[geeklog-devel] [geeklog-cvs] Geeklog-1.x/system lib-webservices.php, 1.16, 1.17
Joe Mucchiello
joe at ThrowingDice.com
Sun Nov 18 13:13:52 EST 2007
I have a potentially stupid question but why are you parsing the
QUERY_STRING when you can just use the $_GET array to look at it?
Consider a URL like http://www.example.com/webservice.php?find=can%27t.
A dump of $_GET yields: array("find" => "can't")
A dump of $args at the end of WS_dissectURI yields: array("find" => "can%27t").
At a minimum, shouldn't urldecode be called on the string before doing
the explode()?
lib-webservices.php, 1.17 in WS_dissectURI():

    $uri_parts = explode('&', $_SERVER['QUERY_STRING']);
    foreach ($uri_parts as $param) {
        $uri_parts = explode('=', $param);
        $param_key = COM_applyFilter($uri_parts[0]);
Shouldn't this be

    $uri_parts = explode('&', $_SERVER['QUERY_STRING']);
    foreach ($uri_parts as $param) {
        $param = urldecode($param); // clean up %nn fields and turn + signs to spaces
        if (get_magic_quotes_gpc()) {
            $param = addslashes($param); // undone in the COM_stripslashes called by COM_applyFilter below
        }
        $uri_parts = explode('=', $param, 2); // don't lose equal signs in the result
        $param_key = COM_applyFilter($uri_parts[0]);
Granted, the story API doesn't need this as quotes and stuff can't
appear in the sid. But future webservices might need to process
parameters with quotes so this API needs to handle them correctly.
You can use a simple script like this to view the differences:
    <?php
    var_dump($_GET); // var_dump() prints directly; it returns nothing to echo
    echo '<BR>"' . $_SERVER['QUERY_STRING'] . '"';
    ?>
----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com
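The difference described in the post, worked through as a stand-alone script. This is an added example and not Geeklog code: parse_raw() mimics the 1.17 behaviour of WS_dissectURI() (split, never decode), parse_decoded() splits on both separators first and decodes each component afterwards, and parse_str() shows how PHP builds $_GET. The query string is constructed for the demonstration, so the script runs from the CLI without a web server.

```php
<?php
// Added example, not from lib-webservices.php. Contrasts three ways of
// turning a query string into an array. The input below is constructed.

// Mimics WS_dissectURI() in 1.17: splits on '&' and '=' but never decodes,
// so percent-encoded characters survive into the argument array.
function parse_raw($query)
{
    $args = array();
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $kv = explode('=', $pair);          // no limit: a second '=' is silently dropped
        $args[$kv[0]] = isset($kv[1]) ? $kv[1] : '';
    }
    return $args;
}

// Split on the separators first, then decode each key and value on its own.
// Decoding after the split means an encoded separator (%26 or %3D) inside a
// value is data, never a delimiter.
function parse_decoded($query)
{
    $args = array();
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $kv = explode('=', $pair, 2);       // keep '=' characters that belong to the value
        $key = urldecode($kv[0]);            // urldecode() also maps '+' to a space
        $val = isset($kv[1]) ? urldecode($kv[1]) : '';
        $args[$key] = $val;
    }
    return $args;
}

// Constructed query string: an apostrophe, a '+', and an encoded '=' in a value.
$query = "find=can%27t&term=foo+bar&expr=c%3Dd";

echo "raw split (1.17 behaviour):\n";
var_dump(parse_raw($query));
// ["find" => "can%27t", "term" => "foo+bar", "expr" => "c%3Dd"]

echo "split then decode:\n";
var_dump(parse_decoded($query));
// ["find" => "can't", "term" => "foo bar", "expr" => "c=d"]

echo "PHP's own parse_str() (what \$_GET is built from):\n";
parse_str($query, $builtin);
var_dump($builtin);
// ["find" => "can't", "term" => "foo bar", "expr" => "c=d"]
```

Running it shows why $_GET already holds "can't": PHP decodes after splitting, which is also the order a hand-rolled parser should use. Decoding the whole pair before the '=' split, as in the proposed patch, still works for an encoded '=' in a value because of the explode() limit of 2, but decoding per component needs no such special case.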