问题
I am testing an ASP.NET web form which needs to filter out null characters from input.
To test this functionality, how can I actually type a null character in the html form? I've tried Alt+0 but it does not work.
I know I can do it in a GET request by using "%00" in the URL. However, I want to do it in a form POST.
回答1:
I was able to do this using TamperData Firefox plugin.
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
When given the Tamper Popup I typed "%00" in the Post Parameter Value field.
Still, I cannot find a way to type a null character just using the keyboard.
回答2:
my suggestion would be to write the null character to an html element you would like it in ex:
document.getElementByID("my_null_tag").innerHTML += "\0"
回答3:
<html>
<body onload='document.forms[0].submit();'>
<form method="post" action="http://localhost/test.asp" >
<input type="hidden" name="param" value="%00">
</form>
</body>
</html>
回答4:
You can use an HTML entity. Not fully sure of how many zeroes are required but:
�
For an arbitrary Unicode character it's easier to use the hexadecimal notation. E.g., ㍝ prints ㍝ wich is U+335D.
Update: This question is pretty tricky indeed. I've managed to insert a null character inside an HTML document (using a server-side script and verified with an hexadecimal editor). As expected, there is no difference with the HTML entity, which can be either � or �. But the browser does not send the character in the post request (tested with Firefox and Firebug): it sends %EF%BF%BD, which is REPLACEMENT CHARACTER' (U+FFFD). Exactly, it sends the interrogation mark in a box that's used to print the null in the document (given that null is not printable).
My guess is that your testers need to script the task.
回答5:
Use AJAX to submit the form. I.e. paste something like this in the address bar instead:
javascript:(function(){var xhr=new XMLHttpRequest();xhr.onreadystatechange=function(){if(this.readyState==4){document.write(this.responseText)}};xhr.open("POST",'/form',true);xhr.send("\0");})()
Here it is unwrapped, so you can actually see it:
(function() {
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
if (this.readyState == 4) {
document.write(this.responseText);
}
};
xhr.open("POST", '/form', true);
xhr.send("\0");
})()
There are some limitations to this, of course, since it just blindly replaces the content of the current page with whatever it got back. But this might be enough to tell if something went wrong or not.
回答6:
A Latin character O with a slash through it is often acceptable as a symbol for Null/Nul (or blank if you prefer). If you are using database-driven applications you'll want to sanitize this symbol to replace with null or blank, depending on your needs.
How to do it: ALT + 0216 in your favorite editor should give you Ø - which is, for this display purpose, Null.
Then, as an example and a best practice, you'll sanitize the form submission before it gets passed to the database.
Example Case: If feeding a database-driven PHP site, your sanitation of this specific character this might look something like...
$dbstring = str_replace(Ø,NULL); and the value will be NULL
Or try...
$dbstring = str_replace(Ø,""); and the value will be BLANK
! alternatively, you may want to do this display with the HTML entity codes, which I mention below.
Alt + 0216 explained If using a normal 104-key keyboard with English (American) set as your primary language, hold down the ALT key, and while holding, use the NUMBER PAD keys to enter 0216. Then release the ALT key, and your character should appear. *This is primarily a Windows method. Macintosh, (X)nix and bsd users, you will probably be stuck using the HTML entity codes.
Special note: use of the top-of-keyboard numbers doesn't work. If you are on a laptop or other device that makes this difficult or impossible. try an alternative: Use the HTML entity codes:
Ø = Ø (usually for null)
ø = ø (could be used, but the upper-case version seems more appropriate.)
Other thoughts that might be helpful: Nul vs Null vs Blank - They fundamentally mean the same thing, but different programming languages use or require these differently. (There's others too, like NULPTR for Null Pointer.)
The point I'm trying to make with NUL/NULL, is that the submitted variable 'doesn't exist' or simply 'wasn't there at all'. In most contexts, you can simply call this "Null" and be understood.
Some database systems treat Blank and NULL as the same thing. Others, Blank is actually an empty value, whereas NULL is no value at all (like mentioned above.)
Hopefully this helps in building the view you're looking for.
来源:https://stackoverflow.com/questions/6961208/how-to-input-a-null-character-into-a-web-form