Good point about making sure it gets decoded properly. I do have control over the JS in this instance and started to do that (changing the hash to calculate pre-encoding), but I stopped for three reasons. 1) I encode the string in a JS function piece by piece, then calculate the hash once it's all pieced together. So I'd need to piece together a non-encoded string as well, then hash that. It's a lot of work, and is in a handful of files (pure laziness). JS code snippet below. 2) I'm not sure I'll always have control over the input like that. 3) I was hoping to handle it with Perl for ease. 
    var jData = {request:{'service':'ins_task_queue'},data:[]};
    $('[name=remote_download_id]:checked').each(function(){
        remote_download_id         = $(this).val();
        var here = $(this).siblings();
        var tmpObj = {};
        tmpObj['remote_download_id'] = remote_download_id;
        $.each($(this).siblings(),function(k,v){
-->            tmpObj[here[k].name] = encodeURIComponent(here[k].value
+);
        });
        here = $(this).parent().siblings().children(':input');
        $.each($(this).parent().siblings().children(':input'),function
+(k,v){
-->            tmpObj[here[k].name] = encodeURIComponent(here[k].value
+);
        });
        jData['data'].push(tmpObj);
    });

...

[download]
PHP parts: 
    public function getRequest($request,$data,$response_type){
        $reqData['request']['service']     = $request;
        $reqData['data']         = $data;
        $fields = array(
            'data' => json_encode($reqData)
            , 'xyz' => $xyz
            , 'abc' => $abc
        );
        $fields['api_key'] = getApiKey($fields);
        global $debug;
        $debug = $fields;
        return getSvc($fields);
    }

function getApiKey($fields){
    return hash_hmac('sha512',$fields['data'].$fields['abc'].$fields['
+xyz'],$GLOBALS['ses_secret_key']);
}

[download]

In reply to Re^2: CGI Input with Escaped Characters by hoyt
in thread CGI Input with Escaped Characters by hoyt

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.