[geeklog-devel] [geeklog-cvs] Geeklog-1.x/system lib-webservices.php, 1.16, 1.17

Dirk Haun dirk at haun-online.de
Sun Nov 18 14:38:11 EST 2007


Joe Mucchiello wrote:

>I have a potentially stupid question but why are you parsing the 
>QUERY_STRING when you can just use the $_GET array to look at it?

Because we also need to parse it in POST, PUT, and DELETE requests. For
example, a story is POSTed to the URL /webservices/atom/?plugin=story


>At a minimum, shouldn't urldecode be called on the string before doing 
>the explode()?

You may be right there. I had it somewhere in the back of my mind never
to use urldecode on URLs because of security issues that may open up.
But I may be confusing this with the contents of $_GET, as explained in e.g.
<http://www.php.net/manual/en/function.urldecode.php#48481>

Need to double-check ...

bye, Dirk


-- 
http://www.geeklog.net/
http://geeklog.info/
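
The ordering question discussed in this message, as an added example that is not part of the original e-mail and not Geeklog's lib-webservices.php code: it parses a raw QUERY_STRING by splitting first and decoding each piece once, next to a decode-first variant for comparison. The function names and the sample query string are constructed for illustration, and PHP 7 or later is assumed.

```php
<?php
// Added illustration; parseRawQuery() and parseDecodeFirst() are
// hypothetical helper names, not functions from Geeklog.

// $_SERVER['QUERY_STRING'] is the raw, still-encoded string, while the
// values in $_GET have already been decoded once by PHP.

/** Split on the delimiters first, then decode each name and value once. */
function parseRawQuery(string $raw): array
{
    $params = [];
    foreach (explode('&', $raw) as $pair) {
        if ($pair === '') {
            continue; // tolerate "a=1&&b=2" and a trailing "&"
        }
        $parts = explode('=', $pair, 2); // limit 2 keeps "=" inside a value
        $name  = urldecode($parts[0]);
        $value = isset($parts[1]) ? urldecode($parts[1]) : '';
        $params[$name] = $value;         // last occurrence wins
    }
    return $params;
}

/** The order asked about in the thread: decode the whole string, then split. */
function parseDecodeFirst(string $raw): array
{
    $params = [];
    foreach (explode('&', urldecode($raw)) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $params[$parts[0]] = $parts[1] ?? '';
    }
    return $params;
}

// Constructed sample: the "title" value carries an encoded "&" and "=".
$raw = 'plugin=story&title=Q%26A%3A+tips%3Dtricks';

var_dump(parseRawQuery($raw));    // split, then decode
var_dump(parseDecodeFirst($raw)); // decode, then split
```

With the decode-first order, the encoded `&` inside the title value turns into a pair separator, so the value is cut short and an extra parameter appears that the sender never supplied as one.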



