%2B decoding to a space instead of a plus


Problem description

We have a problem in a specific server. All plus signs posted to the application are replaced with spaces - that's in POST and GET, and on all pages on that site.

As a test case I have this little page (it's an ASP server):

<html>
<body>
  <form method="post">
    <input type="text" name="Plus" id="Plus" />
    <input type="submit" />
  </form>
  Previous Value: <%= request("Plus") %><br />
  Query String: <%= request.querystring %>
</body>
</html>

On every other server this works well, but on one server pluses are replaced with spaces.

Example: for the input "1 2+3" - request("Plus") is "1 2 3", and the Query String is "1+2+3". No good. Other characters seem to be decoding correctly.

It should be said that someone had tried to 'harden' this server against attacks, so obscure IIS options may be turned on (though we did remove the ISAPI filter).

Thanks.

UPDATE: It turns out there's another filter installed, the SQL Injection Filter ISAPIClipSQLInjection.dll from http://www.codeplex.com/IIS6SQLInjection.

The filter is buggy - it replaces valid characters from POST and GET:

  1. Plus signs are replaced with spaces: 1%2B2 -> 1 + 2, the same as 1 2

  2. Semicolons are replaced with commas: hello; -> hello,

A newer version of the filter (2.0b) does not fix this, but allows certain pages to be excluded. Since it is installed in production we decided not to remove the filter; we used javascript to change all pluses to "&#43 " (with a space and not a semicolon).

Not the optimal solution, but that's what the boss wanted.
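The symptoms above follow from how application/x-www-form-urlencoded treats "+" (a space) versus "%2B" (a literal plus). The following JavaScript is an added example, not code from the question or from the filter project: it models the reported filter behaviour (rewriting "%2B" to "+" while the request is still encoded, an assumption built from the symptoms, not the filter's real code) and shows why the "&#43 " workaround survives it.

```javascript
// Added example (not from the original post): a model of the symptoms described
// above, using standard application/x-www-form-urlencoded rules.

// Encode one field value as a browser does for a form submission:
// spaces become "+", a literal "+" becomes "%2B".
function encodeFormValue(value) {
  return encodeURIComponent(value).replace(/%20/g, "+");
}

// Decode one field value: "+" is a space, "%XX" is a percent-escaped byte.
function decodeFormValue(raw) {
  return decodeURIComponent(raw.replace(/\+/g, " "));
}

// Parse a body such as "Plus=1+2%2B3&x=y" into a plain object.
function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const val = eq < 0 ? "" : pair.slice(eq + 1);
    fields[decodeFormValue(key)] = decodeFormValue(val);
  }
  return fields;
}

// Constructed model of the reported filter behaviour (assumption, not the
// filter's real code): the escaped plus "%2B" is rewritten to a literal "+"
// while the request is still URL-encoded, so it later decodes as a space.
function filterRewritePlus(rawBody) {
  return rawBody.replace(/%2B/gi, "+");
}

// The client-side workaround from the update: replace "+" with "&#43 " before
// the form is submitted, so no "%2B" reaches the filter and the browser later
// renders "&#43" as a plus sign when the value is echoed into the HTML.
function workaroundValue(value) {
  return value.replace(/\+/g, "&#43 ");
}

// Round-trip a value through encode -> filter -> decode, returning what the
// server would see as the raw query string and as request("Plus").
function submitThroughFilter(value) {
  const body = filterRewritePlus("Plus=" + encodeFormValue(value));
  return { queryString: body.slice("Plus=".length), plus: parseFormBody(body).Plus };
}
```

For the question's input "1 2+3" the model reproduces the reported "1+2+3" query string and "1 2 3" value, while the workaround value decodes intact as "1 2&#43 3".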

Recommended answer

Consider ASCII codes. In place of a plus sign, use its ASCII code. It would be chr(43). Both ASP and SQL would understand this.

Here is a table with all ASCII codes: http://www.asciitable.com/

