[Phpmyadmin-devel] urlencode for POST data in tbl_change.php?
Sebastian Mendel
lists at sebastianmendel.de
Fri Dec 8 16:17:25 CET 2006
Sebastian Mendel wrote:
> Sebastian Mendel wrote:
>> Marc Delisle wrote:
>>> Sebastian Mendel wrote:
>>>> Sebastian Mendel wrote:
>>>>> Hi,
>>>>>
>>>>> is there any reason why the data is urlencoded when submitted with POST?
>>>>>
>>>>> [...]
>>>> data in forms is urlencoded by the client (browser) if submitted with
>>>> GET and automatically encoded on server
>>>>
>>>> so using urlencode results in double-encoded data
>>> Here is my newbie question. In the case you mention, we are using POST
>>> so is the data automatically encoded when using POST?
>> POST-data does not need encoding
>
> that's why this function is called urlencode() and not formdecode() or
> something similar ... ;-)
By the way: urldecode() should never be used on GET-params!
GET-params are already decoded by the server.
urldecode() is useful if you handle the REQUEST-URI by hand - but not
with $_GET/$_REQUEST or imported (register_globals) variables.
From the comments on php.net/urldecode():
Matt Johnson
26-Dec-2004 01:49
A reminder: if you are considering using urldecode() on a $_GET
variable, DON'T!
Evil PHP:
<?php
# BAD CODE! DO NOT USE!
$term = urldecode($_GET['sterm']);
?>
Good PHP:
<?php
$term = $_GET['sterm'];
?>
The webserver will arrange for $_GET to have been urldecoded once
already by the time it reaches you!
Using urldecode() on $_GET can lead to extreme badness, PARTICULARLY
when you are assuming "magic quotes" on GET is protecting you against
quoting.
Hint: script.php?sterm=%2527 [...]
PHP "receives" this as %27, which your urldecode() will convert to "'"
(the singlequote). This may be CATASTROPHIC when injecting into SQL or
some PHP functions relying on escaped quotes -- magic quotes rightly
cannot detect this and will not protect you!
This "common error" is one of the underlying causes of the Santy.A worm
which affects phpBB < 2.0.11.
--
Sebastian Mendel
www.sebastianmendel.de
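The following is an added example, not code from this thread, from the quoted php.net comment, or from phpMyAdmin. It reproduces the single decoding step PHP performs when it fills $_GET (parse_str() decodes a query string exactly once, the same way), then shows what a second urldecode() does to the %2527 value mentioned above. The function names (parseQueryOnce, readTermGood, readTermBad, decodesExactlyOnce) and the sample query string are assumptions made for the example.

```php
<?php
// Added example, not code from the mailing-list thread or from phpMyAdmin.
// It mimics the single decoding step PHP performs when populating $_GET
// and shows what an extra urldecode() does to an already-decoded value.

// parse_str() decodes a query string exactly once, as PHP does for $_GET.
function parseQueryOnce(string $query): array
{
    $params = [];
    parse_str($query, $params);
    return $params;
}

// Correct handling: use the value exactly as PHP hands it over.
function readTermGood(array $get): string
{
    return $get['sterm'] ?? '';
}

// Incorrect handling (the pattern the comment warns about): the extra
// urldecode() decodes a value that the server already decoded once.
function readTermBad(array $get): string
{
    return urldecode($get['sterm'] ?? '');
}

// Review/test helper: a value that still contains a percent-escape after
// the server's decoding must come out of the handler byte-identical.
// If it changes, the handler is decoding twice.
function decodesExactlyOnce(callable $handler, string $rawQueryValue): bool
{
    $get = parseQueryOnce('sterm=' . $rawQueryValue);
    return $handler($get) === $get['sterm'];
}

// Constructed input: the %2527 case from the quoted php.net comment.
$raw = '%2527';
$get = parseQueryOnce('sterm=' . $raw);

echo 'raw query value   : ', $raw, PHP_EOL;
echo 'value in $_GET    : ', $get['sterm'], PHP_EOL;
echo 'good handler      : ', readTermGood($get), PHP_EOL;
echo 'bad handler       : ', readTermBad($get), PHP_EOL;
echo 'good decodes once : ', decodesExactlyOnce('readTermGood', $raw) ? 'yes' : 'no', PHP_EOL;
echo 'bad decodes once  : ', decodesExactlyOnce('readTermBad', $raw) ? 'yes' : 'no', PHP_EOL;
```

Run it with `php example.php`. The "bad handler" line is the one to look for in a code review: a handler that passes decodesExactlyOnce() for inputs like %2527 is treating $_GET as already decoded, which is the behaviour the thread recommends; one that fails it is re-decoding and will turn escaped characters into live ones before they reach SQL or other escaping-sensitive code.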