While looking over the docs for urldecode() I came across this note:
"The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results."
This is the reason why a GET variable with the value of %26 ends up being &. Are there any other auto-magical decode routines other than urldecode()? Perhaps decoding that is only done because of configuration or negotiation?
GET parameter decoding actually works in this sequence:
- explode("&", $QUERY_STRING)
- strtok("=") to split names from value
- urldecode() on name and value
- strtr(".", "_", $name)
- non-alphanumeric characters mostly stripped from var names (a GET parameter &x.y= becomes $_GET["x_y"])
- expanding of [] array names
- addslashes() on values if magic quotes were enabled - this is the only part that's configurable
When decoding POST parameters in multipart/form-data a charset= could be set individually for each field. But I have a hunch that PHP doesn't respect that.
That is all. AFAIK
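As an added example (not the answerer's code), the sequence above emulated in PHP and compared against parse_str(), which applies the same rules $_GET is built with; the query string is constructed, magic quotes are assumed off, and only one level of [] nesting is handled.

```php
<?php
declare(strict_types=1);

// Constructed query string: a dotted name, an array name, and a value whose
// "%25" decodes to a literal percent sign.
const QUERY_STRING = 'x.y=1&arr%5Bk%5D=v&q=a%2526b';

// Hand-rolled version of the steps in the answer (magic quotes off): split on
// "&", split name/value on "=", urldecode() each exactly once, turn "." and
// " " in names into "_", expand one level of "name[key]" / "name[]".
function decodeQuery(string $qs): array
{
    $result = [];
    foreach (explode('&', $qs) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $name  = urldecode($name);
        $value = urldecode($value);
        if (preg_match('/^([^\[]+)\[([^\]]*)\]$/', $name, $m) === 1) {
            $base = strtr($m[1], '. ', '__');
            if ($m[2] === '') {
                $result[$base][] = $value;        // "name[]" appends
            } else {
                $result[$base][$m[2]] = $value;   // "name[key]"
            }
        } else {
            $result[strtr($name, '. ', '__')] = $value;
        }
    }
    return $result;
}

// PHP's own routine: parse_str() applies the same rules $_GET is built with.
parse_str(QUERY_STRING, $fromPhp);
$emulated = decodeQuery(QUERY_STRING);
var_dump($fromPhp === $emulated);
var_dump($fromPhp['q']);   // decoded exactly once: the "%25" became "%"

// The hazard from the question: a filter that rejects a literal "&" accepts
// $fromPhp['q'], but a redundant second urldecode() turns its "%26" into "&",
// so the check ran on a different string than the one the code goes on to use.
$once  = $fromPhp['q'];
$twice = urldecode($once);
var_dump(strpos($once, '&') === false);
var_dump(strpos($twice, '&') === false);
```

The same applies to any value that is validated before a second decode; validate the string that is actually used, and do not decode $_GET or $_REQUEST elements again.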
While no longer really an issue in the later builds of PHP, GET, POST & COOKIES used to have quotes automatically escaped... See here for more info: http://php.net/manual/en/security.magicquotes.php