Re: [PHP]COOKIE or coding

First, thanks for Todd's help.

I do have some questions.

1. Open the url: http://127.0.0.1/showCookie.php
   ShowCookie.php code:

       <?php
           echo "<script>alert('" . $_COOKIE['TCSPUBLICJAUTHM'] . "');</script>";
       ?>

   The pop-up shows:
       [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4 dNQ==

2. In the same window, input the string "javascript:alert(document.cookie);" and press Enter.
   The pop-up shows:
       [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4+dNQ==

So, I think it's being changed by PHP, not HTML-decoded by the browser.

And we should be reluctant to change the string in the cookie.

> -----Original Message-----
> From: Zhao chunliang[chunliang.zhao]
> [mailto:chunliang.zhao@xxxxxxxxxxxx]
> Sent: Wednesday, November 05, 2008 3:52 AM
> To: php-general@xxxxxxxxxxxxx
> Subject: Re: COOKIE or coding
>
> 1. Open the url: http://127.0.0.1/showCookie.php
>
>    ShowCookie.php code:
>
>        <?php
>            var_dump($_COOKIE);
>        ?>
>
>    That prints:
>        [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4 dNQ==
>
> 2. In the same window, input the string "javascript:alert(document.cookie);" and press Enter. It shows:
>
>    That prints:
>        [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4+dNQ==

Notice the "+". In certain situations in PHP, it will be HTML Decoded. This
means the "+" will turn into whitespace. Try this for an example:

index.php:
<?php
  echo $_GET['d'];
?>

Then visit http://yourhost/yourdirectory/index.php?d=Hello+World  ... it
should display "Hello World" instead of "Hello+World".

> 3. Now, I change the showCookie.php
>
>        <?php
>            echo "<script>alert('" . $_COOKIE['TCSPUBLICJAUTHM'] . "');</script>";
>            var_dump($_COOKIE);
>        ?>
>
>    That prints:
>        [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4 dNQ==

As you can see, the only difference is the "+" has been replaced by
whitespace.
 
> I think the cookie in PHP is being changed.

It is, but it's not as drastic as you would think. There is an expected
behavior ("+" to " ") that you can deal with in your algorithm via
substitution, encoding, etc.

HTH,


Todd Boyd
Web Programmer

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
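
An added example, not part of either message in this thread: it compares the cookie value as sent in the request header with the URL-decoded form PHP stores in $_COOKIE, restores the "+", and writes the value into a script block as an escaped literal. The function names (raw_cookies, restore_base64_plus, js_string) and the extra "lang=en" cookie are assumptions made for the illustration; the cookie name and value are the ones quoted above.

```php
<?php
// Added example (not from the thread). Cookie name and value are the ones quoted above.

// Parse a raw Cookie header WITHOUT URL-decoding the values.
function raw_cookies(string $header): array
{
    $out = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if (strpos($pair, '=') === false) {
            continue;                       // skip empty or malformed pairs
        }
        // Split on the first "=" only; the value itself contains "=".
        [$name, $value] = explode('=', $pair, 2);
        $out[trim($name)] = $value;
    }
    return $out;
}

// Undo the "+" -> " " change. Valid only for values known to be base64,
// whose alphabet contains no space and no "%".
function restore_base64_plus(string $value): string
{
    return str_replace(' ', '+', $value);
}

// Emit a string as a JavaScript literal that cannot break out of <script>.
function js_string(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Under a web server the header comes from the request; on the CLI fall back
// to a constructed sample carrying the cookie from the thread.
$header = $_SERVER['HTTP_COOKIE']
    ?? 'TCSPUBLICJAUTHM=USER_ID=/zhW/2QXY/GUtIN7m4+dNQ==; lang=en';

$raw      = raw_cookies($header)['TCSPUBLICJAUTHM'] ?? '';
$asPhp    = $_COOKIE['TCSPUBLICJAUTHM'] ?? urldecode($raw); // how $_COOKIE is filled
$restored = restore_base64_plus($asPhp);

printf("raw:      %s\n\$_COOKIE: %s\nrestored: %s\nmatch:    %s\n",
    $raw, $asPhp, $restored, var_export($restored === $raw, true));
echo '<script>alert(' . js_string($raw) . ');</script>', "\n";
```

When the PHP application sets the cookie itself, setcookie() URL-encodes the value so that "+" survives the round trip; the raw-header approach is for cookies written by another application.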