[geeklog-devel] [geeklog-cvs] Geeklog-1.x/system lib-webservices.php, 1.16, 1.17

Joe Mucchiello joe at ThrowingDice.com
Sun Nov 18 13:13:52 EST 2007

I have a potentially stupid question but why are you parsing the 
QUERY_STRING when you can just use the $_GET array to look at it?

Consider a URL like http://www.example.com/webservice.php?find=can%27t.
    A dump of $_GET yields: array("find" => "can't")
    A dump of $args at the end of WS_dissectURI yields: array("find" => "can%27t").

At a minimum, shouldn't urldecode be called on the string before doing 
the explode()?

lib-webservices.php,1.17 in WS_dissectURI()
       $uri_parts = explode('&', $_SERVER['QUERY_STRING']);
       foreach ($uri_parts as $param) {
           $uri_parts = explode('=', $param);
           $param_key = COM_applyFilter($uri_parts[0]);

Shouldn't this be

         $uri_parts = explode('&', $_SERVER['QUERY_STRING']);
         foreach ($uri_parts as $param) {
             $param = urldecode($param);  // clean up %nn fields and turn + signs to spaces
             if (get_magic_quotes_gpc()) {
                 $param = addslashes($param); // undone in the COM_stripslashes called by COM_applyFilter below
             }
             $uri_parts = explode('=', $param, 2);  // don't lose equal signs in the result
             $param_key = COM_applyFilter($uri_parts[0]);

Granted, the story API doesn't need this as quotes and stuff can't 
appear in the sid. But future webservices might need to process 
parameters with quotes so this API needs to handle them correctly.

You can use a simple script like this to view the differences:

var_dump($_GET);
echo '<BR>"' . $_SERVER['QUERY_STRING'] . '"';

Joe Mucchiello
Throwing Dice Games
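The difference the post describes, shown side by side as an added example (this is not code from the post or from Geeklog's lib-webservices.php; the function names and the query string are constructed for illustration): a parser that splits the raw QUERY_STRING without decoding, next to one that decodes each key and value after splitting, compared against parse_str(), which applies the same decoding PHP uses to fill $_GET.

```php
<?php
// Added example, not from the geeklog-devel post or Geeklog itself.
// Constructed input exercises the cases the post worries about: an
// apostrophe, an encoded '&', an encoded '=', and a '+' for a space.

// Split on '&' and '=' with no decoding, as the quoted WS_dissectURI does.
// %xx sequences and '+' reach the caller untouched.
function parse_query_naive($query)
{
    $args = array();
    foreach (explode('&', $query) as $param) {
        $parts = explode('=', $param);
        $args[$parts[0]] = isset($parts[1]) ? $parts[1] : '';
    }
    return $args;
}

// Split first, then urldecode key and value separately. Decoding after the
// split means an encoded '&' (%26) or '=' (%3D) inside a value cannot be
// mistaken for a separator, and '+' becomes a space as in $_GET.
function parse_query_decoded($query)
{
    $args = array();
    if ($query === '') {
        return $args;
    }
    foreach (explode('&', $query) as $param) {
        $parts = explode('=', $param, 2);   // at most one split: value may contain '='
        $key   = urldecode($parts[0]);
        $value = isset($parts[1]) ? urldecode($parts[1]) : '';
        $args[$key] = $value;
    }
    return $args;
}

// Constructed query string (what $_SERVER['QUERY_STRING'] would hold).
$query = "find=can%27t&range=a%26b&expr=x%3Dy&title=hello+world";

$naive   = parse_query_naive($query);
$decoded = parse_query_decoded($query);

// parse_str() decodes the way PHP does when it builds $_GET.
parse_str($query, $builtin);

var_dump($naive);
var_dump($decoded);
var_dump($decoded === $builtin);
```

Run it from the command line with php; the naive array keeps "can%27t", "a%26b", "x%3Dy" and "hello+world", while the decoded array and the parse_str() result both hold "can't", "a&b", "x=y" and "hello world". Decoding each piece after the split is slightly more robust than decoding the whole key=value pair first, because an encoded '=' in the key can then never be split on. The comparison with parse_str() holds for plain keys like these only: PHP also rewrites some characters in keys (for example '.' and spaces become '_') and turns keys ending in [] into arrays, and with magic_quotes_gpc on it adds slashes to $_GET values but never to the raw QUERY_STRING, which is why the post's proposal adds them by hand.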
