URL encoding and SQL injection

When it comes to URL encoding, you may think of the URL-encoding bug from years ago. Unfortunately I came too late: by the time I got online, that hole had long been extinct.

Anyway, what is URL encoding? Here is a definition I copied from the Internet:

Quote: URL encoding is the format browsers use to package form input. The browser takes all the names and values from the form, encodes them as name/value pairs (removing characters that cannot be transmitted, sorting the data, and so on) and sends them to the server either as part of the URL or separately. In either case, the form input as seen on the server side looks like this:

Thename=ichabod+crane&gender=male&status=missing&headless=yes

URL encoding follows these rules: each name/value pair is separated from the next by an & character, and within each pair the name is separated from the value by an = character. If the user enters no value for a name, the name still appears, but with no value. Any special character (that is, anything that is not plain seven-bit ASCII, such as a Chinese character) is encoded as a percent sign followed by its hexadecimal value; this of course includes the special characters =, &, and % themselves.


So, in short, URL encoding is the hexadecimal value of a character's code, with a "%" in front of it. For example, "\" has ASCII code 92, which is 5c in hexadecimal, so the URL encoding of "\" is %5c. What about Chinese characters? Just as simple; take the character "Hu": VBScript's Asc() returns -17670 for it (the signed 16-bit view of its two-byte GBK code), which as unsigned hex is BAFA, so its URL encoding is "%BA%FA", one %XX per byte. Now you know how to convert.

Usually you never need to URL-encode anything by hand, because IE automatically converts the non-alphanumeric characters you type into the address bar into URL encoding. So, for the browser, http://blog.csdn.net/l%61ke2 is equivalent to http://blog.csdn.net/lake2 (note that in the first URL I replaced the "a" with %61). You may also remember that someone once proposed putting a "#" in the database file name to stop it from being downloaded, because IE ignores everything after a "#". The way around it is simple: replace the # with its URL encoding, %23. I once tried to dodge an injection filter by URL-encoding my input, but that failed, because the server side converts the URL encoding back into characters.

Wait, I seem to have gone off topic. Sorry, back to the point:

SQL injection is very popular these days, so people have written anti-injection scripts. Of course the ideas behind them differ, and so does how well they work. Dear readers, please look at the following section of the xxsql generic anti-injection ASP script.

Fy_Url = Request.ServerVariables("QUERY_STRING")   ' raw query string, NOT URL-decoded
Fy_a = Split(Fy_Url, "&")                           ' split into name=value pairs
ReDim Fy_Cs(UBound(Fy_a))
On Error Resume Next
For Fy_x = 0 To UBound(Fy_a)
    ' keep only the NAME part of each pair; it is still URL-encoded
    Fy_Cs(Fy_x) = Left(Fy_a(Fy_x), InStr(Fy_a(Fy_x), "=") - 1)
Next
For Fy_x = 0 To UBound(Fy_Cs)
    If Fy_Cs(Fy_x) <> "" Then
        ' look the VALUE up through Request(), which does decode it
        If InStr(LCase(Request(Fy_Cs(Fy_x))), "and") <> 0 Then
            Response.Write "There is an error!"
            Response.End
        End If
    End If
Next


The idea is to take the submitted data, split it at "&" into name/value pairs, extract each name, fetch that name's value through Request(), and check whether the value contains a defined keyword (for simplicity I have kept only "and" here); if it does, the request is treated as an injection.

At first glance the value is checked, so there seems to be no problem. And indeed, the value is not the problem. But what about the name?

The names of the name/value pairs come from Request.ServerVariables("QUERY_STRING"), and, sorry, that is where the problem is. Request.ServerVariables("QUERY_STRING") is the raw string submitted by the client; it is not URL-decoded automatically. So if we URL-encode the name and submit again, we can bypass the check. For example, with the parameter Ph4nt0m=lake2 and lis0 the program detects the keyword. But if we submit %50h4nt0m=lake2 and lis0 (%50 is the URL encoding of "P"), the program extracts the name "%50h4nt0m" and looks up Request("%50h4nt0m"). Since the server decodes the real parameter name to Ph4nt0m, no parameter named "%50h4nt0m" exists, its value is empty, and the detection is bypassed, while the application itself still reads Ph4nt0m=lake2 and lis0.

Wait, if the name is not decoded and that bypasses the check, why can't the value be bypassed the same way? Because the value is obtained through Request(Fy_Cs(Fy_x)), and the server decodes it before the comparison.

How should the program be fixed? As long as the data it checks is what the server has already decoded, it is fine: replace the statement that extracts the names from the raw query string with a loop over the decoded collection, For Each SubmitName In Request.QueryString, and check Request.QueryString(SubmitName) for the keywords.
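The encoding rule quoted above and the encoded-name bypass, as an added example that is not the article's ASP code: a Python model of the xxsql logic (names cut out of the raw QUERY_STRING, values fetched through the decoded collection), the %50h4nt0m bypass against it, and the "iterate the decoded collection" fix. The per-byte %XX encoder and the decoded-collection parser are my own; the names Ph4nt0m, lake2 and lis0 come from the article, and the character 胡 is my assumption for the "Hu" whose GBK code the article gives as BAFA.

```python
"""Model of the xxsql QUERY_STRING filter and the URL-encoded-name bypass.

Added example, not the original ASP script: it re-implements the filter's
logic in Python so the bypass and the fix can be run offline.
"""
from urllib.parse import unquote_to_bytes

# Characters left as-is; everything else is sent as %XX per byte, which is
# the rule quoted in the article (separators =, & and % included).
_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~")


def url_encode(text: str, encoding: str = "gbk") -> str:
    """Percent-encode every byte of `text` outside the safe set.

    Multi-byte characters are encoded byte by byte, so a GBK character
    whose two-byte code is 0xBAFA becomes %BA%FA.
    """
    out = []
    for ch in text:
        if ch in _SAFE:
            out.append(ch)
        else:
            out.append("".join("%%%02X" % b for b in ch.encode(encoding)))
    return "".join(out)


def url_decode(text: str, encoding: str = "gbk") -> str:
    """Inverse of url_encode; this is what Request() does for us in ASP."""
    return unquote_to_bytes(text.replace("+", " ")).decode(encoding, "replace")


def parse_query(raw: str, encoding: str = "gbk") -> dict[str, list[str]]:
    """What Request.QueryString exposes: names AND values both decoded."""
    params: dict[str, list[str]] = {}
    for pair in raw.split("&"):
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        # a name without "=" appears with an empty value (see the rules above)
        params.setdefault(url_decode(name, encoding), []).append(
            url_decode(value, encoding) if sep else "")
    return params


KEYWORDS = ("and",)  # the article keeps only "and" for simplicity


def xxsql_check(raw_query_string: str) -> bool:
    """The original (vulnerable) logic. Returns True when the request is blocked.

    Names are cut out of the *raw* QUERY_STRING, so they stay URL-encoded;
    each value is then fetched through the decoded collection, exactly like
    Request(Fy_Cs(Fy_x)) in the ASP script.
    """
    request = parse_query(raw_query_string)
    for pair in raw_query_string.split("&"):
        # Left(pair, InStr(pair, "=") - 1); with no "=" the ASP error handler
        # leaves the slot empty and the outer If skips it
        name = pair[: pair.find("=")] if "=" in pair else ""
        if name == "":
            continue
        value = " ".join(request.get(name, []))  # unknown name -> empty string
        if any(k in value.lower() for k in KEYWORDS):
            return True
    return False


def fixed_check(raw_query_string: str) -> bool:
    """The fix: walk the decoded names (For Each SubmitName In Request.QueryString)."""
    request = parse_query(raw_query_string)
    for values in request.values():
        if any(k in v.lower() for v in values for k in KEYWORDS):
            return True
    return False


# Constructed requests: the article's payload with a plain and an encoded name.
PAYLOAD = "lake2 and lis0"
PLAIN = "Ph4nt0m=" + url_encode(PAYLOAD)     # Ph4nt0m=lake2%20and%20lis0
BYPASS = "%50h4nt0m=" + url_encode(PAYLOAD)  # the "P" of the name sent as %50

if __name__ == "__main__":
    print(url_encode("\\"), url_encode("胡"))          # %5C %BA%FA
    print(url_decode("l%61ke2"))                        # lake2
    print(xxsql_check(PLAIN), xxsql_check(BYPASS))      # True False  <- bypassed
    print(parse_query(BYPASS))                          # app still sees Ph4nt0m
    print(fixed_check(BYPASS))                          # True
```

The point to verify in your own filter is the mismatch between the two views of the request: parse_query(BYPASS) shows the application receiving Ph4nt0m=lake2 and lis0 exactly as if the name had not been encoded, while xxsql_check, looking up the literal "%50h4nt0m", sees nothing to block. Any filter that keys off the raw QUERY_STRING (or raw POST body) instead of the decoded collection has the same hole.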


