[thelist] QUERY_STRING_UNESCAPED question

Keith cache at dowebs.com
Thu Nov 29 18:33:25 CST 2001


Hi gang

Can anyone tell me why QUERY_STRING_UNESCAPED echoes
the & sign as a space " " even if it is hex encoded %26? The 
peculiar treatment the # gets is understandable, but what's so 
special with the & sign? Or is this an Apache thing (I'm using 1.3.20 
and find references to problems with QSU in much earlier 
versions)?

The reason I'm asking is that an SSI included file receives the
QUERY_STRING_UNESCAPED but does not receive the 
escaped QUERY_STRING, making it impossible to send a value 
such as "me&you" unless you use a workaround to pass the 
QUERY_STRING instead. If & is a security problem in the shell, 
what kind of security hole is then opened up by using a workaround?

TIA

keith





