> -----Original Message-----
> From: Zhao chunliang[chunliang.zhao]
> [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 05, 2008 3:52 AM
> To: php-general@lists.php.net
> Subject: Re: [PHP]COOKIE or coding
> 
> 1. Open the URL: http://127.0.0.1/showCookie.php
> 
> showCookie.php code:
> 
> <?php
>   // Dump every cookie PHP parsed out of the request's Cookie: header.
>   var_dump($_COOKIE);
> ?>
> 
> That prints:
> [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4 dNQ==
> 
> 2. In the same window, enter the string
> "javascript:alert(document.cookie);" in the address bar and press Enter. It shows:
> 
> [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4+dNQ==

Notice the "+". In certain situations in PHP, it will be HTML Decoded. This 
means the "+" will turn into whitespace. Try this for an example:

index.php:
<?php
  // Reflect the "d" query parameter. PHP has already URL-decoded it, so a
  // "+" in the query string arrives here as a space. Escaped for HTML so
  // the demo page itself is not an injection sink.
  echo htmlspecialchars($_GET['d'] ?? '', ENT_QUOTES, 'UTF-8');
?>

Then visit http://yourhost/yourdirectory/index.php?d=Hello+World  ... it should 
display "Hello World" instead of "Hello+World".

> 3. Now I change showCookie.php:
> 
> <?php
>   // Hand the cookie value to JavaScript as a JSON string literal instead
>   // of splicing it raw between quotes, then dump all cookies as before.
>   $auth = $_COOKIE['TCSPUBLICJAUTHM'] ?? '';
>   echo '<script>alert(' . json_encode($auth, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP) . ');</script>';
>   var_dump($_COOKIE);
> ?>
> 
> That prints:
> [TCSPUBLICJAUTHM] => USER_ID=/zhW/2QXY/GUtIN7m4 dNQ==

As you can see, the only difference is the "+" has been replaced by whitespace.
 
>                    I think the cookie in php being changed.

It is, but it's not as drastic as you would think. There is an expected 
behavior ("+" to " ") that you can deal with in your algorithm via 
substitution, encoding, etc.

HTH,


Todd Boyd
Web Programmer

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
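An added example, not code from either message in this thread, that models in PHP how the browser's Cookie: header is decoded into $_COOKIE (each value goes through urldecode(), which is where "+" turns into a space) and shows the substitution and encoding options the reply mentions. The cookie name and value are the ones quoted above; the full Cookie: header line and the PHPSESSID entry are constructed, parse_like_php() is a simplified model of PHP's parser (it ignores PHP's extra mangling of "." and "[" in cookie names), and the function names are my own. Assumes PHP 7.4 or later.

```php
<?php
// Added example: how "+" in a cookie value becomes " " in $_COOKIE, and
// how to read, restore or correctly emit such a value. Cookie name/value
// come from the thread; the header line and PHPSESSID are constructed.
declare(strict_types=1);

const COOKIE_NAME = 'TCSPUBLICJAUTHM';
const RAW_VALUE   = 'USER_ID=/zhW/2QXY/GUtIN7m4+dNQ==';

// Constructed request header, as a browser would send it (no decoding).
// In a real request this string is $_SERVER['HTTP_COOKIE'].
$sampleHeader = COOKIE_NAME . '=' . RAW_VALUE . '; PHPSESSID=constructedsessionid';

/**
 * Simplified model of how PHP fills $_COOKIE (assumption: PHP's mangling
 * of "." and "[" in names is ignored). Each pair is split on its first "=",
 * then name and value pass through urldecode(), which maps "+" to a space.
 * That is the change the original poster observed.
 */
function parse_like_php(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = ltrim($pair);
        if ($pair === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $cookies[urldecode($name)] = urldecode($value);
    }
    return $cookies;
}

/**
 * Option 1: read the value straight from the raw header, skipping
 * urldecode(). Useful when another system wrote the cookie and did not
 * percent-encode base64's "+", "/" and "=".
 */
function raw_cookie(string $header, string $name): ?string
{
    foreach (explode(';', $header) as $pair) {
        [$n, $v] = array_pad(explode('=', ltrim($pair), 2), 2, '');
        if ($n === $name) {
            return $v;
        }
    }
    return null;
}

/**
 * Option 2: if only $_COOKIE is available, undo the one substitution
 * urldecode() made. Safe for base64, whose alphabet has no space; not
 * safe for values that may legitimately contain spaces.
 */
function restore_plus(string $decoded): string
{
    return str_replace(' ', '+', $decoded);
}

/**
 * Option 3 (sending side): percent-encode the value so the round trip is
 * lossless. setcookie() already does this; setrawcookie() does not.
 */
function cookie_header_value(string $name, string $value): string
{
    return $name . '=' . rawurlencode($value);
}

/**
 * Passing a cookie value to inline JavaScript, as step 3 of the thread
 * tried: json_encode() with the HEX flags yields a JS string literal that
 * cannot break out of the script element or the surrounding HTML.
 */
function js_string_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

$mangled  = parse_like_php($sampleHeader)[COOKIE_NAME];
$raw      = raw_cookie($sampleHeader, COOKIE_NAME);
$restored = restore_plus($mangled);
$payload  = fn(string $v): string => substr($v, strlen('USER_ID='));

printf("as \$_COOKIE sees it: %s\n", $mangled);
printf("as the browser sent:  %s\n", $raw);
printf("restore_plus() equals raw: %s\n", var_export($restored === $raw, true));
// Strict base64 decoding checks the group length; with the "+" lost, the
// mangled payload no longer lines up, so the corruption is detectable
// before the value is trusted.
printf("strict base64 ok (mangled): %s\n", var_export(base64_decode($payload($mangled), true) !== false, true));
printf("strict base64 ok (raw):     %s\n", var_export(base64_decode($payload($raw), true) !== false, true));
// A percent-encoded cookie survives PHP's decoding unchanged.
$encoded = cookie_header_value(COOKIE_NAME, RAW_VALUE);
printf("round trip via rawurlencode(): %s\n", var_export(parse_like_php($encoded)[COOKIE_NAME] === RAW_VALUE, true));
// Safe way to hand the value to inline JavaScript.
echo '<script>alert(' . js_string_literal($raw) . ');</script>', "\n";
```

Run it with `php cookie_plus.php` (any file name). The first two lines of output show the space in the parsed value against the "+" in the raw header, which is the difference the thread is about; the remaining lines show that str_replace() restores the original for a base64 value, that strict base64_decode() rejects the mangled payload, and that a cookie emitted with rawurlencode() (or setcookie(), which encodes for you) comes back intact.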
