[thelist] QUERY_STRING_UNESCAPED question
Keith
cache at dowebs.com
Thu Nov 29 18:33:25 CST 2001
Hi gang
Can anyone tell me why QUERY_STRING_UNESCAPED echoes
the & sign as a space " " even if it is hex encoded %26? The
peculiar treatment the # gets is understandable, but what's so
special with the & sign? Or is this an Apache thing (I'm using 1.3.20
and find references to problems with QSU in much earlier
versions)?
The reason I'm asking is that an SSI included file receives the
QUERY_STRING_UNESCAPED but does not receive the
escaped QUERY_STRING, making it impossible to send a value
such as "me&you" unless you use a workaround to pass the
QUERY_STRING instead. If & is a security problem in the shell,
what kind of security hole is then opened up by using a workaround?
TIA
keith