Pound sign and everything following get lost when using QueryString for value transfer in ASP


Yong Chen via .NET 247



I have two ASP script files, A.asp and B.asp.
In A.asp, I am doing a database query. The query string looks like
"SELECT * From Where PublishDate Between #02-02-04# And #03-03-04"
I tried using QueryString to transfer the query string to B.asp.
The statement looks like

Sql = "SELECT * From Where PublishDate Between #02-02-04# And #03-03-04"
<a Href="B.asp?QueryString=Sql">XXXX</A>

However, it turned out that the first # and everything following got lost.


Could anybody help?

Thanks in advance!

Yong Chen
HKU, CSIS
 
Hello Yong Chen via .NET 247,

Try Server.UrlEncode(Sql).

For some reason, the # character is a terminator on the query string. However, when doing a UrlEncode, it preps it for the querystring.

Mind if I ask why you're sending a sql statement on the querystring? This seems like it could open a *HUGE* hole.

In your model, it would be completely valid for the user to type in b.asp?querystring=xp_cmdshell%20%27format c:%27%2cNO_OUTPUT

which would execute the following command:

xp_cmdshell 'format c:', NO_OUTPUT

Granted, the xp_cmdshell command is fairly protected by default and this may be an extreme case, but I'm sure you are starting to see other things that could be passed along (like: DROP DATABASE, DELETE TABLE, etc).

Please rethink this design...
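As an added illustration of the design change suggested above (example code, not from the thread or from either poster), here is what B.asp should accept instead of a ready-made SQL statement: only the two dates. The server validates them strictly and binds them as parameters, so nothing arriving on the query string is ever executed as SQL. Written in Node.js; the table name `Articles` and the `from`/`to` parameter names are assumptions, and the database call itself is represented by the command object that is returned.

```javascript
// Added example (not from the thread): pass data, not SQL, on the query string.
// Node.js, no external packages. "Articles", "from" and "to" are assumed names.

const DATE_RE = /^(\d{4})-(\d{2})-(\d{2})$/;

// Returns the YYYY-MM-DD string when the input is a real calendar date, else null.
// Anything that is not exactly a date (SQL keywords, extra characters) is rejected.
function parseIsoDate(value) {
  const m = DATE_RE.exec(value || "");
  if (!m) return null;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const date = new Date(Date.UTC(y, mo - 1, d));
  // Date silently rolls invalid days over (2004-02-30 becomes March 1); reject those.
  if (
    date.getUTCFullYear() !== y ||
    date.getUTCMonth() !== mo - 1 ||
    date.getUTCDate() !== d
  ) {
    return null;
  }
  return value;
}

// Builds the parameterised command B.asp would hand to the database.
// The SQL text is a constant; only the params array carries user data.
function buildPublishDateQuery(query) {
  const from = parseIsoDate(query.get("from"));
  const to = parseIsoDate(query.get("to"));
  if (from === null || to === null) {
    return { ok: false, error: "from and to must be YYYY-MM-DD dates" };
  }
  if (from > to) {
    // ISO dates compare correctly as strings.
    return { ok: false, error: "from must not be after to" };
  }
  return {
    ok: true,
    text: "SELECT * FROM Articles WHERE PublishDate BETWEEN ? AND ?",
    params: [from, to],
  };
}

// The link A.asp would emit: just the two values, percent-encoded.
function linkFor(from, to) {
  return "B.asp?" + new URLSearchParams({ from, to }).toString();
}

// Parses an incoming link the way B.asp would and builds the command.
function handle(link) {
  return buildPublishDateQuery(new URL(link, "http://localhost/").searchParams);
}

console.log(linkFor("2004-02-02", "2004-03-03"));
console.log(handle("B.asp?from=2004-02-02&to=2004-03-03"));
console.log(handle("B.asp?from=DROP%20DATABASE&to=2004-03-03"));
```

In classic ASP the same split is done with an ADODB.Command object: the constant SQL text with `?` placeholders goes in `CommandText`, and each validated date is appended with `CreateParameter`, so the database driver never sees the user's input as part of the statement.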
 
The reason # terminates a query string is that # in a URL marks a fragment
in the document the URL points to. Same way ? separates the path and the
query string.

Jerry

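The two explanations above (Jerry's: `#` starts the fragment, which the browser keeps to itself; Matt's: encode the value first) can be seen directly with a URL parser. The following is an added example, not code from the thread, written in Node.js with the built-in WHATWG `URL` class; `encodeURIComponent` plays the role of ASP's `Server.UrlEncode`, and the hostname and the table name `Articles` in the sample statement are constructed.

```javascript
// Added example (not from the thread): why "#" truncates a query-string value
// and how percent-encoding preserves it. Node.js, built-in URL parser only.

// Constructed sample statement in the style of the original post.
const sql =
  "SELECT * From Articles Where PublishDate Between #02-02-04# And #03-03-04#";
const base = "http://localhost/B.asp"; // constructed hostname

// The original A.asp approach: the raw value pasted into the link.
function rawLink(base, value) {
  return base + "?QueryString=" + value;
}

// Matt's fix: percent-encode the value first. "#" becomes %23 and " " becomes %20
// (Server.UrlEncode emits "+" for a space; both decode to a space on the server).
function encodedLink(base, value) {
  return base + "?QueryString=" + encodeURIComponent(value);
}

// What the server receives: the parameter after the browser has split the URL
// into path, query and fragment. Returns null when the parameter is absent.
function receivedValue(link) {
  return new URL(link).searchParams.get("QueryString");
}

// What the browser keeps for itself: the fragment, which is never sent.
// Decoded so spaces read naturally; empty string when there is no fragment.
function fragmentOf(link) {
  return decodeURIComponent(new URL(link).hash);
}

console.log(receivedValue(rawLink(base, sql)));     // stops just before the first #
console.log(fragmentOf(rawLink(base, sql)));        // the lost tail
console.log(receivedValue(encodedLink(base, sql))); // the whole statement
```

The ASP equivalent of `encodedLink` is `<a href="B.asp?QueryString=<%= Server.UrlEncode(Sql) %>">`, which is what the original `Href="B.asp?QueryString=Sql"` needed; the encoding only makes the value survive the trip, it does nothing about the injection problem of sending SQL in the first place.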
 