Re: Reply: [PHP]COOKIE or coding

As Todd said, PHP is decoding the URL encoded cookie. The cookie has a
'+' in it, because the HTTP headers cannot submit a space. That's why
when you use Javascript, it shows you what's in the cookie, but when you
use PHP, it shows the space. Which behavior do you prefer? If you want
to see the +, then use this:
http://us3.php.net/urlencode

Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com



Zhao chunliang[chunliang.zhao] wrote:
> First, thanks for Todd's help
>
> 	I do have some questions.
>
> 	1.Open the url : http://127.0.0.1/showCookie.php
> ShowCookie.php   code:
> 	<?php
>       echo "<script>alert('" . $_COOKIE['TCSPUBLICJAUTHM'] ."');</script>"; 
> 	?>
> 		it's pop-up show :
> 		[TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4 dNQ==
>
> 	2. The same window, input the string
>            "javascript:alert(document.cookie);" and enter, 
> 	    it's pop-up show:
> 		[TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4+dNQ==
>
> So, I think it's being changed by PHP, not being HTML Decoded by the Browser.
>
> And the string in Cookie , we should be reluctant to change.
>
>> -----Original Message-----
>> From: Zhao chunliang[chunliang.zhao]
>> [mailto:chunliang.zhao@xxxxxxxxxxxx]
>> Sent: Wednesday, November 05, 2008 3:52 AM
>> To: php-general@xxxxxxxxxxxxx
>> Subject: Reply: COOKIE or coding
>>
>>                    1.Open the url : http://127.0.0.1/showCookie.php
>>
>>                             ShowCookie.php   code:
>>
>>                                      <?php
>>                                                var_dump($_COOKIE);
>>                                      ?>
>>
>>                             That's print:
>>                                                [TCSPUBLICJAUTHM] =>
>> USER_ID=/zhW/2QXY/GUtIN7m4 dNQ==
>>
>>                    2. The same window, input the string
>> "javascript:alert(document.cookie);" and enter, it's show :
>>
>>                            That's print:
>>                                             [TCSPUBLICJAUTHM] =>
>> USER_ID=/zhW/2QXY/GUtIN7m4+dNQ==
>>     
>
> Notice the "+". In certain situations in PHP, it will be HTML Decoded. This
> means the "+" will turn into whitespace. Try this for an example:
>
> index.php:
> <?php
>   echo $_GET['d'];
> ?>
>
> Then visit http://yourhost/yourdirectory/index.php?d=Hello+World  ... it
> should display "Hello World" instead of "Hello+World".
>
>   
>>                    3. now , I change the showCookie.php
>>
>>                                      <?php
>>                                                echo "<script>alert('" .
>> $_COOKIE['TCSPUBLICJAUTHM'] . "');</script>";
>>                                                var_dump($_COOKIE);
>>                                      ?>
>>
>>                              That's print:
>>                                              [TCSPUBLICJAUTHM] =>
>> USER_ID=/zhW/2QXY/GUtIN7m4 dNQ==
>>     
>
> As you can see, the only difference is the "+" has been replaced by
> whitespace.
>  
>   
>>                    I think the cookie in php being changed.
>>     
>
> It is, but it's not as drastic as you would think. There is an expected
> behavior ("+" to " ") that you can deal with in your algorithm via
> substitution, encoding, etc.
>
> HTH,
>
>
> Todd Boyd
> Web Programmer
>
>   

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
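
The following PHP sketch is an added example, not part of the thread or any poster's code. It models the decoding the thread describes by applying urldecode() to a constructed Cookie header that carries the cookie name and value quoted above, then shows the two remedies Todd mentions, substitution and encoding, each checked with hash_equals(). The helper parse_cookie_header() is hypothetical.

```php
<?php
// Cookie name and value as quoted in the thread.
const NAME  = 'TCSPUBLICJAUTHM';
const TOKEN = 'USER_ID=/zhW/2QXY/GUtIN7m4+dNQ==';

// Hypothetical helper: parse a Cookie request header into name => value,
// applying $decode to each value. Passing 'urldecode' models the form-style
// decoding described in the thread ('+' is read as an encoded space).
function parse_cookie_header(string $header, callable $decode): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        // Split at the first '=' only: the value itself contains '='.
        $parts = explode('=', trim($pair), 2);
        if (count($parts) === 2) {
            $cookies[$parts[0]] = $decode($parts[1]);
        }
    }
    return $cookies;
}

// 1. Token sent verbatim (constructed header): the literal '+' is decoded
//    to a space, so the value no longer matches what was issued.
$sent = NAME . '=' . TOKEN;
$seen = parse_cookie_header($sent, 'urldecode')[NAME];
echo "decoded:  $seen\n";
echo 'matches issued token: ';
var_dump(hash_equals(TOKEN, $seen));

// 2. Substitution on the receiving side. This is only sound because the
//    issued value contains no legitimate spaces (the base64 alphabet has
//    none), so every space seen must have been a '+'.
$restored = str_replace(' ', '+', $seen);
echo 'after substitution:   ';
var_dump(hash_equals(TOKEN, $restored));

// 3. Encoding on the sending side. rawurlencode() writes '+' as %2B, which
//    decodes back to '+' whichever of the two decoders the reader applies.
$sent = NAME . '=' . rawurlencode(TOKEN);
echo "on the wire: $sent\n";
foreach (['urldecode', 'rawurldecode'] as $decode) {
    $seen = parse_cookie_header($sent, $decode)[NAME];
    echo "via $decode: ";
    var_dump(hash_equals(TOKEN, $seen));
}
```

On a live request the undecoded header is available as $_SERVER['HTTP_COOKIE'], which can be compared against $_COOKIE to confirm which decoding the running PHP version applied.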