I am trying to diagnose a problem that a client site has come across. Basically when you do an address search on their website you can specify a '%' symbol for wildcard searches. For example you can search for Be% to return Belfast etc.

This queries the database and then redirects you to the results page, passing the search criteria in the querystring, for example results.aspx?criteria=Search%20criteria%20is%20Be%

This caused problems if you searched for something like %Belf, as %Be is a reserved character in URL encoding. I therefore coded it to replace % with %25 (the URL-encoded representation of the '%' symbol). This works fine on my test machine, where the URL is now results.aspx?criteria=Search%20Criteria%20is%20%25Be .

This however doesn't work on our client's website for some reason, and I can't work out why. The page keeps erroring with:

Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter. Contact the server administrator. (12217)

Any time you search for something like %Be, %Fa, %Fe, etc.

Does anyone know if there is an IIS setting for this or something similar?

+2  A: 

You might have URLScan installed on your server. URLScan intercepts requests and rejects them if it detects invalid characters. It is meant to protect your website from malicious attacks and SQL injection. If you don't configure it correctly, it will reject perfectly reasonable requests. Take a look at the ISAPI filters on your website and see if URLScan is there.

Brian Bolton
No, there isn't anything in the ISAPI filters list, that's why I'm confused. IIS seems to be configured exactly how I have it configured on my test VM.
moorcroft
Make sure you're looking in the right place. In IIS6, right click the folder named Website and look at its ISAPI filters. URLScan does not show in the actual website's ISAPI filter list. Also, have you checked your IIS logs?
Brian Bolton
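An added diagnostic sketch, not part of the original posts: it encodes search terms the way the question describes and flags those whose value changes when decoded a second time. It assumes the rejecting filter applies a URLScan-style VerifyNormalization check (decode twice, reject on a difference) to the query string; the function names and sample terms are constructed for illustration.

```python
from urllib.parse import quote, unquote_to_bytes


def encode_criteria(term):
    """Percent-encode a search term for use as a query-string value.

    safe="" makes sure '%' becomes %25 and ' ' becomes %20.
    """
    return quote(term, safe="")


def fails_double_decode(encoded_value):
    """Return True if a second decode pass changes the value.

    Assumption: models a filter that normalizes twice and rejects the
    request when the two results differ. Malformed escapes such as a
    trailing '%' or '%Zz' are left untouched by the decoder.
    """
    once = unquote_to_bytes(encoded_value)
    twice = unquote_to_bytes(once)
    return once != twice


def report(terms):
    """Return (term, encoded, would_be_rejected) for each search term."""
    rows = []
    for term in terms:
        encoded = encode_criteria(term)
        rows.append((term, encoded, fails_double_decode(encoded)))
    return rows


# Constructed sample terms: wildcard before and after text, plus a
# non-hex pair for contrast.
SAMPLE_TERMS = ["Be%", "%Belf", "%Fa", "%Fe", "%Zz", "100% Be"]

if __name__ == "__main__":
    for term, encoded, rejected in report(SAMPLE_TERMS):
        verdict = "REJECT" if rejected else "pass"
        print(f"{term!r:12} criteria={encoded:16} {verdict}")
```

Under that assumption, only terms where '%' is followed by two hex digits are flagged, which matches the %Be, %Fa and %Fe cases in the question, while a trailing wildcard such as Be% passes.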