[sclug] URL encoding/decoding question

Dickon Hood sclug at splurge.fluff.org
Sun Feb 19 18:08:58 UTC 2006


On Sun, Feb 19, 2006 at 17:32:23 +0000, Roland Turner (SCLUG) wrote:

: On the way back, you should be able to fish it out unencoded, as long as
: the form's encoding is set to message/multipart instead of url-encoded.
: (Again, the question, why are you url-encoding?)

I'm going to guess, but it's because he isn't using placeholders, and is
attempting to URL encode everything to avoid SQL-special characters.  It's
the sort of thing I've done in the past for similar reasons.

Don't do this.

Read up on placeholders.  They allow you to store arbitrary data without
fear of missing the occasional malicious '; DROP DATABASE;' inserted into
the SQL by some nasty person.

-- 
Dickon Hood

Due to digital rights management, my .sig is temporarily unavailable.
Normal service will be resumed as soon as possible.  We apologise for the
inconvenience in the meantime.

No virus was found in this outgoing message as I didn't bother looking.
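
The placeholder approach recommended in the message above, as an added example that is not part of the original post. It assumes Python's standard `sqlite3` module and an in-memory database; the `notes` table, the function names and the sample string are constructed for illustration.

```python
import sqlite3
from urllib.parse import quote

# Constructed sample input containing SQL-special characters.
HOSTILE = "x'; DROP TABLE notes; --"

def make_db():
    """Create a throwaway in-memory database with one table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    return db

def store_with_placeholder(db, body):
    # The ? placeholder passes the value separately from the SQL text,
    # so quotes and semicolons in it are never parsed as SQL.
    return db.execute("INSERT INTO notes (body) VALUES (?)", (body,)).lastrowid

def store_urlencoded(db, body):
    # The pattern the post advises against: URL-encode, then splice into the SQL.
    # The stored value is no longer the original data, every reader has to
    # remember to decode it, and safety depends on no code path skipping the encoding.
    encoded = quote(body, safe="")
    return db.execute("INSERT INTO notes (body) VALUES ('%s')" % encoded).lastrowid

def fetch(db, note_id):
    row = db.execute("SELECT body FROM notes WHERE id = ?", (note_id,)).fetchone()
    return row[0] if row else None

def table_exists(db, name):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    a = store_with_placeholder(db, HOSTILE)
    b = store_urlencoded(db, HOSTILE)
    print("placeholder :", fetch(db, a))   # original text, byte for byte
    print("url-encoded :", fetch(db, b))   # percent-encoded text, not the original
    print("table intact:", table_exists(db, "notes"))
```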