CHR(9), CHR(10), CHR(13), CHR(32), CHR(34)
Full ASCII table: http://www.asciitable.com/
CHR(13) is the carriage return (CR), the character the Enter key produces
CHR(10) is the line feed (LF), the newline character
CHR(32) is the ordinary space
CHR(9) is the horizontal tab (TAB), and CHR(34) is the double quote character (")
Some notes and examples follow.
Special space characters
In ASP programming we often use the Trim (and RTrim, LTrim) functions to strip the leading and trailing spaces from data. The author recently wrote an ASP chat room containing the following code:
<% dim name, password
name = Trim(Request.Form("name"))
password = Trim(Request.Form("password"))
if name = "" or password = "" then Response.Redirect "error.asp?error=name&name=null"
mydsn = "dsn=test;uid=test;pwd=test"
set cn = Server.CreateObject("ADODB.Connection")
cn.Open mydsn
' Note: building the statement by string concatenation makes it SQL-injectable;
' an ADODB.Command with parameters should be used instead. Kept as in the article.
SQL = "INSERT INTO TEST (name, Title) VALUES ('" & name & "', '" & password & "')"
cn.Execute(SQL)
cn.Close %>
The author uses the Trim function to remove leading and trailing spaces. Normally the program runs correctly, but later the author found that someone had managed to submit a name that looked like nothing but spaces. When the author tried to do the same with the space bar it did not get through (that is, the check works): the spaces at the beginning and end are removed by Trim, so a name consisting only of spaces is reduced to an empty string and rejected, and only spaces in the middle survive.

Because user data is recorded in the SQL database, the author suspected the user had used something else to make the name invisible and went to look at the table that stores the user records (this is also how the user was noticed in the first place), but the stored value still looked like a space. Had the user found a way around the username and password check? Unable to find the hole in the program, the author could only ask the user. Fortunately the user explained quickly: the trick is Alt+255. Hold down the Alt key and type 2, 5, 5 on the numeric keypad in order, and a rather special character is produced (the author is not entirely clear on the concept; it is a control character, which you can see in editors such as Word 2000, and there should be other control characters besides). This space-like character differs from the one typed with the space bar: its ASC code is 255, while the ASC code of an ordinary space is 32. Trim only knows how to remove code 32, so the name gets through and a "space user" appears.

Which character Alt+255 produces depends on the code page: with the OEM code page 437 that Windows uses for Alt+numpad entry, byte 255 is the non-breaking space, whereas in Windows-1252 that byte is the letter ÿ and the non-breaking space is CHR(160). In every case VBScript's Trim removes only CHR(32), so none of these are stripped. To remove such empty-looking characters the author designed the function and the check below:
Function xuankong(str)
    dim result, i, j, c
    j = Len(str)
    result = ""
    for i = 1 to j
        c = Mid(str, i, 1)
        Select Case c
            ' The four cases below convert HTML markup characters to entities
            Case "<"
                result = result & "&lt;"
            Case ">"
                result = result & "&gt;"
            Case Chr(34)
                result = result & "&quot;"
            Case "&"
                result = result & "&amp;"
            Case Chr(255)   ' Drop the special (Alt+255) space
                result = result
            Case Chr(13)    ' Carriage return (Enter): emitted as a line break
                result = result & "<br>"
            Case Chr(10)    ' Line feed: dropped, its CR partner already produced the <br>
                result = result
            Case Else
                result = result & c
        End Select
    next
    ' The string literals of the CR and LF cases did not survive in the source;
    ' "<br>" and "" are the reconstruction used here.
    xuankong = result
End Function
Then call this function in your ASP program, for example:
name = xuankong(Trim(Request.Form("name")))
Because the ASC codes of the characters from 0 to z run from 48 to 122, you can also screen the input like this:
dim i, j, c
name = Trim(Request.Form("name"))
j = Len(name)
for i = 1 to j
    c = Asc(Mid(name, i, 1))
    if c > 122 or c < 48 then Response.Redirect "err.asp?error=special"
next
Note that the range 48 to 122 also admits the punctuation that sits between the digits, the upper-case letters and the lower-case letters (: ; < = > ? @ [ \ ] ^ _ `), so this is a coarse filter; an explicit allowlist of the characters a name may contain is stricter.
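The bypass and the two defences above, as an added Python example that is not part of the article's ASP code (the function names and the allowlist policy are this example's own): a trim that strips only CHR(32) lets a non-breaking space through the emptiness check, a normalizer in the spirit of xuankong() removes every whitespace, control and format code point rather than one byte, and an allowlist regex is compared with the 48..122 range check, showing which punctuation the range admits.

```python
import html
import re
import unicodedata

# Constructed input: the Alt+255 byte the article describes, decoded under the
# OEM code page 437 that Windows uses for Alt+numpad entry (it is the no-break
# space there; read as Windows-1252 the same byte would be the letter ÿ).
NBSP = "\u00a0"


def alt255_decoded():
    """What the Alt+255 byte (0xFF) is once decoded under code page 437."""
    return b"\xff".decode("cp437")


def asp_trim(s):
    """Mimics VBScript Trim(): strips only CHR(32) from both ends."""
    return s.strip(" ")


def looks_empty(s):
    """The article's emptiness test: name = "" after Trim."""
    return asp_trim(s) == ""


def strip_special(s):
    """Remove every whitespace code point (Zs/Zl/Zp, CR, LF, TAB, U+00A0,
    U+3000) and every control/format code point (Cc/Cf, e.g. U+200B).
    This generalizes the article's Chr(255) case to all such characters."""
    return "".join(ch for ch in s
                   if not ch.isspace()
                   and not unicodedata.category(ch).startswith("C"))


def normalize_name(s):
    """strip_special() followed by the HTML escaping xuankong() does for < > " &."""
    return html.escape(strip_special(s), quote=True)


# Hypothetical policy for this example: ASCII letters, digits and underscore.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,20}")


def is_valid_name(s):
    """Allowlist check: the whole string must match NAME_RE."""
    return NAME_RE.fullmatch(s) is not None


def asc_range_check(s):
    """The article's loop: every character code must lie in 48..122."""
    return all(48 <= ord(ch) <= 122 for ch in s)


def punctuation_admitted_by_range():
    """Characters in 48..122 that are neither letters nor digits, i.e. what
    the range check lets through that an allowlist would reject."""
    return "".join(chr(c) for c in range(48, 123) if not chr(c).isalnum())


if __name__ == "__main__":
    samples = ["   ", NBSP, " al\u00a0ice ", "bob\u200b\u3000", "a;b<c", "<b>x"]
    for sample in samples:
        cleaned = strip_special(sample)
        print(repr(sample),
              "trim-empty:", looks_empty(sample),
              "cleaned:", repr(cleaned),
              "range-ok:", asc_range_check(sample),
              "allowlist-ok:", is_valid_name(cleaned))
    print("range admits:", punctuation_admitted_by_range())
```

Validate on the cleaned string before escaping it; escaping introduces & and ; that an allowlist would rightly reject, and the escaped form is for output, not for deciding whether the name is acceptable.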
Although no case has been found yet in which this kind of space breaks the program, it does let people make mischief, and it can be guarded against. This kind of space also has one benefit: several people can see it! I thought it was a space, but it was not... I am not familiar with PHP and JSP, so I do not know whether these two have the same problem.
How to display spaces
We often display content read from a file on a web page. In a chat room or forum, each person's message must first be stored in a text file and then displayed on the page. But the control we give the user to enter content is a text box, and the spaces and line breaks typed into it are not shown as such on the page: there are no paragraphs. To display paragraphs on the page, we must replace the spaces and line breaks in the text with the HTML markup that displays them. See the example below.
Suppose the page has a chat room picture: after entering content in the text box and clicking Submit, our content is displayed on the page. The text box is named Text1. The code below displays the text's line breaks and spaces.
<%
... ...
... ...
str = Request.QueryString("text1")
' Note: str is user input written back without HTML encoding; call
' Server.HTMLEncode(str) before these replacements, or any < > & the user
' types is rendered as markup. Kept as in the article.
str = Replace(str, Chr(32), "&nbsp;")
' Replace each space with the &nbsp; entity
str = Replace(str, vbCrLf, "<br>")
' Replace each carriage return / line feed pair with the <br> tag
Response.Write str
... ...
... ...
%>
With the code above, the carriage returns in the text become <br> line-break tags that the browser recognizes, and the spaces become the &nbsp; space entity. Here Chr(32) is a space and vbCrLf is the carriage return / line feed pair.
CHR(13) is the carriage return (CR).
Example (ColdFusion): replace every carriage return with <br />:
#Replace(foo, chr(13), "<br />", "all")#
CHR(10) is the line feed (LF).
Full ASCII table: http://www.asciitable.com/
<CFScript>
/**
 * An enhanced version of the ParagraphFormat function.
 * Uses &nbsp; to replace TAB, and supports the line endings of multiple operating systems.
 * Rewrite and multi-OS support by Nathan Dintenfass.
 *
 * @param str      The string to format. (Required)
 * @return Returns a string.
 * @author Ben Forta ([email protected])
 * @version 3, June 26, 2002
 */
function ParagraphFormat2(str) {
    // First make Windows style (CR LF) into Unix style (LF)
    str = replace(str, chr(13) & chr(10), chr(10), "all");
    // Now make Macintosh style (CR) into Unix style
    str = replace(str, chr(13), chr(10), "all");
    // Now fix tabs
    str = replace(str, chr(9), "&nbsp;&nbsp;&nbsp;", "all");
    // Now return the text formatted in HTML
    return replace(str, chr(10), "<br />", "all");
}
</CFScript>
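The formatting done by the ASP snippet in "How to display spaces" and by the CFScript ParagraphFormat2 function above, as one added Python example that is neither the article's nor Ben Forta's code (function names are this example's own): it normalizes Windows and Macintosh line endings to LF, expands tabs to three &nbsp; and spaces to &nbsp;, and emits <br />, but it HTML-escapes the text first, so the entities and tags it inserts are the only markup in the output. A second function keeps the ASP snippet's order (substitute without escaping) for comparison.

```python
import html

# Three &nbsp; per tab, the expansion ParagraphFormat2 above uses.
TAB_HTML = "&nbsp;" * 3


def normalize_newlines(s):
    """Windows CR LF and Macintosh CR both become a single LF."""
    return s.replace("\r\n", "\n").replace("\r", "\n")


def format_paragraph(s):
    """Escape first, then turn whitespace into markup.

    Escaping must precede the substitutions: done afterwards it would turn the
    &nbsp; we inserted into &amp;nbsp; and the <br /> into &lt;br /&gt;.
    Done first, user-typed < > & " ' remain literal text in the page."""
    s = html.escape(s, quote=True)
    s = normalize_newlines(s)
    s = s.replace("\t", TAB_HTML)
    s = s.replace(" ", "&nbsp;")
    return s.replace("\n", "<br />")


def format_paragraph_unsafe(s):
    """The ASP snippet's order of operations, for comparison: spaces and
    CR LF are substituted but nothing is escaped, so markup in the input is
    rendered by the browser."""
    return s.replace(" ", "&nbsp;").replace("\r\n", "<br>")


# Constructed chat message: a Windows line ending, a Mac line ending, a tab,
# and a script tag a hostile user might submit.
SAMPLE = "hi there\r\nline two\rline three\tindented <script>alert(1)</script>"

if __name__ == "__main__":
    print(format_paragraph(SAMPLE))
    print(format_paragraph_unsafe(SAMPLE))
```

Replacing every space with &nbsp; also stops the browser from wrapping long lines, which is the behaviour of the original snippets; if wrapping is wanted, leave ordinary spaces alone and render the text inside an element styled with white-space: pre-wrap, which preserves runs of spaces and line breaks without any substitution.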