如果url为： http://www.mysite.com/content/default.aspx?tabid=2&subtabid=3

以下下是条件，iis内置的变量

{URL} 匹配  content/default.aspx

{QUERY_STRING} 匹配 tabid=2&subtabid=3

{HTTP_HOST}     匹配 www.mysite.com

{SERVER_PORT} 匹配 80

{SERVER_PORT_SECUR}  The SERVER_PORT_SECURE server variable contains 0 and HTTPS contains OFF.

{REQUEST_URI} 匹配 content/default.aspx?tabid=2&subtabid=3

实例：
1，http://localhost/aaa/ (打开aaa中的index.php)
结果：

$_SERVER['QUERY_STRING'] = "";
$_SERVER['REQUEST_URI']  = "/aaa/";
$_SERVER['SCRIPT_NAME']  = "/aaa/index.php";
$_SERVER['PHP_SELF']     = "/aaa/index.php";

2，http://localhost/aaa/?p=222 (附带查询)
结果：

$_SERVER['QUERY_STRING'] = "p=222";
$_SERVER['REQUEST_URI']  = "/aaa/?p=222";
$_SERVER['SCRIPT_NAME']  = "/aaa/index.php";
$_SERVER['PHP_SELF']     = "/aaa/index.php";

3，http://localhost/aaa/index.php?p=222&q=333
结果：

$_SERVER['QUERY_STRING'] = "p=222&q=333";
$_SERVER['REQUEST_URI']  = "/aaa/index.php?p=222&q=333";
$_SERVER['SCRIPT_NAME']  = "/aaa/index.php";
$_SERVER['PHP_SELF']     = "/aaa/index.php";

由实例可知：

$_SERVER["QUERY_STRING"]  获取查询 语句，实例中可知，获取的是?后面的值
$_SERVER["REQUEST_URI"]   获取 http://localhost 后面的值，包括/
$_SERVER["SCRIPT_NAME"]   获取当前脚本的路径，如：index.php
$_SERVER["PHP_SELF"]      当前正在执行脚本的文件名

实例： 如www.zfcdn.xyz/?1.html  301到www.zfcdn.xyz/11.html

<rule name="Bloc">
      <match url="^(.*)" ignoreCase="false" />
      <conditions>
        <add input="{QUERY_STRING}" pattern="1.html" ignoreCase="false" />
      </conditions>
      <action type="Redirect" url="http://www.zfcdn.xyz/11.html" appendQueryString="false" />
</rule>