Hashing Query String containing Special Characters not working

Question

I have posted a few questions about Tokens and Password reset and have managed to finally figure this all out. Thanks everyone!

So before reading that certain characters will not work in a query string, I decided to hash the query string but as you've guessed, the plus signs are stripped out.

How do you secure or hash a query string?

This is a sample from a company email I received and the string looks like this:

AweVZe-LujIAuh8i9HiXMCNDIRXfSZYv14o4KX0KywJAGlLklGC1hSw-bJWCYfia-pkBbessPNKtQQ&t=pr&ifl

In my setup, I am simply using a GUID. But does it matter?

In my scenario the user cannot access the password page, even without a GUID. That's because the page is set to redirect onload if the query string doesn't match the session variable?

Are there ways to handle query string to give the result like above?

This question is more about acquiring knowledge.

Update:

Here is the hash code:

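    // Needs: using System; using System.Security.Cryptography; using System.Text;
    public static string QueryStringHash(string input)
    {
        // Hash the UTF-8 bytes of the input with SHA-512.
        byte[] inputBytes = Encoding.UTF8.GetBytes(input);
        SHA512Managed sha512 = new SHA512Managed();

        byte[] outputBytes = sha512.ComputeHash(inputBytes);
        // Standard base64 output can contain '+', '/' and '='.
        return Convert.ToBase64String(outputBytes);
    }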

Then I pass the HASH (UserID) to a SESSION before sending it as a query string. On the next page, the Session HASH is not the same as the Query, which causes the values not to match and renders the query string invalid.

Note: I created a Class called Encryption that handles all the Hash and Encryption.

Session["QueryString"] = Encryption.QueryStringHash(UserID);

Response.Redirect("~/public/reset-password.aspx?uprl=" +
  HttpUtility.UrlEncode(Session["QueryString"].ToString())); 

I have also tried everything mentioned on this page, but with no luck:

How do I replace all the spaces with %20 in C# (http://stackoverflow.com/questions/1517586/how-do-i-replace-all-the-spaces-with-20-in-c-sharp)

Thanks for reading.

Recommended answer

The problem is that base64 encoding uses the '+' and '/' characters, which have special meaning in URLs. If you want to base64 encode query parameters, you have to change those characters. Typically, that's done by replacing the '+' and '/' with '-' and '_' (dash and underline), respectively, as specified in RFC 4648.

In your code, then, you'd do this:

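// Needs: using System; using System.Security.Cryptography; using System.Text;
public static string QueryStringHash(string input)
{
    // Hash the UTF-8 bytes of the input with SHA-512.
    byte[] inputBytes = Encoding.UTF8.GetBytes(input);
    SHA512Managed sha512 = new SHA512Managed();

    byte[] outputBytes = sha512.ComputeHash(inputBytes);
    string b64 = Convert.ToBase64String(outputBytes);
    // Swap the two URL-unsafe base64 characters for the RFC 4648 URL-safe ones.
    b64 = b64.Replace('+', '-');
    return b64.Replace('/', '_');
}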

On the receiving end, of course, you'll need to replace the '-' and '_' with the corresponding '+' and '/' before calling the method to convert from base 64.

They recommend not using the pad character ('='), but if you do, it should be URL encoded. There's no need to communicate the pad character if you always know how long your encoded strings are. You can add the required pad characters on the receiving end. But if you can have variable length strings, then you'll need the pad character.

Any time you see base 64 encoding used in query parameters, this is how it's done. It's all over the place, perhaps most commonly in YouTube video IDs.
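
The round trip described in the answer above, as an added example that is not code from the original post: URL-safe encoding without padding on the sending side, then restoring '+', '/' and the '=' padding on the receiving side before decoding. The names Base64Url and Demo, the sample bytes and the user id are constructed for illustration, and CryptographicOperations.FixedTimeEquals assumes .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class Base64Url
{
    // Encode with the RFC 4648 URL-safe alphabet and drop the '=' padding.
    public static string Encode(byte[] data)
    {
        return Convert.ToBase64String(data)
            .TrimEnd('=')
            .Replace('+', '-')
            .Replace('/', '_');
    }

    // Reverse the substitution and restore the padding from the length.
    public static byte[] Decode(string text)
    {
        string b64 = text.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 0: break;
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
            default: throw new FormatException("Invalid base64url length.");
        }
        return Convert.FromBase64String(b64);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed bytes whose standard base64 form consists only of '+' and '/'.
        byte[] sample = { 0xFB, 0xFF, 0xBF };
        Console.WriteLine(Convert.ToBase64String(sample) + " -> " + Base64Url.Encode(sample));

        // SHA-512 of a constructed user id, as in the question's QueryStringHash.
        byte[] hash;
        using (SHA512 sha512 = SHA512.Create())
            hash = sha512.ComputeHash(Encoding.UTF8.GetBytes("user-1234"));

        string queryValue = Base64Url.Encode(hash);      // usable as ?uprl=... as-is
        byte[] received = Base64Url.Decode(queryValue);  // padding restored here

        // Compare the decoded bytes with the stored value in constant time.
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(hash, received));
    }
}
```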
