[thelist] QUERY_STRING_UNESCAPED question

Keith cache at dowebs.com
Thu Nov 29 18:33:25 CST 2001

Hi gang

Can anyone tell me why QUERY_STRING_UNESCAPED echoes 
the & sign as a space " " even if it is hex encoded %26? The 
peculiar treatment the # gets is understandable, but what's so 
special with the & sign? Or is this an Apache thing (I'm using 1.3.20 
and find references to problems with QSU in much earlier 

The reason I'm asking is that an SSI included file receives the 
QUERY_STRING_UNESCAPED but does not receive the 
escaped QUERY_STRING, making it impossible to send a value 
such as "me&you" unless you use a workaround to pass the 
QUERY_STRING instead. If & is a security problem in the shell, 
what kind of security hole is then opened up by using a workaround?


