[nycphp-talk] Converting hex?
Flavio daCosta
nyphp at n0p.net
Wed Sep 6 11:11:41 EDT 2006
On 09/06/2006 11:00 AM, Flavio daCosta wrote:
> On 09/06/2006 10:34 AM, Jeff Loiselle wrote:
>> $response = str_replace('\x', '%', $response);
>> $response = urldecode($response);
>
> Note: If one relies on (icky) "magic_quotes_gpc = On" (who does this
> anymore, right?) you could get '\x27' in your request that, after the
> above two lines, would be an unescaped '
Ha, if I had _read_ the whole thread, I would have seen that
'\x27' is exactly what you were trying to work with. Sorry, it's just
that 'urldecode' is one of the _dangerous_ functions that I watch for
when auditing code, and it jumped out at me in your earlier post.
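As an added illustration (not code from the thread) of why urldecode deserves a second look: the quoted two-line conversion decodes every percent sequence and every '+' in the request, not just the \xHH escapes, whereas a decoder scoped to \xHH leaves everything else as the client sent it. The function names and the sample input below are my own.

```php
<?php
// Added example, not from the original thread. Compares the
// str_replace/urldecode conversion quoted above with a decoder that only
// rewrites "\xHH" sequences. Sample input is constructed for illustration.

// The approach quoted in the thread: every '%' and '+' that reaches
// urldecode is interpreted, whether or not it came from a "\x" escape.
function decode_via_urldecode($s) {
    $s = str_replace('\x', '%', $s);
    return urldecode($s);
}

// A decoder limited to "\xHH" escapes (two hex digits). Bytes outside that
// pattern are passed through unchanged, so a literal '%' or '+' supplied
// by the client stays a literal '%' or '+'.
function decode_hex_escapes($s) {
    return preg_replace_callback(
        '/\\\\x([0-9A-Fa-f]{2})/',          // single-quoted: regex sees \\x
        function (array $m) { return chr(hexdec($m[1])); },
        $s
    );
}

// Constructed request value: one "\x27" escape (an apostrophe, the case
// discussed in the thread) plus a literal "%25", a "+" and a "%3C...%3E"
// that the client sent as-is.
$input = 'it\x27s 100%25 a+b %3Cb%3E';

$via_urldecode = decode_via_urldecode($input);   // also decodes %25, +, %3C, %3E
$hex_only      = decode_hex_escapes($input);     // only \x27 becomes '

echo "urldecode route: ", $via_urldecode, PHP_EOL;
echo "\\xHH only:       ", $hex_only, PHP_EOL;

// Either way the result is still untrusted input: escape it for wherever it
// goes next (HTML here) rather than trusting the decoding step to be safe.
echo "for HTML output: ", htmlspecialchars($hex_only, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

The difference between the two outputs is exactly the set of characters urldecode interpreted that were never "\x" escapes in the first place.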