ValidateRequest 错误或 SQL Server 错误?

2021-10-04 00:00:00 validation sql-server xss

我正在阅读这篇文章.它说:

I was reading this article. It says :

该字符以值 %uff1c 表示.如果将此值传递给 SQL 数据库中的 varchar 字段,它将被转换为真正的 <特点.我还没有在 nvarchar 字段上看到过这项工作

That character is represented at the value %uff1c. If this value is passed to a varchar field in a SQL database, it will get converted to the real < character. I have not seen this work on a nvarchar field

好吧,我认为这是一个 SQL Server 错误,而不是 ValidateRequest hack!如果我写%uff1c,SQL Server 必须将它保存为%uff1c.或者,至少,它应该通过管理员选择的字符集再次"编码 %uff1c.

Well, I think this is a SQL Server bug, not a ValidateRequest hack! If I write %uff1c, SQL Server must save it as %uff1c. Or, at least, it should encode "again" %uff1c by the charset choosed by admin.

我错了吗?

推荐答案

这不是一个错误,而是一个功能(但你不能使用它).

It's not a bug, but a feature (but you cannot use it).

文章的重点是:如果你想发布一个包含'<'的字符串,将每个<到 <(Unicode 代码点 FF1C)以避免验证错误.

The point of the article is: if you want to post a string containing a '<', convert each < to a < (Unicode codepoint FF1C) to avoid a validation error.

SQL Server 收到一个包含 < 的 Unicode 字符串并尝试对其进行处理.如果表列或过程参数的数据类型支持 Unicode(NCHAR、NVARCHAR、每个字符 2 个字节),则不会发生转换,SQL Server 存储原始值.

SQL Server receives a Unicode character string containing < and tries to process it. If the data type of a table column or procedure parameter was Unicode-enabled (NCHAR, NVARCHAR, 2 bytes per character), no conversion would take place, and SQL Server stores the original value.

如果将值传递给 VARCHAR(每个字符 1 个字节)列或变量,则字符 <(2 字节代码点)将转换为 <.扩展 AakashM 的代码来说明:

If the value is passed to a VARCHAR (1 byte per character) column or variable, however, the character < (2-byte codepoint) is transformed to a <. Extending AakashM's code to illustrate:

DECLARE @nv nvarchar, @v varchar
SET @nv = N'<'
SET @v = '<'
SELECT @nv, @v, CONVERT(varchar, @nv)

<   <   <

但是,由于现在是 21 世纪,数据库应该能够支持每一种标准化的语言、符号和字符,因此可以证明使用 VARCHAR 数据的情况很少.

But, since this is the 21st century, and databases should be able to support every standardized language and symbol and character, there are very few scenarios left that justify using VARCHAR data.

相关文章