Jurek Muszyński edited this page Dec 31, 2019
Scans the query string for param and, if found, URI-decodes it and copies its value into the given variable. For the POST, PUT and DELETE methods it assumes the query string is in the request payload.
QSVAL is just a typedef for a C-style string long enough to hold the value, since QS checks the length before copying. By default it is 255 bytes. For longer texts see QS_TEXT.
Returns true if param is present in the query string, otherwise false.
```c
QSVAL qs_firstname;                              /* 255-byte buffer for the decoded value */
if ( QS("firstname", qs_firstname) )             /* true only if the param is present */
    OUT("<p>Welcome %s!</p>", qs_firstname);     /* value is escaped per the QS flavour used */
```
The QS family comes in four SQL- and XSS-injection security flavours:
- QS - default - behaviour depends on the QS_DEF_xxx compilation switch (by default it's QS_DEF_HTML_ESCAPE).
- QS_HTML_ESCAPE - value is HTML-escaped
- QS_SQL_ESCAPE - value is SQL-escaped
- QS_DONT_ESCAPE - value is not escaped

And the fifth one:
- QS_RAW - value is not URI-decoded
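As an added, stand-alone illustration (not the framework's own code), a minimal C version of what QS does: scan the query string for a whole parameter name, URI-decode the match into a bounded buffer, and report presence as a bool, followed by the HTML-escaping step that QS_HTML_ESCAPE applies before the value reaches OUT(). The names qs_get, html_escape and the sample query strings are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Scan `qs` for `name`; on a hit, URI-decode its value into `out` (capacity `outlen`,
 * always NUL-terminated, never overrun) and return true; otherwise return false. */
bool qs_get(const char *qs, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = qs;
    if (outlen) out[0] = '\0';
    while (p && *p) {
        /* match the whole name, so "first" does not hit "firstname" */
        if (strncmp(p, name, nlen) == 0 && (p[nlen] == '=' || p[nlen] == '&' || p[nlen] == '\0')) {
            const char *v = p + nlen + (p[nlen] == '=');
            size_t o = 0;
            while (*v && *v != '&' && o + 1 < outlen) {
                if (*v == '+') { out[o++] = ' '; v++; }
                else if (*v == '%' && isxdigit((unsigned char)v[1]) && isxdigit((unsigned char)v[2])) {
                    out[o++] = (char)(hexval(v[1]) * 16 + hexval(v[2])); v += 3;
                } else out[o++] = *v++;
            }
            if (outlen) out[o] = '\0';   /* a value longer than outlen-1 is truncated, not overflowed */
            return true;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return false;
}

/* HTML-escape `in` into `out`: what QS_HTML_ESCAPE does so that a value echoed
 * with OUT() is rendered as text rather than interpreted as markup. */
void html_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        char lit[2] = { *in, '\0' };
        const char *rep = *in == '<' ? "&lt;" : *in == '>' ? "&gt;" : *in == '&' ? "&amp;"
                        : *in == '"' ? "&quot;" : *in == '\'' ? "&#39;" : lit;
        size_t rl = strlen(rep);
        if (o + rl >= outlen) break;   /* stop rather than overrun the buffer */
        memcpy(out + o, rep, rl);
        o += rl;
    }
    if (outlen) out[o] = '\0';
}
```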