-
Notifications
You must be signed in to change notification settings - Fork 53
QS_TEXT
Jurek Muszyński edited this page Dec 31, 2019
·
1 revision
Scans query string for param and if found, URI-decodes it, and copies its value to variable. For POST, PUT and DELETE methods it assumes query string is in payload.
QSVAL_TEXT is just a typedef for C-style string, long enough to hold the value, as QS_TEXT makes the check. By default it is 64 KiB.
Returns true if param is present in query string, otherwise false.
QSVAL_TEXT comment;
if ( QS_TEXT("comment", comment) )
OUT("<div class=comm>%s</div>", comment);
QS family comes in four SQL- and XSS-injection security flavours:
QS - default - behaviour depends on QS_DEF_xxx compilation switch (by default it's QS_DEF_HTML_ESCAPE).
QS_HTML_ESCAPE - value is HTML-escaped
QS_SQL_ESCAPE - value is SQL-escaped
QS_DONT_ESCAPE - value is not escaped
And the fifth one:
QS_RAW - value is not URI-decoded