当前位置: 文江博客话题详情

Request.QueryString[] 与 Request.Query.Get() 与 HttpUtility.ParseQueryString()

发布于 2024-12-28 05:19:17 字数 1606 浏览 0 评论 0原文

我搜索了SO并发现了类似的问题,但没有一个比较这三个问题。这让我很惊讶,所以如果有人知道,请指出我。

有多种不同的方法来解析请求的查询字符串......“正确”的方法(IMO)应该处理空值/缺失值,但也可以适当地解码参数值。以下哪一项是同时实现这两点的最佳方法?


方法1

string suffix = Request.QueryString.Get("suffix") ?? "DefaultSuffix";


方法2

string suffix = Request.QueryString["suffix"] ?? "DefaultSuffix";


方法3

NameValueCollection params = HttpUtility.ParseQueryString(Request.RawUrl);    
string suffix = params.Get("suffix") ?? "DefaultSuffix";


方法4

NameValueCollection params = HttpUtility.ParseQueryString(Request.RawUrl);    
string suffix = params["suffix"] ?? "DefaultSuffix";


问题:

  1. 如果未指定后缀,Request.QueryString["suffix"] 是否会返回 null? (我知道这是一个令人尴尬的基本问题)

  2. HttpUtility.ParseQueryString() 是否比直接访问 Request.QueryString 提供任何额外的功能?

  3. MSDN 文档列出了此警告:

    ParseQueryString 方法使用可能包含用户输入的查询字符串,这是潜在的安全威胁。默认情况下,ASP.NET 网页验证用户输入不包含脚本或 HTML 元素。有关详细信息,请参阅脚本漏洞利用概述。

    但我不清楚这是否意味着应该使用 ParseQueryString() 来处理该问题,或者因此而面临安全缺陷......它是哪一个?

  4. ParseQueryString() 默认使用 UTF8 编码...所有浏览器默认都以 UTF8 编码查询字符串吗?

  5. 如果指定了多个值,

    ParseQueryString() 将以逗号分隔值... Request.QueryString() 是否也这样做,或者如果它会发生什么不是吗?

  6. 哪些方法可以正确地将“%2b”解码为“+”?


再次展示我的 Windows 开发根源...如果我不那么想知道这些事情的话,我会成为一个更快的开发人员...:P

原文

I searched SO and found similar questions, but none compared all three. That surprised me, so if someone knows of one, please point me to it.

There are a number of different ways to parse the query string of a request... the "correct" way (IMO) should handle null/missing values, but also decode parameter values as appropriate. Which of the following would be the best way to do both?

Method 1

string suffix = Request.QueryString.Get("suffix") ?? "DefaultSuffix";

Method2

string suffix = Request.QueryString["suffix"] ?? "DefaultSuffix";

Method 3

NameValueCollection params = HttpUtility.ParseQueryString(Request.RawUrl);    
string suffix = params.Get("suffix") ?? "DefaultSuffix";

Method 4

NameValueCollection params = HttpUtility.ParseQueryString(Request.RawUrl);    
string suffix = params["suffix"] ?? "DefaultSuffix";

Questions:

  1. Would Request.QueryString["suffix"] return a null if no suffix was specified?
    (Embarrassingly basic question, I know)

  2. Does HttpUtility.ParseQueryString() provide any extra functionality over accessing Request.QueryString directly?

  3. The MSDN documentation lists this warning:

    The ParseQueryString method uses query strings that might contain user input, which is a potential security threat. By default, ASP.NET Web pages validate that user input does not include script or HTML elements. For more information, see Script Exploits Overview.

    But it's not clear to me if that means ParseQueryString() should be used to handle that, or is exposed to security flaws because of it... Which is it?

  4. ParseQueryString() uses UTF8 encoding by default... do all browsers encode the query string in UTF8 by default?

  5. ParseQueryString() will comma-separate values if more than one is specified... does Request.QueryString() do that as well, or what happens if it doesn't?

  6. Which of those methods would correctly decode "%2b" to be a "+"?

Showing my Windows development roots again... and I would be a much faster developer if I didn't wonder about these things so much... : P

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

枯寂 2025-01-04 05:19:17

方法#1 和方法#2 确实是一样的。 (我认为 .Get() 方法是为了语言兼容性而提供的。)

ParseQueryString 返回的内容与 Request.Querystring 功能等效。 。当您有原始 URL 并且没有其他方法可以从中解析查询字符串参数时,通常会使用它。 Request.Querystring 会为您完成此操作,因此在本例中不需要它。

  1. 你不能省略“后缀”。您必须传递一个字符串或一个索引号。如果完全省略 [],您将获得整个 NameValueCollection。如果您的意思是如果 "suffix" 不是 QueryString 值之一,那么是的;如果您调用 Request.QueryString["suffix"],您将得到 null

  2. 没有。 从中解析查询字符串参数。

  3. ParseQueryString 确实处理它...也不能直接从 Request.QueryString 中提取值。对于 ASP.NET,您通常将表单值作为控件的值来处理,而就是 ASP.NET 通常为您“处理”这些事情的地方。 换句话说:永远不要相信用户输入。无论哪个框架为您做任何事情。

  4. 我不知道(我想没有)。但是,我认为您正在阅读的内容告诉您 ParseQueryString 返回 UTF-8 编码文本 - 无论它传入时是否如此编码。

  5. 再次:ParseQueryString 返回的内容与从 Request.QueryString 获得的内容基本相同。事实上,我认为 ParseQueryString 在内部使用来提供 Request.QueryString

  6. 他们会产生等价物;他们都会正确解码提交的值。如果您有 URL:http://site.com/page.aspx?id=%20Hello 然后调用 Request.QueryString["id"] 返回值将为“Hello”,因为它会自动解码。

Methods #1 and #2 are the same thing, really. (I think the .Get() method is provided for language compatibility.)

ParseQueryString returns you something that is the functional equivalent of Request.Querystring. You would usually use it when you have a raw URL and no other way to parse the query string parameters from it. Request.Querystring does that for you, so in this case, it's not needed.

  1. You can't leave off "suffix". You either have to pass a string or an index number. If you leave off the [] entirely, you get the whole NameValueCollection. If you mean what if "suffix" was not one of the QueryString values then yes; you would get null if you called Request.QueryString["suffix"].

  2. No. The most likely time you would use it is if you had an external URL and wanted to parse the query string parameters from it.

  3. ParseQueryString does not handle it... neither does pulling the values straight from Request.QueryString. For ASP.NET, you usually handle form values as the values of controls, and that is where ASP.NET usually 'handles' these things for you. In other words: DON'T TRUST USER INPUT Ever. No matter what framework is doing what ever for you.

  4. I have no clue (I think no). However, I think what you are reading is telling you that ParseQueryString is returning UTF-8 encoded text - regardless if it was so encoded when it came in.

  5. Again: ParseQueryString returns basically the same thing you get from Request.QueryString. In fact, I think ParseQueryString is used internally to provide Request.QueryString.

  6. They would produce the equivalent; they will all properly decode the values submitted. If you have URL: http://site.com/page.aspx?id=%20Hello then call Request.QueryString["id"] the return value will be " Hello", because it automatically decodes.

回复 原文
非要怀念 2025-01-04 05:19:17

示例 1:

string itsMeString = string.IsNullOrEmpty(Request.QueryString["itsMe"]) ? string.Empty :  HttpUtillity.UrlDecode(Request.QueryString["itsMe"]);

直接回答您的问题:

  1. 不太确定后缀是什么意思,如果您询问如果键不存在(查询字符串中没有它)会发生什么 - 是的,它将返回 null。
  2. 我的猜测是,在构造时,Request.QueryString 在内部调用 HttpUtillity.ParseQueryString() 方法并缓存 NameValueCollection 以供后续访问。我认为只留下第一个,这样您就可以在请求中不存在的字符串上使用它,例如,如果您正在废弃一个网页并且需要从您在该代码中找到的字符串中获取一些参数页。这样,您不需要构造 Uri 对象,但如果您确定只需要它,则可以仅获取查询字符串作为 NameValueCollection。这是一个疯狂的猜测;)。)
  3. 这是在页面级别实现的,因此如果您正在访问 QueryString(假设在 Page_Load 事件处理程序中),您将拥有一个有效且安全的字符串(否则 ASP.NET 将抛出异常,并且不会让代码流进入Page_Load,这样您就可以避免在数据库中存储XSS,例外情况是:“从客户端检测到潜在危险的Request.QueryString值,就像post变量一样包含任何痕迹XSS 而是 Request.Form,异常显示为 Request.QueryString。”)。如果您打开“validateRequest”(默认情况下是这样),就会出现这种情况。 ASP.NET 管道会提前抛出异常,因此您没有机会将任何 XSS 内容保存到您的存储(数据库)中。关闭它意味着您知道自己在做什么,因此您需要自己实施安全性(通过检查传入的内容)。
  4. 也许可以肯定地说“是”。无论如何,因为在大多数情况下您将自己生成 QueryString(通过 JavaScript 或服务器端代码 - 请务必使用 HttpUtillity.UrlEncode 作为后端代码并为 JavaScript 使用转义)。这样浏览器就会被迫转向“是我!”到“It%27s%20me%21”。有关 JavaScript 中的 URL 编码的更多信息,您可以参考这篇文章: http://www.javascripter.net /faq/escape.htm
  5. 请详细说明这一点,无法完全理解“如果指定了多个值,则将以逗号分隔值”的意思。
  6. 据我所知,他们都不会。您可能需要调用 HttpUtillity.UrlDecode / HttpUtillity.HtmlDecode (基于您拥有的输入)才能正确获取字符串,在上面的示例中为“It's me!”您将执行类似的操作(请参阅示例 1,因为如果我将其放在编号列表后面,则代码格式会出现问题)。

Example 1:

string itsMeString = string.IsNullOrEmpty(Request.QueryString["itsMe"]) ? string.Empty :  HttpUtillity.UrlDecode(Request.QueryString["itsMe"]);

Stright to your questions:

  1. Not quite sure what do you mean by suffix, if you are asking what happens if the key is not present(you don't have it in the QueryString) - yes it will return null.
  2. My GUESS here is that when constructed, Request.QueryString internally calls HttpUtillity.ParseQueryString() method and caches the NameValueCollection for subsequential access. I think the first is only left so you can use it over a string that is not present in the Request, for example if you are scrapping a web page and need to get some arguments from a string you've found in the code of that page. This way you won't need to construct an Uri object but will be able to get just the query string as a NameValueCollection if you are sure you only need this. This is a wild guess ;).)
  3. This is implemented on a page level so if you are accessing the QueryString let's say in Page_Load event handler, you are having a valid and safe string (ASP.NET will throw an exception otherwise and will not let the code flow enter the Page_Load so you are protected from storing XSS in your database, the exception will be: "A potentially dangerous Request.QueryString value was detected from the client, same as if a post variable contains any traces of XSS but instead Request.Form the exception says Request.QueryString."). This is so if you let the "validateRequest" switched on (by default it is). The ASP.NET pipeline will throw an exception earlier, so you don't have the chance to save any XSS things to your store (Database). Switching it off implies you know what you're doing so you will then need to implement the security yourself (by checking what's comming in).
  4. Probably it will be safe to say yes. Anyway, since you will in most cases generating the QueryString on your own (via JavaScript or server side code - be sure to use HttpUtillity.UrlEncode for backend code and escape for JavaScript). This way the browser will be forced to turn "It's me!" to "It%27s%20me%21". You can refer to this article for more on Url Encoding in JavaScript: http://www.javascripter.net/faq/escape.htm.
  5. Please elaborate on that, couldn't quite get what do you mean by "will comma-separate values if more than one is specified.".
  6. As far as I remember, none of them will. You will probably need to call HttpUtillity.UrlDecode / HttpUtillity.HtmlDecode (based on what input do you have) to get the string correctly, in the above example with "It's me!" you will do something like (see Example 1 as something's wrong with the code formatting if I put it after the numbered list).
回复 原文
~没有更多了~

关于作者

不甘平庸

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

微信用户

文章 0 评论 0

小情绪

文章 0 评论 0

追我者格杀勿论

文章 0 评论 0

ゞ记忆︶ㄣ

文章 0 评论 0

笨死的猪

文章 0 评论 0

彭明超

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文