What automatic decode routines does Apache+PHP use?
While looking over the doc's for urldecode() I came across this note:
The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results.
This is the reason why a get variable with the value of %26
ends up being &
. A开发者_运维知识库re there any other auto-magical decode routines other than urldecode()
? Perhaps decoding that is only done because of configuration or negotiation?
GET parameter decoding works actually in this sequence:
- explode(
"&"
, $QUERY_STRING) - strtok(
"="
) to split names from value urldecode()
on name and valuestrtr(".", "_", $name)
- non-alphanumeric characters mostly stripped from var names (a GET parameter &x.y= becomes $_GET["x_
y"])- expanding of
[] array
names addslashes()
on values if magic quotes were enabled - this is the only part that's configurable
When decoding POST parameters in multipart/form-data a charset= could be set individually for each field. But I have a hunch that PHP doesn't respect that.
That is all. AFAIK
While no longer really an issue in the later builds of PHP, GET POST & COOKIES used to have quotes automatically escaped... See here for more info: http://php.net/manual/en/security.magicquotes.php
精彩评论