While looking over the docs for urldecode() I discovered this note:

The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results.

Because of this, I wonder why a GET variable with the value %26 ends up being &. Are there other auto-magical decode functions apart from urldecode()? Possibly decoding that is only done because of configuration or negotiation?

While no longer really an issue in the later builds of PHP, GET, POST & Cookies once had quotes automatically escaped... See here for more information: http://php.net/manual/en/security.magicquotes.php

GET parameter decoding works roughly in this sequence:

  • explode("&", $QUERY_STRING)
  • strtok("=") to separate names from values
  • urldecode() on name and value
  • strtr($name, ".", "_") - non-alphanumeric characters are mostly stripped from var names (a GET parameter &x.y= becomes $_GET["x_y"])
  • expansion of [] array names
  • addslashes() on values if magic quotes were enabled - this is the only part that's configurable

When decoding POST parameters in multipart/form-data a charset= might be set individually for every field. But I have a hunch that PHP does not respect that.

That's all. AFAIK
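The decoding sequence listed in the answer above, re-implemented as an added example (not code from the thread or from PHP itself) and checked against PHP's own parse_str(), which builds $_GET the same way. The sample query string is constructed for illustration; the function name decodeQueryString() and the magic-quotes omission are my choices. The last lines illustrate the hazard the question asks about: a second urldecode() on an already-decoded value.

```php
<?php
// Added example: the GET decoding order described in the answer, reproduced in
// userland so it can be compared with parse_str(). Not PHP's real parser.

/**
 * Decode a query string in the described order:
 *   explode on "&"  ->  split name/value at the first "="  ->  urldecode() both
 *   ->  "." (and space) in the variable name become "_"  ->  expand [] names.
 * The addslashes() step (magic quotes) is left out; it no longer exists in PHP.
 */
function decodeQueryString(string $query): array
{
    $result = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        // strtok("=") equivalent: everything before the first "=" is the name.
        $eq    = strpos($pair, '=');
        $name  = $eq === false ? $pair : substr($pair, 0, $eq);
        $value = $eq === false ? '' : substr($pair, $eq + 1);

        // Percent-decoding happens exactly once, here. $_GET already holds this
        // result, so any further urldecode() on it is a double decode.
        $name  = urldecode($name);
        $value = urldecode($value);

        // Name mangling applies to the part before the first "[".
        $bracket = strpos($name, '[');
        $base    = $bracket === false ? $name : substr($name, 0, $bracket);
        $base    = strtr($base, ['.' => '_', ' ' => '_']);

        if ($bracket === false) {
            $result[$base] = $value;
            continue;
        }

        // Expand "x[a][]" style names into nested arrays.
        preg_match_all('/\[([^\]]*)\]/', substr($name, $bracket), $m);
        $keys = $m[1];
        $last = array_pop($keys);

        if (!isset($result[$base]) || !is_array($result[$base])) {
            $result[$base] = [];
        }
        $ref = &$result[$base];
        foreach ($keys as $k) {
            if ($k === '') {             // "[]" appends a new sub-array
                $ref[] = [];
                end($ref);
                $k = key($ref);
            } elseif (!isset($ref[$k]) || !is_array($ref[$k])) {
                $ref[$k] = [];
            }
            $ref = &$ref[$k];
        }
        if ($last === '') {
            $ref[] = $value;
        } else {
            $ref[$last] = $value;
        }
        unset($ref);                     // drop the reference before reuse
    }
    return $result;
}

// Constructed sample: the client sends a literal "%26" (encoded once as %2526),
// a literal "&" (encoded as %26), a dotted name, and two array-style names.
$query = 'literal=%2526&amp=%26&x.y=1&list[]=a&list[]=b&m[k][]=v';

$mine = decodeQueryString($query);
parse_str($query, $php);          // what PHP does when it populates $_GET
var_dump($mine === $php);         // same keys, order and values?
print_r($php);

// The question's hazard: $php['literal'] is the "%26" the client meant to send.
// Decoding it a second time turns it into "&", silently changing the value, so
// a parameter that goes through urldecode() after $_GET can no longer carry a
// literal "%" sequence, and any check done on the first form is bypassed by the
// second. Validate the value you actually use, and decode only once.
echo $php['literal'], "\n";
echo urldecode($php['literal']), "\n";
```

Run with `php decode.php`. parse_str() and the userland version should agree on every key, including x_y for the dotted name and the nested arrays; the final two lines print the once-decoded `%26` and then the double-decoded `&`, which is the discrepancy the manual's note warns about.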