I'll use the string to decrypt, so that I want to they are the same. When I use 'urlencode', some other string will be changed. Like '/' Thanks very much!! >> -----Original Message----- As Todd said, PHP is decoding the URL encoded cookie. The cookie has a '+' in it, because the HTTP headers cannot submit a space. That's why when you use Javascript, it shows you what's in the cookie, but when you use PHP, it shows the space. Which behavior do you prefer? If you want to see the +, the use this: http://us3.php.net/urlencode Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com Zhao chunliang[chunliang.zhao] wrote: > First thanks for Todd 's help > > I do have some questions. > > 1.Open the url : http://127.0.0.1/showCookie.php > ShowCookie.php code: > <?php > echo "<script>alert('" . $_COOKIE['TCSPUBLICJAUTHM'] ."');</script>"; > ?> > it's pop-up show : > [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4 dNQ== > > 2. The same window, input the string > "javascript:alert(document.cookie);" and enter, > it's pop-up show: > [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4+dNQ== > > So, I think it's being changed by PHP, not be HTML Decoded by Browser. > > And the string in Cookie , we should be reluctant to change. > > > > > > > > > >> -----Original Message----- >> From: Zhao chunliang[chunliang.zhao] >> [mailto:chunliang.zhao@xxxxxxxxxxxx] >> Sent: Wednesday, November 05, 2008 3:52 AM >> To: php-general@xxxxxxxxxxxxx >> Subject: 答复: COOKIE or coding >> >> 1.Open the url : http://127.0.0.1/showCookie.php >> >> ShowCookie.php code: >> >> <?php >> var_dump($_COOKIE); >> ?> >> >> That's print: >> [TCSPUBLICJAUTHM] => >> USER_ID=/zhW/2QXY/GUtIN7m4 dNQ== >> >> 2. The same window, input the string >> "javascript:alert(document.cookie);" and enter, it's show : >> >> That's print: >> [TCSPUBLICJAUTHM] => >> USER_ID=/zhW/2QXY/GUtIN7m4+dNQ== >> > > Notice the "+". In certain situations in PHP, it will be HTML Decoded. This > means the "+" will turn into whitespace. Try this for an example: > > index.php: > <?php > echo $_GET['d']; > ?> > > Then visit http://yourhost/yourdirectory/index.php?d=Hello+World ... it > should display "Hello World" instead of "Hello+World". > > >> 3. now , I change the showCookie.php >> >> <?php >> echo "<script>alert('" . >> $_COOKIE['TCSPUBLICJAUTHM'] . "');</script>"; >> var_dump($_COOKIE); >> ?> >> >> That's print: >> [TCSPUBLICJAUTHM] => >> USER_ID=/zhW/2QXY/GUtIN7m4 dNQ== >> > > As you can see, the only difference is the "+" has been replaced by > whitespace. > > >> I think the cookie in php being changed. >> > > It is, but it's not as drastic as you would think. There is an expected > behavior ("+" to " ") that you can deal with in your algorithm via > substitution, encoding, etc. > > HTH, > > > Todd Boyd > Web Programmer > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
