Description: ------------ Square brackets considered unsafe by rfc1738 are not encoded when in variable name. Reproduce code: --------------- $var=array(1,2,3,4,5); $url=new Net_URL(); $url->addQueryString($var); echo $url->getUrl(); Expected result: ---------------- http://example.com/example.php?var[0]=1&var[1]=2&var[2]=3&var[3]=4&var[4]=5 Actual result: -------------- http://example.com/example.php?var%5B%5D=1&var%5B%5D=2&var%5B%5D=3&var%5B%5D=4&var%5B%5D=5

sorry, other way around Expected result: ---------------- http://example.com/example.php?var%5B%5D=1&var%5B%5D=2&var%5B%5D=3&var%5 B%5D=4&var%5B%5D=5 Actual result: -------------- http://example.com/example.php?var[0]=1&var[1]=2&var[2]=3&var[3]=4&var[4 ]=5

infact variable names are not encoded at all

Here's a potential patch to be applied to function Net_URL::getQueryString @@ -275,12 +275,12 @@ foreach ($this->querystring as $name => $value) { if (is_array($value)) { foreach ($value as $k => $v) { - $querystring[] = $this->useBrackets ? sprintf('%s[%s]=%s', $name, $k, $v) : ($name . '=' . $v); + $querystring[] = $this->useBrackets ? (urlencode(sprintf('%s[%s]', $name, $k)) . '=' . $v) : (urlencode($name) . '=' . $v); } } elseif (!is_null($value)) { - $querystring[] = $name . '=' . $value; + $querystring[] = urlencode($name) . '=' . $value; } else { - $querystring[] = $name; + $querystring[] = urlencode($name); } } $querystring = implode(ini_get('arg_separator.output'), $querystring); http://www.uvm.edu/~ashawley/php/Net_URL.php-bug-2334.diff-c

This bug has been fixed in CVS. In case this was a documentation problem, the fix will show up at the end of next Sunday (CET) on pear.php.net. In case this was a pear.php.net website problem, the change will show up on the website in short time. Thank you for the report, and for helping us make PEAR better.