First, thanks for Todd's help.

I do have some questions.

1. Open the URL: http://127.0.0.1/showCookie.php

ShowCookie.php code:

    <?php
    echo "<script>alert('" . $_COOKIE['TCSPUBLICJAUTHM'] . "');</script>";
    ?>

The pop-up shows:

    [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4 dNQ==

2. In the same window, input the string "javascript:alert(document.cookie);" and press Enter. The pop-up shows:

    [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4+dNQ==

So, I think it's being changed by PHP, not being HTML decoded by the browser.

And the string in the cookie, we should be reluctant to change.

> -----Original Message-----
> From: Zhao chunliang[chunliang.zhao]
> [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 05, 2008 3:52 AM
> To: php-general@lists.php.net
> Subject: Re: [PHP]COOKIE or coding
> 
> 1. Open the url : http://127.0.0.1/showCookie.php
>
> ShowCookie.php code:
>
>     <?php
>     var_dump($_COOKIE);
>     ?>
>
> That's print:
>     [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4 dNQ==
>
> 2. The same window, input the string "javascript:alert(document.cookie);" and enter, it's show :
>
> That's print:
>     [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4+dNQ==

Notice the "+". In certain situations in PHP, it will be HTML Decoded. This
means the "+" will turn into whitespace. Try this for an example:

index.php:
<?php
  echo $_GET['d'];
?>

Then visit http://yourhost/yourdirectory/index.php?d=Hello+World  ... it
should display "Hello World" instead of "Hello+World".

> 3. Now, I change the showCookie.php
>
>     <?php
>     echo "<script>alert('" . $_COOKIE['TCSPUBLICJAUTHM'] . "');</script>";
>     var_dump($_COOKIE);
>     ?>
>
> That's print:
>     [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4 dNQ==

As you can see, the only difference is the "+" has been replaced by
whitespace.
 
> I think the cookie in PHP is being changed.

It is, but it's not as drastic as you would think. There is an expected
behavior ("+" to " ") that you can deal with in your algorithm via
substitution, encoding, etc.

HTH,


Todd Boyd
Web Programmer

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
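
The "+" to space change discussed in this thread, with two ways to make a cookie value survive it, as an added example that is not part of the original messages. It assumes the decoding can be modelled with urldecode() and uses a constructed token; all function names are hypothetical.

```php
<?php
// Added example, not code from the thread. The token is constructed.
// Assumption: the decoding applied to the cookie value is modelled with
// urldecode(), which turns "+" into a space as the thread observes.

// Base64 text containing "+", "/" and "=", shaped like the thread's cookie.
$bytes = "\xfb\xef\xbe\xff";
$token = 'USER_ID=' . base64_encode($bytes);

// What a script receives for a value sent as $wireValue (hypothetical helper).
function value_after_decoding(string $wireValue): string
{
    return urldecode($wireValue);
}

// Fix 1: percent-encode before sending, so "+" travels as %2B.
function encode_for_cookie(string $value): string
{
    return rawurlencode($value);
}

// Fix 2: base64url alphabet, which has no "+", "/" or "=" to be rewritten.
function base64url_encode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Debug output for a <script> block: a JS string literal with quotes, "&"
// and angle brackets escaped, so the value cannot end the string or the tag.
function js_string_literal(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    return json_encode($value, $flags | JSON_INVALID_UTF8_SUBSTITUTE);
}

$asIs    = value_after_decoding($token);
$encoded = value_after_decoding(encode_for_cookie($token));
$urlSafe = base64url_encode($bytes);

printf("sent as-is:      %s\n", var_export($asIs, true));
printf("percent-encoded: %s\n", var_export($encoded, true));
printf("as-is intact:    %s\n", var_export($asIs === $token, true));
printf("encoded intact:  %s\n", var_export($encoded === $token, true));
printf("base64url %s intact: %s\n", $urlSafe,
    var_export(value_after_decoding($urlSafe) === $urlSafe, true));
echo '<script>alert(' . js_string_literal($asIs) . ');</script>', "\n";
```

PHP's setcookie() URL-encodes the value when it sends the cookie, while setrawcookie() sends it unchanged, so a value set with setrawcookie() or by another application needs one of the two fixes applied by the sender.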


