-
Notifications
You must be signed in to change notification settings - Fork 2
Jurek Muszyński edited this page Dec 19, 2021
·
8 revisions
Scans query string for param and if found, URI-decodes it, and copies its value to variable. For POST, PUT and DELETE methods it assumes query string is in payload.
QSVAL is just a typedef for C-style string, long enough to hold the value, as QS makes the check.
Returns true if param is present in query string, otherwise false.
QSVAL qs_name;
if ( QS("name", qs_name) )
OUT("<p>Welcome %s!</p>", qs_name);
QS comes in four SQL- and XSS-injection security flavours:
QS - default - behaviour depends on QS_DEF_xxx compilation switch (by default it's QS_DEF_HTML_ESCAPE).
QS_HTML_ESCAPE - value is HTML-escaped
QS_SQL_ESCAPE - value is SQL-escaped
QS_DONT_ESCAPE - value is not escaped
And the fifth one:
QS_RAW - value is not URI-decoded