RE: $_GET and multiple spaces.

> -----Original Message-----
> From: Jochem Maas [mailto:jochem@xxxxxxxxxxxxx]
> Sent: Monday, January 14, 2008 8:34 PM
> To: Andrés Robinet
> Cc: php-general@xxxxxxxxxxxxx
> Subject: Re:  $_GET and multiple spaces.
> 
> Andrés Robinet wrote:
> >> -----Original Message-----
> >> From: Richard Lynch [mailto:ceo@xxxxxxxxx]
> >> Sent: Monday, January 14, 2008 7:08 PM
> >> To: Andrés Robinet
> >> Cc: php-general@xxxxxxxxxxxxx
> >> Subject: RE:  $_GET and multiple spaces.
> >>
> >> On Mon, January 14, 2008 1:33 pm, Andrés Robinet wrote:
> >>>> -----Original Message-----
> >>>> From: Richard Lynch [mailto:ceo@xxxxxxxxx]
> >>>> Sent: Monday, January 14, 2008 2:11 PM
> >>>> To: Jochem Maas
> >>>> Cc: clive; Churchill, Craig; php-general@xxxxxxxxxxxxx
> >>>> Subject: Re:  $_GET and multiple spaces.
> >>>>
> >>>> On Mon, January 14, 2008 3:17 am, Jochem Maas wrote:
> >>>>> I think actually the whole url should be urlencoded as a matter of
> >>>>> course, not 100% sure about this (and it's way too early on a monday
> >>>>> to bother checking up ;-) ... maybe someone else can chime in?
> >>>> Actually, after you urlencode() the values, you should htmlentities
> >>>> the whole URL, as it is being passed to HTML as a value to be output
> >>>> to HTML.
> >>>>
> >>>> The whole URL should *NOT* be URL-encoded, however.
> >>>>
> >>>> --
> >>>> Some people have a "gift" link here.
> >>>> Know what I want?
> >>>> I want you to buy a CD from some indie artist.
> >>>> http://cdbaby.com/from/lynch
> >>>> Yeah, I get a buck. So?
> >>> Like this?
> >>>
> >>> $url = htmlspecialchars('whatever.php?'.urlencode($name).'='.urlencode($value));
> >>
> >> Yes, but if your $name is weird enough to need to be urlencoded, you
> >> probably are doing something "Wrong" from a stylistic programming
> >> stand-point...
> >>
> >> I'm not even sure of the rules for what can be in a $name, come to
> >> think of it...
> >>
> >
> > I think I can tell you what... it has just come to my mind (nirvana
> > moment)... how about this?
> >
> > $name = 'mylist[myindex]';
> 
> this is almost an invite to moan about how http_build_query() was 'fixed'
> in 5.1.3 to escape square brackets ... which makes php no longer do one of
> the coolest things, imho, with regard to incoming GET/POST values - namely
> auto-convert bracketed request var names into native arrays. at least if
> those strings are used in anything other than a URL context (form inputs
> anyone). It would have been nice to have the encoding as an optional
> switch/argument.

Well, almost... the other part of the world that arguably wanted square
brackets escaped in http_build_query will be very pleased (let me tell you I
don't use http_build_query, but have my own as sometimes PHP 5 is not an
option...).
I guess they thought http_build_query would always be used in a URL
context. But yes... escaping square brackets could be made optional and we
would get the best of both worlds.

Anyway... my point was that names may need escaping, at least in some
contexts. But let me ask you because maybe I'm wrong:

<a href="index.php?list%5Bindex%5D=value">Click</a>

Wouldn't this translate into $_GET['list']['index'] == 'value'? As far
as I've tested, it does... Also, it seems that "[" and "]" are unsafe
characters according to http://www.ietf.org/rfc/rfc1738.txt

"Unsafe:

   Characters can be unsafe for a number of reasons.  The space
   character is unsafe because significant spaces may disappear and
   insignificant spaces may be introduced when URLs are transcribed or
   typeset or subjected to the treatment of word-processing programs.
   The characters "<" and ">" are unsafe because they are used as the
   delimiters around URLs in free text; the quote mark (""") is used to
   delimit URLs in some systems.  The character "#" is unsafe and should
   always be encoded because it is used in World Wide Web and in other
   systems to delimit a URL from a fragment/anchor identifier that might
   follow it.  The character "%" is unsafe because it is used for
   encodings of other characters.  Other characters are unsafe because
   gateways and other transport agents are known to sometimes modify
   such characters. These characters are "{", "}", "|", "\", "^", "~",
   "[", "]", and "`".

   All unsafe characters must always be encoded within a URL...."

Maybe that's why they chose to escape square brackets. I'm not a standards
freak, but rather a pragmatic man. Just trying to prove a point.

> 
>      /* since php5.1.3 http_build_query() urlencodes square brackets - this does not please us at all,
>       * this function fixes the problem the encoding causes us when using http_build_query() output
>       * in hidden INPUT field names.
>       */
>      function inputPostQueryUnBorker($s)
>      {
>          // first version - slower? more code!
>          /*
>          return preg_replace('#(\?|&(?:amp;)?)([^=]*)=#eU',
>                              "'\\1'.str_replace(array('%5B','%5D'), array('[',']'), '\\2').'='",
>                              $s);
>          //*/
> 
>          // second version - faster? more compact! (should work identically to the above statement.)
>          // decodes %5B / %5D only while still inside a parameter name, i.e. before the '=' of
>          // the same name=value pair; uses preg_replace_callback() rather than preg_replace()
>          // with the /e modifier, which PHP 7 removed
>          return preg_replace_callback('#%5[bd](?=[^&]*=)#i',
>                                       function ($m) { return urldecode($m[0]); },
>                                       $s);
>      }

Thanks a lot! I'll surely give it a try.

> 
> >
> >> --
> >> Some people have a "gift" link here.
> >> Know what I want?
> >> I want you to buy a CD from some indie artist.
> >> http://cdbaby.com/from/lynch
> >> Yeah, I get a buck. So?
> >
> > Regards,
> >
> > Rob
> >
> >
> > Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
> > 5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
> > | TEL 954-607-4207 | FAX 954-337-2695
> > Email: info@xxxxxxxxxxxxx  | MSN Chat: best@xxxxxxxxxxxxx  |  SKYPE:
> > bestplace |  Web: http://www.bestplace.biz | Web: http://www.seo-diy.com
> >

Regards,

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
| TEL 954-607-4207 | FAX 954-337-2695
Email: info@xxxxxxxxxxxxx  | MSN Chat: best@xxxxxxxxxxxxx  |  SKYPE:
bestplace |  Web: http://www.bestplace.biz | Web: http://www.seo-diy.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
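The construction the thread converges on (urlencode the name/value pairs, then HTML-escape the whole URL for the link; for hidden INPUT names, escape the bracketed name for HTML only, so nothing has to be "un-borked"), as an added PHP example that is not code from any poster in the thread. buildLink and buildHiddenInputs are hypothetical helper names and the sample parameters are constructed.

```php
<?php
// Added example, not from the thread: build a link whose query-string names
// are bracketed array names, in the order the thread settles on: urlencode
// the name/value pairs, then htmlspecialchars() the whole URL because it is
// being emitted into an HTML attribute. Helper names are hypothetical.
function buildLink($script, array $params)
{
    // http_build_query() accepts nested arrays and (since PHP 5.1.3) encodes
    // the brackets as %5B / %5D; PHP still decodes that into
    // $_GET['list']['index'], so nothing needs to be undone here.
    $url = $script . '?' . http_build_query($params, '', '&');
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Click</a>';
}

// Hidden INPUT names live in an HTML attribute, not in a URL, so they need
// HTML escaping only: generate the bracketed names directly instead of
// URL-encoding them and then decoding the brackets again with a regex.
function buildHiddenInputs(array $params, $prefix = '')
{
    $out = '';
    foreach ($params as $key => $value) {
        $name = ($prefix === '') ? $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $out .= buildHiddenInputs($value, $name);
        } else {
            $out .= '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
                  . '" value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "\">\n";
        }
    }
    return $out;
}

// Constructed sample input: two consecutive spaces (the thread's original
// problem), an ampersand and a double quote, each of which needs a different
// escaping in the URL and in the attribute.
$params = array('list' => array('index' => 'a  b&c"d'), 'q' => 'x y');
echo buildLink('index.php', $params), "\n";
echo buildHiddenInputs($params);

// Round trip: parse_str() applies the same decoding PHP uses for $_GET,
// so the bracketed, percent-encoded name comes back as a nested array and
// the doubled space survives.
parse_str(http_build_query($params, '', '&'), $parsed);
var_dump($parsed['list']['index'] === 'a  b&c"d');
```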