Re: "QUERY_STRING beast" Was "CGI ???"

Darren New ([email protected])
Fri, 17 Nov 1995 17:27:54 +0000


> Some of the "ugliness" in the CGI standard arises from security
> concerns. Escaped characters exist in part to prevent processes on
> various systems from choking on characters that are special to those
> processes, and, therefore, to make CGI robust across many platforms.

Actually, I thought CGI stuff was escaped because it's basically
URL-like, and URLs are escaped so they are easy to read/print/etc.
Nothing to do with security.

> The QUERY_STRING may be empty and certainly does not need to be
> a "beast" if client data is dispatched with method POST -- the
> *recommended* way.

Well, you could certainly make the server decode the URL escapes instead
of the CGI script, but that doesn't mean having the CGI script do it is
somehow wrong.