On Tue, Dec 06, 2005 at 12:05:10PM -0800, Mark Steudel wrote:
> Let's say I have the following:
Before I go further:
htmlentities - escapes the output for html
urlencode- escapes the output for a url
> Current URL: http://www.domain.com/page.php?action=list
> http://www.domain.com/page.php?action=list&top=/page.php?action=list&id=3
> top=/page.php?action=list&id=3
> $top = $_SERVER['PHP_SELF'].'?'.$_SERVER['argv']['0']
- Be careful when using PHP_SELF, probably not a factor here but
consider if someone requested /page.php/foobar?action
PHP_SELF will be 'page.php/foobar'
- $_REQUEST['argv']... well, there isn't any such requested
variable.
> Now I want to create a URL with a return link in it
> <a href="'.$_SERVER['PHP_SELF'].'?action=add&amp;return='.$top.'"> Add
> Something </a>
> Should I use htmlentities on $top first?
No.. you are defining a URL parameter, so you should escape for a URL.
> Second, let's say instead of constructing a link I want to use a header and
> redirect someone
> header("location: page.php?action=add&return=".$top );
> So do I use urlencode here?
Yes, 'cause you are defining a URL parameter.
> Let's say I have something that has been htmlentitied, and I want to use a
> header command, do I htmlentitydecode and then urlencode?
Let's say I open a bottle of wine for someone, should I take the
first sip and say yes this is a good wine or not, or let them taste
and decide.
I wonder this 'cause, well, I wonder why the URL has anything to do
with htmlentities, 'cause it doesn't.. all it needs to know is that
what it is sending is OK (urlencoded). The URL doesn't care what the
application did prior to sending the data.
Hopefully to explain my first thoughts:
1. htmlentities should only be applied when outputting data that
will be interpreted as HTML.
ie: echoing to the browser.
2. urlencode should be used when outputting data that will be
interpreted within a URL.
ie: making an href or header('Location: ') call, in other words
defining data being sent via HTTP.
HTH,
Curt.
--
cat .signature: No such file or directory
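
The return-link case from this thread, worked through as an added example that is not code from either poster: the parameter value is URL-encoded, and HTML escaping is applied only when the finished URL is echoed into a page. The function names, the use of SCRIPT_NAME and QUERY_STRING in place of PHP_SELF and argv, htmlspecialchars() in place of htmlentities(), and the sample request are all assumptions made for the example.

```php
<?php
// Added example; the request values below are constructed.

// Build the return target. SCRIPT_NAME is used instead of PHP_SELF so
// trailing path info (/page.php/foobar) does not end up in the link.
function current_target(array $server): string
{
    $target = $server['SCRIPT_NAME'];
    if (($server['QUERY_STRING'] ?? '') !== '') {
        $target .= '?' . $server['QUERY_STRING'];
    }
    return $target;
}

// URL context: the value of one query parameter gets urlencode().
function add_url(string $script, string $returnTo): string
{
    return $script . '?action=add&return=' . urlencode($returnTo);
}

// HTML context: the finished URL is escaped once, at output time.
function add_link(string $url, string $label): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed request: /page.php/foobar?action=list&id=3
$server = [
    'PHP_SELF'     => '/page.php/foobar',
    'SCRIPT_NAME'  => '/page.php',
    'QUERY_STRING' => 'action=list&id=3',
];

$top = current_target($server);
$url = add_url($server['SCRIPT_NAME'], $top);

// Link in a page: parameter URL-encoded, then the whole href HTML-escaped.
echo add_link($url, 'Add Something'), "\n";

// Redirect: URL-encoded only, because nothing parses a header as HTML.
// In a real response this would be: header('Location: ' . $url);
echo 'Location: ', $url, "\n";

// Receiving side: the parameter arrives already URL-decoded, so there
// is nothing to undo before using it.
parse_str(parse_url($url, PHP_URL_QUERY), $query);
echo $query['return'], "\n";
```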