[PHP] base64-encoding in cookies?

[Fletcher Mattox]

Hi,

A campus web server (not under my control) returns an authentication
string in a cookie named AUTH.  The cookie's value is an encrypted,
base64 encoded string.  Unfortunately, when I examine $_COOKIE['AUTH'],
it is clear that all of the '+' characters have been replaced with a ' ' 
character in the base64 string.  Why is this?  Obviously, this corrupts
the data and makes it impossible to base64-decode the string correctly.
I believe this is a php issue and not, say, an apache issue because a
perl program can correctly authenticate the same cookie based on perl's
$ENV{'HTTP_COOKIE'}.  i.e., the perl cookie contains the original '+'.
Does anyone know how to make php (v5.1.5) do the right thing with base64
encoded cookies?

Thanks
Fletcher

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] base64-encoding in cookies?

[Fletcher Mattox]

I wrote:

> A campus web server (not under my control) returns an authentication
> string in a cookie named AUTH.  The cookie's value is an encrypted,
> base64 encoded string.  Unfortunately, when I examine $_COOKIE['AUTH'],
> it is clear that all of the '+' characters have been replaced with a ' ' 
> character in the base64 string.  Why is this?  Obviously, this corrupts
> the data and makes it impossible to base64-decode the string correctly.
> I believe this is a php issue and not, say, an apache issue because a
> perl program can correctly authenticate the same cookie based on perl's
> $ENV{'HTTP_COOKIE'}.  i.e., the perl cookie contains the original '+'.
> Does anyone know how to make php (v5.1.5) do the right thing with base64
> encoded cookies?

This problem seems to be 

http://bugs.php.net/bug.php?id=35523

where it was dismissed as "Bogus" without any explanation why.  It seems
that '+' characters are intentionally converted to spaces in all cookies.
This makes no sense to me.  Can someone explain it?

Thanks,
Fletcher

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] base64-encoding in cookies?

[Fletcher Mattox]

Thanks everyone, and especially TG, for taking time to reply to my
question.  I have learned that apparently PHP silently runs urldecode()
on all cookies before copying them into the $_COOKIE variable, under
the assumption that all cookies have been urlencoded.

This seems like a bad assumption to me, and is perhaps an attempt to be
consistent with $_GET and $_REQUEST, which as Brad points out, have to
be url encoded.  But cookies aren't urls.  I thought their purpose was
to transfer data transparently, but maybe I am wrong about that.

If this is documented anywhere, I sure couldn't find it.

Morale: always get your cookies from $_SERVER["HTTP_COOKIE"], and *not*
from $_COOKIE.

Thanks again,
Fletcher

-Original Message-

> From [EMAIL PROTECTED]  Wed Feb  7 14:21:14 2007
> To: 
> From: <[EMAIL PROTECTED]>
> Subject: RE: [PHP] base64-encoding in cookies?
> 
> Exactly what I was going to mention, Brad.  Here's some more info.
> 
> Quoted from PHP manual for urlencode():
> 
> "Returns a string in which all non-alphanumeric characters except -_. have 
> been replaced with a percent (%) sign followed by two hex digits and spaces 
> encoded as plus (+) signs. It is encoded the same way that the posted data 
> from a WWW form is encoded, that is the same way as in 
> application/x-www-form-urlencoded media type. This differs from the RFC1738 
> encoding (see rawurlencode()) in that for historical reasons, spaces are 
> encoded as plus (+) signs."
> 
> Try this:
> 
> $space = " ";
> 
> echo "Urlencoded: " . urlencode($space) . "\n";
> echo "Rawurlencoded: " . rawurlencode($space) . "\n";
> 
> And you get:
> 
> Urlencoded: +
> Rawurlencoded: %20
> 
> If the only issue the OP is having is that the spaces are being transformed 
> from + to  then maybe just do a urlencode($_COOKIE['AUTH']) and try 
> doing the base64 decode off of that.  This assumes that urlencode() Doesn't 
> mangle other data in the cookie data.
> 
> Or a string replace " " to "+".
> 
> Kind of a non-technical answer, so maybe there's a better way to do this.  
> Maybe a setting in apache or PHP.  Don't really have time to research it 
> right now, just wanted to point out the urlencode() and rawurlencode() info.
> 
> PHP manual pages here:
> 
> http://us3.php.net/manual/en/function.urlencode.php
> http://us2.php.net/manual/en/function.rawurlencode.php
> 
> -TG
> 
> = = = Original message = = =
> 
> > -Original Message-
> > From: Fletcher Mattox [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, February 07, 2007 2:49 PM
> > To: php-general@lists.php.net
> > Subject: Re: [PHP] base64-encoding in cookies?
> > 
> > I wrote:
> > 
> > > A campus web server (not under my control) returns an authentication
> > > string in a cookie named AUTH.  The cookie's value is an encrypted,
> > > base64 encoded string.  Unfortunately, when I examine $_COOKIE['AUTH'],
> > > it is clear that all of the '+' characters have been replaced with a ' '
> > > character in the base64 string.  Why is this?  Obviously, this corrupts
> > > the data and makes it impossible to base64-decode the string correctly.
> > > I believe this is a php issue and not, say, an apache issue because a
> > > perl program can correctly authenticate the same cookie based on perl's
> > > $ENV'HTTP_COOKIE'.  i.e., the perl cookie contains the original '+'.
> > > Does anyone know how to make php (v5.1.5) do the right thing with base64
> > > encoded cookies?
> > 
> > This problem seems to be
> > 
> > ~http://bugs.php.net/bug.php?id=35523
> > 
> > where it was dismissed as "Bogus" without any explanation why.  It seems
> > that '+' characters are intentionally converted to spaces in all cookies.
> > This makes no sense to me.  Can someone explain it?
> > 
> > Thanks,
> > Fletcher
> > 
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> > 
> 
> Could it have something to do with url encoding?
> 
> For example:
> http://example.com/page.php?foo=ABC+123
> 
> echo $_GET['foo']; // should produce: ABC 123
> 
> http://example.com/page.php?foo=ABC%2B123
> 
> echo $_GET['foo']; // should produce: ABC+123
> 
> HTH,
> 
> Brad
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 
> ___
> Sent by ePrompter, the premier email notification software.
> Free download at http://www.ePrompter.com.
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] base64-encoding in cookies?

[Fletcher Mattox]

Jon Anderson writes:

> Cookies must be encoded somehow: Because a raw cookie will contain 
> "var=val; expires=time; path=/path/" type stuff, PHP would *have* to 
> encode it. 

I don't mean to be thick, Jon, but I don't understand why it has to be
encoded at all.  Are you saying that the "path=/path/" has to be encoded?
Well, ok (I don't entirely understand that either), but why encode
the "val"?  "val" can be arbitrary data and shoud be left uninterpreted,
in my opinion.

> If a user runs "setcookie('mycookie','this is my cookie; have 
> a bite!');", PHP has to pick some kind of encoding, and urlencoding 
> makes the most sense given its similarities to GET and POST.

Yes, it does seem like PHP does this because it wants to treat cookies
similarly to GET and POST urls.  But cookies are intrinsically different,
it seems to me.  In particular, they are not urls.

> Since PHP urlencodes values it sets, it follows logically that it would 
> also urldecode values it retrieves.

But there many other applications which are not written in PHP, nor is
there a standard which specifies url encoding for cookies as far as I know
(if there is, then all bets are off--I'm wrong, and I will go away :)).
Shouldn't PHP be designed to interoperate with these applications?

> If you don't want PHP's automagic cookie handling you can do it manually 
> as well with header('Set-Cookie: ...') and $_SERVER['HTTP_COOKIE'] on 
> the other end - which I believe is what you decided on.

Yep.  But is this fact documented somewhere?  I missed it.

Fletcher
  

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] base64-encoding in cookies?

[Fletcher Mattox]

Robert Cummings writes:

> On Thu, 2007-02-08 at 13:51 -0600, Fletcher Mattox wrote:
> > Jon Anderson writes:
> > 
> > > Cookies must be encoded somehow: Because a raw cookie will contain 
> > > "var=val; expires=time; path=/path/" type stuff, PHP would *have* to 
> > > encode it. 
> > 
> > I don't mean to be thick, Jon, but I don't understand why it has to be
> > encoded at all.  Are you saying that the "path=/path/" has to be encoded?
> > Well, ok (I don't entirely understand that either), but why encode
> > the "val"?  "val" can be arbitrary data and shoud be left uninterpreted,
> > in my opinion.
> 
> If val can be any value then it can also be:
> 
> expires=time; path=/path/ 
> 
> Obviously, that would be an issue since that's part of the cookie
> parameters. As such, it needs to be encoded. Now go away!
> 
> :)

I would argue that if someone were to embed these parameters inside
a cookie's "value" parameter, then they lose all rights to the original
semantics.  But this is getting silly.

I find it interesting that nobody has been able to cite a standard
or even point to documentation of this "feature".

Fletcher

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] base64-encoding in cookies?

[Fletcher Mattox]

Robert Cummings writes:

> Dear numnutz, get off your lazy arse and read the doc for yourself:
>
> http://wp.netscape.com/newsref/std/cookie_spec.html
> 
> It clearly states:
> 
> NAME=VALUE
> This string is a sequence of characters excluding semi-colon, comma and
> white space. If there is a need to place such data in the name or value,
> some encoding method such as URL style %XX encoding is recommended,
> though no encoding is defined or required.
> 
> There, it left the encoding up to whoever is decoding it. Now feel free
> to take your troll ass and hide under a bridge someplace.

Actually, wouldn't you say it is left up to whoever is sending the cookie?
But more on that later.

Here is my point of view, if you are interested.  When the specification
for a language reads "encoding is recommended, but not required", then
it is leaving the decision to encode or not to encode up to the sender.
The sender is in the driver's seat and the receiver must follow suite.
(Side note: this is an inherently BAD specification since it requires
out-of-band agreement between the sender and receiver, and this is what
puts the developers of PHP in such a tough position.)  The receiver must
be able to handle either case.  But PHP does not permit this.  Instead,
PHP, in an attempt to avoid the chaos inherent a bad spec, has made the
decision for the sender.  The sender must encode, and has no choice.
I think this is at the root of my frustration.  I want control. :)
Also, keep in mind that in my case the sender is a third party over
whom I have no control.  Given a spec like this, I prefer cooperation
between sender and receiver rather than a decision by fiat made by the
programming language.

Now that I have seen the spec (thank you!), I can at least understand
why the PHP developers made the decision they did.  I still disagree
with it, but I was seeking only an understanding, and I have found that.
I hope you will agree I was not trolling here.

Oh.  One more thought.  If you wish to argue that PHP does provide
for both cases with $_COOKIE and $_SERVER['HTTP_COOKIE'], then I will
grudgingly agree with you.  See we can agree. :)  In that case, all I ask
is for a little documentation.  Is the distinction in these two variables
documented somewhere?  I have looked and looked and have come up empty.
I am asking this question with humility and sincerity.  I am asking it
because I honestly wish to learn.  I think you have misjudged my motives
and my character.

Thank you,
Fletcher

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] base64-encoding in cookies?

[Fletcher Mattox]

Robert Cummings writes:

> But isn't the sender and receiver usually one and the same. I mean your
> PHP application is usually what set the cookie in the first place. Then
> you receive it in the very same PHP application. 

No!  Not in this case.  The first sentence in my original message was:

"A campus web server (not under my control) returns an
authentication string in a cookie named AUTH."

Rob, is this why you are giving me such a hard time?  Do you think I
wrote the code which set the cookie?

The application which originated the cookie runs on a computer across
campus, and was written by our ITS department.  I work in the CS
department.  I have no access to that application.  I don't even know
which language it is written in.  Given this information, would you be
comfortable asking ITS to change their code just to make my application
happy?  I wouldn't.

> > Also, keep in mind that in my case the sender is a third party over
> > whom I have no control.  Given a spec like this, I prefer cooperation
> > between sender and receiver rather than a decision by fiat made by the
> > programming language.
> 
> Ah, so you have a mixed language environment. Well you can use the
> header() function to send the cookie header yourself. 

As I keep trying to say, I am not sending the cookie.  I do not have
that option.

> This allows you
> control over the sending. You can also use  apache_request_headers() to
> get full control over the incoming request headers.

Ah.  Interesting.  I was not aware of that function.  Thanks.

> > Oh.  One more thought.  If you wish to argue that PHP does provide
> > for both cases with $_COOKIE and $_SERVER['HTTP_COOKIE'], then I will
> 
> I'm not aware of a $_SERVER['HTTP_COOKIE'] field. Perhaps you meant
> $GLOBALS['HTTP_COOKIE_VARS']? If so, it is identical to $_COOKIE with
> $GLOBALS['HTTP_COOKIE_VARS'] being deprecated.

$_SERVER fields are dependent on your http server.  My server (apache)
provides HTTP_COOKIE.  Perhaps yours does not?

> > grudgingly agree with you.  See we can agree. :)  In that case, all I ask
> > is for a little documentation.  Is the distinction in these two variables
> > documented somewhere?  I have looked and looked and have come up empty.
> > I am asking this question with humility and sincerity.  I am asking it
> > because I honestly wish to learn.  I think you have misjudged my motives
> > and my character.
> 
> http://www.php.net/manual/en/function.header.php
> http://www.php.net/manual/en/function.apache-response-headers.php

Thanks for the pointers, but my request is for documentation of the fact
that $COOKIE has been urldecoded().  Do you know where that documentation
lives?

Say, I just noticed RFC 2965.  It essentially agrees with the Netscape
document on this matter, but it words it a little more clearly:

The VALUE is opaque to the user agent and may be anything the
origin server chooses to send, possibly in a server-selected
printable ASCII encoding. 

The server is in control.  The encoding, if any, is decided by the server.
No question about it.  In my case, the server decided not to encode.

In my opinion, PHP has done me a disservice by "decoding" (corrupting)
that value, putting it in the $_COOKIE variable and then not clearly
documenting it.

Does anyone else see my point here, or am I way off base here?

Fletcher

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] base64-encoding in cookies?

[Fletcher Mattox]

Jon Anderson writes:

> I won't argue that this behavior should probably be documented with 
> $_COOKIE, but it is documented with it's counterpart, setcookie: "Note 
> that the value portion of the cookie will automatically be urlencoded 
> when you send the cookie, and when it is received, it is automatically 
> decoded and assigned to a variable by the same name as the cookie name. 

Bingo!  Thank you, thank you, thank you.  This is exactly what I have
been missing all along.  It is not where I would have looked for it,
but I guess now I'll have to stop complaining it does not exist.

> If you don't want this, you can use setrawcookie() 

I wonder why PHP doesn't have a corresponding variable, $_RAWCOOKIE, to be
used with setrawcookie()?  That would have solved my problem.

>  instead if you 
> are using PHP 5."
> 
> In terms of the behavior, I think it makes total sense. The only case 
> where it would ever bite you is yours (which is rare because most people 
> wouldn't mix perl and PHP in the same system). 

I am beginning to understand why I am having so much trouble convincing
folks here that my problem is real.  Everyone seems to assume that cookies
are used only to communicate between one web application and a browser.
Perhaps my situation is rare.  It doesn't seem very rare to me.  :)

> I think some of the negativity aimed at you stems from the fact that the 
> behavior has been explained and is quite clear. > There isn't much point 
> in arguing what it should be. It is exactly what it is. If you want to 
> argue what the behavior should be, try php-dev. (Making that kind of 
> argument here is like yelling at your neighbor 'cause Vista 
> sucks...assuming Bill Gates isn't your neighbor. :-)

Point taken.  Maybe I *should* go to php-dev.  However, I fear they would
be an even harder sell than you guys.  :)  And life is too short for that.
Thanks, Jon, for a very insightful message.

Fletcher

Ps - if I were to go to php-dev, I think I would lobby for the addition of
a new global variable: $_RAWCOOKIE.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] array help

[Fletcher Mattox]

How does one represent a MySQL table as a two dimensional array
using the column names as one of the indices?  My naive attempt
went something like this:

while ($row = mysqli_fetch_assoc($result))
$table[] = $row;

but that generated this error;

Fatal error: [] operator not supported for strings

Ok.  So then I try to explicitly assign each row, like this:

while ($row = mysqli_fetch_assoc($result))
$table[$i++] = $row;

While that generates no error, $table contains nothing useful when
I'm done.  So then I try to assign each row and column, like this:

while ($row = mysqli_fetch_assoc($result)) {
foreach ( $row as $col => $val)
$table[$i][$col] = $val;
$i++;
}

And that got me this error:

Fatal error: Cannot use string offset as an array 

So clearly my understanding of PHP arrays is lacking.
Please help.

Thanks
Fletcher

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] array help

[Fletcher Mattox]

Rob writes:

> Did you bother to initialize $table as an array() or are you another
> lazy slob of a programmer that expects the engine to read your mind
> (cluttered as that may be)?

Bingo.  

You seem to have no trouble reading my mind, why can't php? :)
Years of perl programming has promoted a certain sloth in my character.
It manifests in many different insidious forms.  Ask my wife.

Thanks!
Fletcher "lazy slob" Mattox

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php