URLEncode
by z3n on Feb.04, 2009, under Notes
“The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results.”
If you can’t tell whether $var comes from a superglobal, you will run into this issue:
Wrong:
$x=@gzuncompress(base64_decode(urldecode($var)));
Right:
// Decode only if the value still looks URL-encoded
if (strpos($var, "%") !== false) { $var = urldecode($var); }
$x = @gzuncompress(base64_decode($var));
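An added example (not from the original post) showing why the second decode breaks this particular payload: urldecode() turns "+" into a space, and "+" is a valid base64 character while "%" is not. The function names and the sample payload are constructed for illustration, and the zlib extension is assumed.

```php
<?php
// Added illustration: function names are hypothetical, sample data is constructed.

function decode_wrong(string $var)
{
    // Always decodes: if $var was already decoded, every '+' becomes ' '.
    return @gzuncompress(base64_decode(urldecode($var)));
}

function decode_right(string $var)
{
    // '%' is not in the base64 alphabet, so seeing one means the value
    // is still URL-encoded and needs exactly one decode.
    if (strpos($var, '%') !== false) {
        $var = urldecode($var);
    }
    return @gzuncompress(base64_decode($var));
}

// Build a constructed payload whose base64 form contains '+'.
$i = 0;
do {
    $raw = 'constructed sample payload #' . $i++;
    $b64 = base64_encode(gzcompress($raw));
} while (strpos($b64, '+') === false);

$onWire  = urlencode($b64);     // as sent by the client: '+' becomes %2B
$fromGet = urldecode($onWire);  // as PHP stores it in $_GET: decoded once already

// Second decode of an already-decoded value: does the payload survive?
var_dump(decode_wrong($fromGet) === $raw);

// Guarded decode handles both the superglobal value and the raw wire value.
var_dump(decode_right($fromGet) === $raw);
var_dump(decode_right($onWire) === $raw);
```

The "%" check is sound here only because the expected value is base64; it does not carry over to arbitrary strings that may legitimately contain "%".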