 

Best practices in using querystring in ASP.NET? [closed]

I have been searching for some best practice guidance when using the QueryString in ASP.NET and haven't really found any.

I have found a helpful optimization article: http://dotnetperls.com/querystring

But I am more interested in answering the following questions:

  • Case rules? All lowercase? Pascal Case? Camel Case?
    • My personal preference is all lowercase, but consistency is most important.
  • Avoiding special characters in parameter names?
  • Should parameters and values be obfuscated for security purposes?

etc...

Any more guidelines would be appreciated!

Khan asked Feb 01 '11 21:02



1 Answer

Whatever is in your query string is viewable and changeable by the end user. This means they have the potential to change it to view or access data they shouldn't, or to influence the behavior of your site/app. So it goes without saying that you trust nothing on the query string, and check everything before you use it. When you check it, don't check for things that are wrong with it (that could be an infinite list), instead check for things that are correct. If even one of your checks fails then you should discard the query string data, or treat it as suspect. If you have encrypted or encoded the data on the query string it can still have unintended side effects if the user messes with it and you blindly trust it, even if the user's changes were nonsensical due to the encoding.

The one approach I take with storing sensitive data in the query string is to not do it; instead I will store the sensitive data server side (in the Session, Cache or a table in the database), and then I will have a randomly generated key (usually a GUID) in the query string to identify it, so the URL would look like this:

http://myurl.com/myPage.aspx?secretKey=73FA4A5A85A44C75ABB5E323569628D3

It is rather difficult to brute force a GUID and the chances of a GUID collision are infinitesimally small, so if the end user messes with the query string then they end up getting nothing.

This approach also works well when I need to store many things and the querystring starts to become too long - the data needing to be tracked can be kept in an object which is then stored in Session or Cache, and once again a GUID is used as its key.

slugster answered Sep 21 '22 08:09
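The two points in the answer above, positive (allow-list) validation of every query string parameter and keeping sensitive state server side behind an opaque GUID key, as an added ASP.NET Web Forms code-behind example. This is not code from the question or the answer; the page name `MyPage`, the parameter names `id`, `sort` and `secretkey`, the `ReportRequest` class and the `StartReport` method are all hypothetical.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for myPage.aspx (added example, not from the original answer).
public partial class MyPage : Page
{
    // Allow-list for the "sort" parameter: check for what is correct, never for what is wrong.
    private static readonly string[] AllowedSort = { "name", "date", "size" };

    // Positive grammar for "id": 1 to 9 ASCII digits, nothing else. Parameter names are kept lowercase.
    private static readonly Regex IdPattern = new Regex("^[0-9]{1,9}$", RegexOptions.Compiled);

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Integer parameter: exact shape first, then parse, then range. One failed check discards it.
        string rawId = Request.QueryString["id"];
        int id;
        if (rawId == null || !IdPattern.IsMatch(rawId) || !int.TryParse(rawId, out id) || id <= 0)
        {
            Reject(400);
            return;
        }

        // 2. Enumerated parameter: only listed values pass; the raw string is never used directly.
        string sort = (Request.QueryString["sort"] ?? "name").ToLowerInvariant();
        if (Array.IndexOf(AllowedSort, sort) < 0)
        {
            Reject(400);
            return;
        }

        // 3. Opaque key: the URL carries only a GUID; the sensitive data lives in Session.
        string rawKey = Request.QueryString["secretkey"];
        Guid key;
        if (rawKey == null || !Guid.TryParseExact(rawKey, "N", out key))
        {
            Reject(400);   // not even the right shape for a key
            return;
        }

        var state = Session[key.ToString("N")] as ReportRequest;
        if (state == null)
        {
            Reject(404);   // unknown or tampered key: the user gets nothing
            return;
        }

        // Render from the validated id, sort and server-side state only.
        // e.g. BindReport(id, sort, state);
    }

    // Stores the sensitive object server side and redirects with nothing but the GUID in the URL,
    // producing a link of the form myPage.aspx?secretkey=73FA4A5A85A44C75ABB5E323569628D3
    protected void StartReport(ReportRequest request)
    {
        string key = Guid.NewGuid().ToString("N");   // 32 hex characters, no braces or hyphens
        Session[key] = request;
        Response.Redirect("~/myPage.aspx?secretkey=" + HttpUtility.UrlEncode(key));
    }

    // Ends the response with a status code without raising ThreadAbortException (unlike Response.End).
    private void Reject(int statusCode)
    {
        Response.Clear();
        Response.StatusCode = statusCode;
        Response.SuppressContent = true;
        Context.ApplicationInstance.CompleteRequest();
    }
}

// Hypothetical server-side state object; [Serializable] so it survives out-of-process session storage.
[Serializable]
public class ReportRequest
{
    public int CustomerId { get; set; }
    public DateTime From { get; set; }
    public DateTime To { get; set; }
}
```

One caveat on where the keyed object is stored: in Session the GUID is only useful to the browser that owns the session cookie, so a leaked URL reveals nothing. If the object is kept in the shared Cache or a database table instead, the GUID alone is the capability to read it, so it must come from a cryptographic source (Guid.NewGuid() on .NET uses the OS random generator), should expire, and should be kept out of logs, Referer headers and bookmarks.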