
(the singlequote). This may be CATASTROPHIC when injecting into SQL or
some PHP functions relying on escaped quotes -- magic quotes rightly
cannot detect this and will not protect you!

This "common error" is one of the underlying causes of the Santy.A worm
which affects phpBB < 2.0.11.



-- 
Sebastian Mendel

www.sebastianmendel.de
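The %2527 hint above, worked through end to end as an added example (this is not code from the thread or from phpMyAdmin). It simulates the server's single decode with parse_str(), stands in addslashes() for the old magic_quotes_gpc behaviour, and runs the "bad" and "good" variants side by side; the function names, the query strings and the SQL template are constructed for illustration.

```php
<?php
// Added example, not from the original thread: a double-encoded parameter
// slips past escaping that only sees the once-decoded value.
// addslashes() stands in for magic_quotes_gpc; query strings are constructed.

// What the web server does for you: percent-decode the query string once.
function server_parse(string $query): array {
    $params = [];
    parse_str($query, $params); // parse_str() decodes each value exactly once
    return $params;
}

// The "magic quotes" step: escape quotes in every value that arrived.
function magic_quotes(array $params): array {
    return array_map('addslashes', $params);
}

// BAD: decode again after the server (and the escaping) already ran.
function bad_term(array $get): string {
    return urldecode($get['sterm']);
}

// GOOD: take the value exactly as the server delivered it.
function good_term(array $get): string {
    return $get['sterm'];
}

// Hypothetical query built by string concatenation, as in old PHP code.
function build_sql(string $term): string {
    return "SELECT * FROM posts WHERE title = '" . $term . "'";
}

foreach (['sterm=%27', 'sterm=%2527'] as $query) {
    $get = magic_quotes(server_parse($query));
    printf("%-12s decoded-once: %-4s bad: %-4s good: %s\n",
        $query, $get['sterm'], bad_term($get), good_term($get));
    printf("  bad SQL : %s\n", build_sql(bad_term($get)));
    printf("  good SQL: %s\n", build_sql(good_term($get)));
}
```

For sterm=%27 the server delivers a bare quote, addslashes() escapes it to \' and both variants keep the escape. For sterm=%2527 the server delivers the literal text %27, which contains no quote for addslashes() to touch; bad_term() then turns it into an unescaped ', and the resulting SQL reads ... WHERE title = ''', exactly the breakage the comment warns about, while good_term() keeps %27 as data. Whatever the decoding discipline, the real cure for the SQL case is a prepared statement with bound parameters rather than escaping at all.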