ID: 39078 User updated by: main at springtimesoftware dot com Reported By: main at springtimesoftware dot com -Status: Bogus +Status: Open Bug Type: Feature/Change Request Operating System: Windows XP PHP Version: 5.1.6 New Comment:
I'm not sure I'm following you. Section "Reserved:" in RFC 1738 (at http://www.freesoft.org/CIE/RFC/1738/4.htm) states: ---- Thus, only alphanumerics, the special characters "$-_.+!*'(),", and reserved characters used for their reserved purposes may be used unencoded within a URL. ---- Since "+" is listed, I would expect that any agent that obeyed this RFC would transmit "+" unchanged. That means that Apache should transmit "+" unchanged to PHP. This is why I would be surprised to find that Apache is the cause of this problem. Indeed, if I browse (using IE 6.0) to a Web page that contains a call to phpinfo(), browsing using a URL that contains the argument "Arg=+%20", then phpinfo() reports that _SERVER["QUERY_STRING"] has the value "Arg=+%20". (I just did this, I'm not making this up.) This confirms that the plus sign is getting to PHP okay. So wouldn't you agree with me that Apache cannot be causing this problem? PHP must be using urldecode() when it parses the arguments into the $_GET array, yes? Otherwise, how would the plus sign in the argument become a space? David Previous Comments: ------------------------------------------------------------------------ [2006-10-07 22:15:37] [EMAIL PROTECTED] It's not hard to believe... it's what the RFC states: http://www.freesoft.org/CIE/RFC/1738/4.htm, read the section "unsafe". ------------------------------------------------------------------------ [2006-10-07 21:44:08] main at springtimesoftware dot com So you are saying that this problem is definitely in Apache, not in PHP? You are saying that Apache converts plus signs into spaces? Please confirm this, it is hard to believe. David ------------------------------------------------------------------------ [2006-10-07 21:39:53] [EMAIL PROTECTED] PHP receives POST/GET data from Apache in decoded form, so if Javascript doesn't encode "+" sign, we can't fix it or even change it in anyway. ------------------------------------------------------------------------ [2006-10-07 21:02:10] main at springtimesoftware dot com Oops, I should have said that escape('+ ') gives '+%20'. On the PHP side, the "+" is considered an alias for " ", so the script sees " " (urldecode converts "+" into " " and "%20" into " "). I stand by the wording in the feature request. David ------------------------------------------------------------------------ [2006-10-07 20:58:17] main at springtimesoftware dot com The JavaScript escape function does not do what the urlencode function does. If it did, then escape on the JavaScript side would match urldecode on the PHP side, and this problem would not exist. If you apply escape to "+ ", you get "+ ". On the PHP side, PHP automatically applies urldecode, and you get " ". So, the problem is that plus sign does not get through to the PHP script. Is that clear now? David ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/39078 -- Edit this bug report at http://bugs.php.net/?id=39078&edit=1