We have a problem in a specific server. All plus signs posted to the application are replaced with spaces - that's in POST and GET, and on all pages on that site.
As a test case I have this little page (it's an ASP server):
我们在特定服务器中遇到问题。发布到应用程序的所有加号都替换为空格 - 即POST和GET,以及该站点上的所有页面。作为测试用例,我有这个小页面(它是一个ASP服务器):
<html>
<body>
<form method="post">
<input type="text" name="Plus" id="Plus" />
<input type="submit" />
</form>
Previous Value: <%= request("Plus") %><br />
Query String: <%= request.querystring %>
</body>
</html>
On every other server this works well, but on one server pluses are replaced with spaces.
Example: for the input "1 2+3" - request("Plus") is "1 2 3", and the Query String is "1+2+3". No good. Other characters seem to be decoding correctly.
It should be said someone had tried to 'harden' this server against attacks, so obscure IIS options may be turned on (though we did remove the ISAPI filter).
Thanks.
在其他每台服务器上运行良好,但在一台服务器上,用空格替换了。示例:对于输入“1 2 + 3” - 请求(“Plus”)是“1 2 3”,查询字符串是“1 + 2 + 3”。不好。其他字符似乎正确解码。应该说有人曾试图“强化”此服务器以抵御攻击,因此可能会打开模糊的IIS选项(尽管我们确实删除了ISAPI过滤器)。谢谢。
UPDATE: It turns out there's another filter installed, the SQL Injection Filter ISAPIClipSQLInjection.dll from http://www.codeplex.com/IIS6SQLInjection .
The filter is buggy - it replaces valid characters from POST and GET:
更新:事实证明还安装了另一个过滤器,来自http://www.codeplex.com/IIS6SQLInjection的SQL注入过滤器ISAPIClipSQLInjection.dll。过滤器有问题 - 它取代了POST和GET中的有效字符:
- Plus signs are replaced with spaces: "1%2B2" -> "1+2", same as "1 2"
- Semicolons are replaced with Commas: "hello;" -> "hello,"
加号用空格代替:“1%2B2” - >“1 + 2”,与“1 2”相同
分号用逗号代替:“你好;” - >“你好,”
A newer version of the filter (2.0b) does not fix this, but allows to exclude certain pages. Since it is installed in production we decided not to remove the filter, we used javascript to change all pluses to "+ " (with space and not a semicolon).
Not the optimal solution, but that's what the boss wanted.
较新版本的过滤器(2.0b)不能解决此问题,但允许排除某些页面。由于它是在生产中安装的,我们决定不删除过滤器,我们使用javascript将所有加号更改为“+”(空格而不是分号)。不是最佳解决方案,但这就是老板想要的。
1 个解决方案
#1
Consider Ascii Code. In the place of a plus sign use its ascii code.It would be chr(43). Both asp and sql would understand this.
考虑Ascii Code。在加号的位置使用其ascii代码。它将是chr(43)。 asp和sql都能理解这一点。
here is a table with all ascii codes. http://www.asciitable.com/
这是一个包含所有ascii代码的表。 http://www.asciitable.com/
#1
Consider Ascii Code. In the place of a plus sign use its ascii code.It would be chr(43). Both asp and sql would understand this.
考虑Ascii Code。在加号的位置使用其ascii代码。它将是chr(43)。 asp和sql都能理解这一点。
here is a table with all ascii codes. http://www.asciitable.com/
这是一个包含所有ascii代码的表。 http://www.asciitable.com/