in reply to PayPal Advice Sought

Well can't answer all, but here is an answer to the easy bit. The regex you have flagged is decoding %XX hex strings into ASCII. In HTTP certain chars have special significance. Spaces are encoded as '+' and special chars in strings (like ? & = % etc) are encoded as two hex digits with a leading %. Thus this regex is converting every instance of % plus two hex digits to the original pre-encoding ASCII. As it happens the only characters that don't need encoding are a-zA-Z0-9-_.!~*'(). Everything else is encoded. For example the # char is encoded %23 as the # symbol has a hex value of 0x23.

You get soft using CGI.pm all the time and forget all the work it does for you! For a good discussion of this check out Ovid's CGI tutorial which covers query strings, encoding and decoding in some detail.

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
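As an added illustration (not part of tachyon's post, and not CGI.pm's own code): a Perl encoder and decoder for the %XX scheme described above, run over a constructed query string. The order matters on the way in: split on & and = first, then decode each piece exactly once, otherwise an encoded %26 or %3D inside a value would be mistaken for a separator, and a double decode would turn %2527 into a bare quote.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode one application/x-www-form-urlencoded component:
# '+' becomes a space, then each %XX becomes the byte with that hex value.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;   # %23 -> '#', %25 -> '%'
    return $s;
}

# Encode: leave a-zA-Z0-9-_.!~*'() untouched, everything else -> %XX.
# (Spaces come out as %20 here; the decoder above accepts both %20 and '+'.)
sub url_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-_.!~*'()])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Constructed sample query string; the value of 'note' carries an
# encoded '&' and '#', which must survive the split on '&'.
my $qs = 'name=Bob+Smith&note=100%25+done%23%26more';

for my $pair (split /&/, $qs) {              # split BEFORE decoding
    my ($k, $v) = split /=/, $pair, 2;       # at most one split, on the first '='
    $v = '' unless defined $v;
    printf "%s => %s\n", url_decode($k), url_decode($v);
}
# prints:
#   name => Bob Smith
#   note => 100% done#&more

# Round trip: encoding the decoded value gives back an equivalent string.
print url_encode('100% done#&more'), "\n";   # 100%25%20done%23%26more
```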