Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:54183
Return-Path: <tigger.on@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 69876 invoked from network); 25 Jul 2011 03:56:34 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 25 Jul 2011 03:56:34 -0000
Authentication-Results: pb1.pair.com header.from=tigger.on@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=tigger.on@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.54 as permitted sender)
X-PHP-List-Original-Sender: tigger.on@gmail.com
X-Host-Fingerprint: 74.125.82.54 mail-ww0-f54.google.com  
Received: from [74.125.82.54] ([74.125.82.54:41543] helo=mail-ww0-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 58/76-07096-179EC2E4 for <internals@lists.php.net>; Sun, 24 Jul 2011 23:56:34 -0400
Received: by wwf4 with SMTP id 4so3756513wwf.11
        for <internals@lists.php.net>; Sun, 24 Jul 2011 20:56:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=cEHx+yL8ojcqFuW+X5e4fK8Jio8jNHp6JmilNSl85R4=;
        b=eSSDZbAAP7UHxTa+cchmGR2ZcUHrbQHtO+JttoRxkLmewhL2sp+QM0z/QV5nB4D1Lb
         5G9qACCovfOyTYSOcJrgt+8u+UXPluUEXfZ56+8S+J6hjS4i4Tf8E5PbneSXabMY3kgl
         EBzWk00/yo/AZhPah36iR7JQAhL5UebFDk0a8=
MIME-Version: 1.0
Received: by 10.227.61.10 with SMTP id r10mr3397985wbh.74.1311566190023; Sun,
 24 Jul 2011 20:56:30 -0700 (PDT)
Received: by 10.227.203.195 with HTTP; Sun, 24 Jul 2011 20:56:29 -0700 (PDT)
Date: Mon, 25 Jul 2011 13:56:29 +1000
Message-ID: <CA+aCQRCz2s3d-LhtiLDxR4g3EdcfKH5JYxyYs3e+8kQqqupmEw@mail.gmail.com>
To: internals@lists.php.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Consider the use of rawurldecode() on $_GET and $_REQUEST instead of urldecode()
From: tigger.on@gmail.com (Tig)

Current the following string (inside the quotes) "give me a + plz"
should be encoded correctly to "give%20me%20a%20+%20plz" when passed
as a query string.

Now when the query string is presented with $_GET['x'], the result is
"give me a   plz". Clearly wrong.

This leads to people (I'm sure I'm not the only one) using crazy hacks
to get something as simple as a query string var.

rawurlencode('give me a + plz') will produce "give%20me%20a%20%2B%20plz"
which is not "give%20me%20a%20+%20plz", but does not 'drop' the "+" when
someone types in the query string.

The following code can be used to show the error (lines may wrap):

<?php

    $str = 'give me a + plz';

    echo '
<a href="'.$_SERVER['SCRIPT_NAME'].'?qs='.$str.'">As typed by someone</a><br />
<a href="'.$_SERVER['SCRIPT_NAME'].'?qs='.urlencode($str).'">With
urlencode()</a><br />
<a href="'.$_SERVER['SCRIPT_NAME'].'?qs='.rawurlencode($str).'">With
rawurlencode()</a><br />
';

    if ($_GET['qs']) {
        echo '<p>Results:<br />
'.$_SERVER['QUERY_STRING'].' &#60; $_SERVER[QUERY_STRING]<br />
'.$_GET['qs'].' &#60; $_GET[qs]<br />
'.urldecode($_SERVER['QUERY_STRING']).' &#60;
urldecode($_SERVER[QUERY_STRING])<br />
'.rawurldecode($_SERVER['QUERY_STRING']).' &#60;
rawurldecode($_SERVER[QUERY_STRING])
</p>';
        // code to break up the query string because _GET[] is not
        // correct - NOT 100% reliable as well!!
        $tmp = explode('&',$_SERVER['QUERY_STRING']);
        foreach($tmp as $q) {
            $qs = explode('=',$q);
            for($i = 0; $i < count($qs) ; $i++) {
                $real_GET[$qs[$i]] = rawurldecode($qs[++$i]);
            }
        } // foreach

        echo '<p>
What was really passed?? Impossible to tell for sure but less likely to
be what _GET has:<br />'.$real_GET['qs'].'
</p>';

    } // _GET[qs]
?>