[geeklog-devel] [geeklog-cvs] Geeklog-1.x/system lib-webservices.php, 1.16, 1.17

Dirk Haun dirk at haun-online.de
Sun Nov 18 14:38:11 EST 2007


Joe Mucchiello wrote:


>I have a potentially stupid question but why are you parsing the
>QUERY_STRING when you can just use the $_GET array to look at it?


Because we also need to parse it in POST, PUT, and DELETE requests. For
example, a story is POSTed to the URL /webservices/atom/?plugin=story



>At a minimum shouldn't urldecode be called on the string before doing
>the explode()


You may be right there. I had it somewhere in the back of my mind never
to use urldecode on URLs because of security issues that may open up.
But I may be confusing this with the contents of $_GET, as explained in e.g.
<http://www.php.net/manual/en/function.urldecode.php#48481>

Need to double-check ...

bye, Dirk


--
http://www.geeklog.net/
http://geeklog.info/
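
The ordering question raised in this thread (urldecode before or after the explode()), shown as an added example that is not part of the original message and is not Geeklog's lib-webservices.php code. The function names and the sample query string are hypothetical; in a real request the raw string would come from $_SERVER['QUERY_STRING'].

```php
<?php
// Added example with hypothetical helper names; not taken from Geeklog.

/**
 * Split the raw query string on its delimiters first, then decode each
 * name and value on its own. An encoded "&" (%26) or "=" (%3D) inside a
 * value stays part of that value.
 */
function parseQuerySplitThenDecode(string $raw): array
{
    $args = [];
    foreach (explode('&', $raw) as $pair) {
        if ($pair === '') {
            continue; // skip empty segments such as "a=1&&b=2"
        }
        $parts = explode('=', $pair, 2); // limit 2: keep any later "=" in the value
        $name  = urldecode($parts[0]);
        $args[$name] = isset($parts[1]) ? urldecode($parts[1]) : '';
    }
    return $args;
}

/**
 * The order to avoid: decode the whole string, then split. Encoded
 * delimiters become real ones, so a single value can turn into extra
 * parameters that the sender never put in the URL structure.
 */
function parseQueryDecodeThenSplit(string $raw): array
{
    $args = [];
    foreach (explode('&', urldecode($raw)) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $args[$parts[0]] = $parts[1] ?? '';
    }
    return $args;
}

// Constructed sample: the "title" value contains an encoded ampersand.
$raw = 'plugin=story&title=Q%26A';

var_dump(parseQuerySplitThenDecode($raw));
var_dump(parseQueryDecodeThenSplit($raw));
```

Values taken from $_GET are already decoded by PHP, so calling urldecode() on them again decodes twice; the helpers above apply only to a raw, still-encoded query string.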



