While looking over the docs for urldecode() I came across this note:

The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results.

This is the reason why a GET variable with the value of %26 ends up being &. Are there any other auto-magical decode routines other than urldecode()? Perhaps decoding that is only done because of configuration or negotiation?

+1  A: 

While no longer really an issue in the later builds of PHP, GET, POST & COOKIE values used to have quotes automatically escaped... See here for more info: http://php.net/manual/en/security.magicquotes.php

Mike Sherov
+1  A: 

GET parameter decoding works actually in this sequence:

  • explode("&", $QUERY_STRING)
  • strtok("=") to split names from value
  • urldecode() on name and value
  • strtr($name, ".", "_") - non-alphanumeric characters mostly stripped from var names (a GET parameter &x.y= becomes $_GET["x_y"])
  • expanding of [] array names
  • addslashes() on values if magic quotes were enabled - this is the only part that's configurable

When decoding POST parameters in multipart/form-data a charset= could be set individually for each field. But I have a hunch that PHP doesn't respect that.

That is all, AFAIK.

mario
+1 very good. Do you have any references? The php c++ file that performs these actions would be awesome.
Rook
mario
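The decoding sequence listed in the answer above, modelled in Python as an added example (this is not PHP's own source): each step runs in the stated order on the raw query string, and decode_again() models application code that calls urldecode() a second time on an already-decoded $_GET value, which is what the manual's note warns about. It assumes magic quotes are off and models only one level of [] nesting (PHP itself nests arbitrarily).

```python
import re
from urllib.parse import unquote_plus


def php_style_parse_query(query: str) -> dict:
    """Simplified model of how PHP fills $_GET from the raw QUERY_STRING."""
    params: dict = {}
    for pair in query.split("&"):               # 1. explode("&") on the RAW string,
        if pair == "":                          #    so an encoded %26 never splits
            continue
        name, _, value = pair.partition("=")    # 2. strtok("=") style split
        name = unquote_plus(name)               # 3. urldecode() on name and value
        value = unquote_plus(value)             #    ('+' becomes a space, %26 -> '&')
        base, bracket, rest = name.lstrip().partition("[")
        base = re.sub(r"[ .]", "_", base)       # 4. '.' and ' ' in names -> '_'
        if bracket and rest.endswith("]"):      # 5. expand [] and [key] names
            key = rest[:-1]
            if key == "":
                params.setdefault(base, []).append(value)
            else:
                params.setdefault(base, {})[key] = value
        else:                                   # unmatched '[' is just mangled to '_'
            params[base + ("_" + rest if bracket else "")] = value
    return params                               # 6. addslashes() skipped: magic quotes off


def decode_again(params: dict) -> dict:
    """Models code that runs urldecode() on $_GET values: a second decode.

    A client that literally wanted to send the text '%26' must encode it as
    '%2526'; PHP decodes that once to '%26'.  Decoding again turns it into '&',
    so the value no longer means what the client sent.
    """
    return {k: unquote_plus(v) if isinstance(v, str) else v
            for k, v in params.items()}


if __name__ == "__main__":
    # Constructed query string for illustration.
    raw = "x.y=%2526&a[]=1&a[]=2&b[k]=v%26w&flag"
    once = php_style_parse_query(raw)
    print(once)                   # {'x_y': '%26', 'a': ['1', '2'], 'b': {'k': 'v&w'}, 'flag': ''}
    print(decode_again(once))     # 'x_y' is now '&'
```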