<?
$script = "/cgi-bin/hr-bin/index.cgi";

$QSTRING = $QUERY_STRING;

if (isset($HTTP_POST_VARS)) {
    while (list ($header, $value) = each ($HTTP_POST_VARS)) { 
        $QSTRING = $QSTRING.'&'.$header.'='.$value; 
    }
}

virtual($script.'?'.$QSTRING);
?>
[download]

perl -e '$cat = "cat"; if ($cat =~ /\143\x61\x74/) { print "Its a cat!
+\n"; } else { print "Thats a dog\n"; } print "\n";'
[download]

use CGI qw( escape );
#[...]
if (isset($HTTP_POST_VARS)) {
    while (list ($header, $value) = each ($HTTP_POST_VARS)) { 
        $QSTRING = $QSTRING.'&'.$header.'='.escape($value);
    }                       # I added this: ^^^^^^^      ^
}
[download]

You might also need to escape the $header.

Update: jryan points out that I've used a Perl module to update your PHP code. Perhaps someone can pipe up with the way to URL-encode values in PHP or you can just use the original, still-escaped query string instead of rebuilding it from the now-unescaped parameter values.

        - tye (but my friends call me "Tye")

In case people wonder what the PHP equivalent of CGI's escape is, it's urlencode. So if we PHP-ify tye's code it might go a little something like this

$QSTRING =  $QUERY_STRING;
$hpv     =& $HTTP_POST_VARS;
if(is_array($hpv) && count($hpv) > 0)
    foreach($hpv as $key => $value)
        $QSTRING .= '&'.$key.'='.urlencode($value);
[download]


HTH

broquaint

I think your problem lies in the fact that you're not escaping URL-special characters (ie, probably ';', though I don't remember off the top of my head). I don't really know PHP but I have to believe they have a better way of building a query string than how you're doing it. At the very least, I'm sure PHP supplies a function to URL-encode data. Use that.

bbfu
Seasons don't fear The Reaper.
Nor do the wind, the sun, and the rain.
We can be like they are.