Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:5059
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Date: Wed, 29 Oct 2003 08:49:34 +0100 (=?X-UNKNOWN?Q?Westeurop=E4ische_Normalzeit?=)
To: internals@lists.php.net
Message-ID: <Pine.WNT.4.58.0310290849240.3976@acer-r63r3m7yu4>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: [PHP-DEV] Re: header() behaviour (fwd)
From: sascha@schumann.cx (Sascha Schumann)

On Tue, 28 Oct 2003, Rasmus Lerdorf wrote:

> On Wed, 29 Oct 2003, Christian Schneider wrote:
>
> > Gareth Ardron wrote:
> > > $var = "foo=1&amp;bar=2";
> >
> > To clarify:
> > You should use $var = "foo=1&bar=2"; and then $var for header() but
> > htmlspecialchar($var) for your href:
> > - HTTP-Headers must not be html-encoded.
> > - HTML-Attributes on the other hand have to be html-encoded.
> >
> > Even though most browsers work with hrefs without html-encoding and some
> > browsers might understand &amp; in HTTP-Headers this is not conforming
> > to the standards.
>
> Actually, &amp; is the way you need to write it if you are going to be
> perfectly standards-compliant.

    That is correct for URLs in HTML.  It is incorrect for HTTP headers
    (there is no entity decoding involved).

> It's just that nobody does this.

    Really?  My applications supply their own php.ini and always
    contain

        arg_separator.output = "&amp;"

    which is also listed in php.ini-dist.

> You can
> make PHP understand this by setting the separator in your php.ini file to
> &amp;

    Nope, input separators are always one character wide.

    - Sascha