While looking over the docs for urldecode() I discovered this note:
"The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results."
So that is why a GET variable with the value %26 ends up being &. Are there more auto-magical decode routines apart from urldecode()? Possibly decoding that's only done due to configuration or settings?
While no longer really a problem in the later builds of PHP, GET, POST & Cookies once had quotes automatically escaped... See here for more information: http://php.net/manual/en/security.magicquotes.php
GET parameter decoding actually works in this sequence:
- "=") to separate names from value
- urldecode() on name and value
- strtr(".", "_", $name) - non-alphanumeric characters mostly removed from var names (a GET parameter &x.y= becomes $_GET["x
- growing of
- addslashes() on values if magic quotes were enabled - this is actually the only part that's configurable
When decoding POST parameters in multipart/form-data a charset= might be set individually for every field. But I've got a hunch that PHP does not respect that.
That's all. AFAIK
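
The decoding sequence and the manual's warning, as an added example that is not part of the original posts. It uses parse_str() as a stand-in for the way PHP fills $_GET; the query string, the parameter names and the isPlainName() helper are constructed for illustration.

```php
<?php
// Constructed sample query string (not taken from the page).
$query = 'x.y=1&name=a%2Bb&q=%2526&file=reports%252F2024';

// parse_str() parses a string the same way PHP parses the URL query
// string, so $params plays the role of $_GET in this example.
parse_str($query, $params);

// Step "strtr": the dot in the parameter name is replaced, so the value
// is reachable under the key "x_y" and not under "x.y".
var_dump(array_keys($params));

// Step "urldecode": every value has already been decoded exactly once.
// "name" now holds a literal plus sign and "q" a literal "%26".
var_dump($params['name'], $params['q']);

// A second urldecode() corrupts both values: the literal "+" is treated
// as an encoded space, and the literal "%26" collapses into "&".
var_dump(urldecode($params['name']), urldecode($params['q']));

// Hypothetical validation helper: accepts a name only if it contains
// no path separator.
function isPlainName(string $value): bool
{
    return strpos($value, '/') === false && strpos($value, '\\') === false;
}

// Why the manual calls the second decode dangerous: the check runs on
// the once-decoded value, but the value used afterwards is decoded again
// and is therefore a different string from the one that was checked.
$checked = $params['file'];
$used    = urldecode($checked);

var_dump(isPlainName($checked)); // check as performed by the application
var_dump(isPlainName($used));    // same check on the value actually used
var_dump($checked === $used);    // the two strings are not the same

// Correct handling: use $params['file'] (or $_GET['file']) directly and
// validate that exact string; never call urldecode() on it again.
```

Validate and use the value exactly as PHP delivers it; if a later layer must decode again, run the validation after that final decode.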