Esto es un comentario de
http://ar2.php.net/manual/en/function.urldecode.php Cita: Matt Johnson
25-Dec-2004 09:49
A reminder: if you are considering using urldecode() on a $_GET variable, DON'T!
Evil PHP:
<?php
# BAD CODE! DO NOT USE!
$term = urldecode($_GET['sterm']);
?>
Good PHP:
<?php
$term = $_GET['sterm'];
?>
The webserver will arrange for $_GET to have been urldecoded once already by the time it reaches you!
Using urldecode() on $_GET can lead to extreme badness, PARTICULARLY when you are assuming "magic quotes" on GET is protecting you against quoting.
Hint: script.php?sterm=%2527 [...]
PHP "receives" this as %27, which your urldecode() will convert to "'" (the singlequote). This may be CATASTROPHIC when injecting into SQL or some PHP functions relying on escaped quotes -- magic quotes rightly cannot detect this and will not protect you!
This "common error" is one of the underlying causes of the Santy.A worm which affects phpBB < 2.0.11.
Tambien, pero en esto no estoy tan seguro, algo parecido pasa con stripslashes(), porque por lo general, ese trabajo se hace atomaticamente por PHP (depende de la config. del php.ini).
La funcion, deberia quedear algo asi...
Código PHP:
function array_recibe($copialista) {
if (!get_magic_quotes_gpc()) {
$tmp = stripslashes($copialista);
}
$tmp = unserialize($tmp);
return $tmp;
}
Que opinan ustedes...
Saludos