%2B解码的空间,而不是一个加号 [英] %2B decoding to a space instead of a plus
问题描述
我们有一个特定的服务器出现问题。发布到应用程序的所有加号都替换空间 - 这是在POST和GET,并在该网站上的所有网页
。
作为测试情况下,我有这个小页面(这是一个ASP服务器):
We have a problem in a specific server. All plus signs posted to the application are replaced with spaces - that's in POST and GET, and on all pages on that site.
As a test case I have this little page (it's an ASP server):
<html>
<body>
<form method="post">
<input type="text" name="Plus" id="Plus" />
<input type="submit" />
</form>
Previous Value: <%= request("Plus") %><br />
Query String: <%= request.querystring %>
</body>
</html>
在所有其他的服务器这个效果很好,但对一台服务器的长处用空格代替。
例如:输入 1 2 + 3 - 请求(加)是 1 2 3 和查询字符串是 1 + 2 + 3 。不好。其他人物似乎正确解码。
应该说,有人曾试图变硬免受攻击该服务器,那么晦涩难懂IIS选项可能被打开(虽然我们没有删除ISAPI筛选器)。
谢谢你。
On every other server this works well, but on one server pluses are replaced with spaces.
Example: for the input "1 2+3" - request("Plus") is "1 2 3", and the Query String is "1+2+3". No good. Other characters seem to be decoding correctly.
It should be said someone had tried to 'harden' this server against attacks, so obscure IIS options may be turned on (though we did remove the ISAPI filter).
Thanks.
更新:
原来还有另一种安装过滤器,从SQL注入过滤ISAPIClipSQLInjection.dll HTTP://www.$c $ cplex.com / IIS6SQLInjection 。
该过滤器是马车 - 它从POST替换有效字符和GET:
UPDATE:
It turns out there's another filter installed, the SQL Injection Filter ISAPIClipSQLInjection.dll from http://www.codeplex.com/IIS6SQLInjection .
The filter is buggy - it replaces valid characters from POST and GET:
- 加号都替换为空格:1%2B2 - >1 + 2,同为1 2
- 分号都替换为逗号:你好, - >你好,
过滤器(2.0B)的新版本不解决这个问题,但允许排除某些网页。由于它安装在生产,我们决定不删除的过滤器,我们用JavaScript来改变这一切加号为&放大器;#43(空间,而不是一个分号)。
不是最佳的解决方案,但是这是老板想要的。
A newer version of the filter (2.0b) does not fix this, but allows to exclude certain pages. Since it is installed in production we decided not to remove the filter, we used javascript to change all pluses to "+ " (with space and not a semicolon).
Not the optimal solution, but that's what the boss wanted.
推荐答案
考虑Ascii码code。在一个加号的地方使用其ASCII code.It是CHR(43)。 ASP和SQL能明白这一点。
Consider Ascii Code. In the place of a plus sign use its ascii code.It would be chr(43). Both asp and sql would understand this.
在这里与所有ASCII codeS的表。
http://www.asciitable.com/
here is a table with all ascii codes. http://www.asciitable.com/
这篇关于%2B解码的空间,而不是一个加号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
