We should always sanitize $_GET anyway. Just assume that ; is always used to separate stuff. Which is the case, anyway...
Occasionally though, SMF uses '&', as in the SID injector, and I don't know what it's there for. I'm assuming this is to 'emulate' enable_trans_sid being set to 1. Because I guess some servers won't allow you to use ini_set; if it's at 1, then it automatically injects & at the end of the SID, and then you end up with two different URL styles to deal with -- ?PHPSESSID=...; and ?PHPSESSID=...& -- so they chose to inject & and deal with it later (which I don't believe they do...)
I for one couldn't care less about that, but I suppose we should deal with it overall?
Yes, & is passed into SID, and I think you're probably right that it is related to handling enable_trans_sid.
Dealing with it is the big problem. How, exactly, do we proceed? I'm in no doubt the current situation is not ideal. But I'm not sure the other situations are any better either.
I hope you liked the name I chose for the setting :lol:
Although I'm never one to refuse SID! But only if it's C64-related
The same could be said of a session ID. If I have my forum running on 3 different browsers, should Wedge say I have 3 users online...? For debugging purposes it's fine. What about Googlebot? Sometimes you get many requests from the same IP IIRC. Because they're all using different sessions, Wedge considers them as multiple bots. I for one would rather see it recognized as a single 'user'.
If you have two different sessions from Google, that's two different bots browsing, and should be reflected as such, despite maybe coming from separate - or the same - IP addresses. Here's the thing: even now you cannot rely on an IP address being reflective of a single bot.
Two bots from Google browsing, with two sessions, will typically have two IP addresses. Though it won't always be that way.
It should always be there in homepage links (index.php). And never elsewhere.