Bug #2334 :: square brackets in var names are not encoded

Package home | Report new bug | New search | Development Roadmap

Status: Open | Feedback | All | Closed Since Version 1.0.15

Bug #2334	square brackets in var names are not encoded
Submitted:	2004-09-15 03:26 UTC
From:	alexei at net24 dot co dot nz	Assigned:	richard
Status:	Closed	Package:	Net_URL
PHP Version:	5.0.1	OS:	freebsd
Roadmaps:	(Not assigned)
Subscription	Your email:

Comments Add Comment Add patch

[2004-09-15 03:26 UTC] alexei at net24 dot co dot nz

Description:
------------
Square brackets considered unsafe by rfc1738 are not
encoded when in variable name.

Reproduce code:
---------------
$var=array(1,2,3,4,5);
$url=new Net_URL();
$url->addQueryString($var);
echo $url->getUrl();




Expected result:
----------------
http://example.com/example.php?var[0]=1&var[1]=2&var[2]=3&var[3]=4&var[4]=5

Actual result:
--------------
http://example.com/example.php?var%5B%5D=1&var%5B%5D=2&var%5B%5D=3&var%5B%5D=4&var%5B%5D=5

Comments

[2004-09-15 03:27 UTC] alexei at net24 dot co dot nz

sorry, other way around

Expected result:
----------------
http://example.com/example.php?var%5B%5D=1&var%5B%5D=2&var%5B%5D=3&var%5
B%5D=4&var%5B%5D=5

Actual result:
--------------
http://example.com/example.php?var[0]=1&var[1]=2&var[2]=3&var[3]=4&var[4
]=5

[2004-09-15 03:35 UTC] alexei at net24 dot co dot nz

infact variable names are not encoded at all

[2004-10-11 21:03 UTC] aaron dot hawley at uvm dot edu

Here's a potential patch to be applied to function Net_URL::getQueryString

@@ -275,12 +275,12 @@
             foreach ($this->querystring as $name => $value) {
                 if (is_array($value)) {
                     foreach ($value as $k => $v) {
-                        $querystring[] = $this->useBrackets ? sprintf('%s[%s]=%s', $name, $k, $v) : ($name . '=' . $v);
+                        $querystring[] = $this->useBrackets ? (urlencode(sprintf('%s[%s]', $name, $k)) . '=' . $v) : (urlencode($name) . '=' . $v);
                     }
                 } elseif (!is_null($value)) {
-                    $querystring[] = $name . '=' . $value;
+                    $querystring[] = urlencode($name) . '=' . $value;
                 } else {
-                    $querystring[] = $name;
+                    $querystring[] = urlencode($name);
                 }
             }
             $querystring = implode(ini_get('arg_separator.output'), $querystring);

http://www.uvm.edu/~ashawley/php/Net_URL.php-bug-2334.diff-c

[2005-03-02 03:41 UTC] User who submitted this comment has not confirmed identity

If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!