Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Best practices in using querystring in ASP.NET? [closed]

Tags:

query-string

asp.net

I have been searching for some best practice guidance when using the QueryString in ASP.NET and haven't really found any.

I have found a helpful optimization article: http://dotnetperls.com/querystring

But I am more interested in answering the following questions:

  • Case rules? All lowercase? Pascal Case? Camel Case?
    • My personal preference is all lowercase, but consistency is most important.
  • Avoiding special characters in parameter names?
  • Should parameters and values be obfuscated for security purposes?

etc...

Any more guidelines would be appreciated!

like image 358
Khan Avatar asked Feb 01 '11 21:02

Khan

People also ask

What shows the correct use of a query string in asp net?

The QueryString collection is used to retrieve the variable values in the HTTP query string. The line above generates a variable named txt with the value "this is a query string test". Query strings are also generated by form submission, or by a user typing a query into the address bar of the browser.

How can remove query string value in asp net?

The only way to 'clear' the query string is to do a redirect to the same URL but without the query string part.

1 Answers

Whatever is in your query string is viewable and changeable by the end user. This means they have the potential to change it to view or access data they shouldn't, or to influence the behavior of your site/app. So it goes without saying that you trust nothing on the query string, and check everything before you use it. When you check it, don't check for things that are wrong with it (that could be an infinite list), instead check for things that are correct. If even one of your checks fails then you should discard the query string data, or treat it as suspect. If you have encrypted or encoded the data on the query string it can still have unintended side effects if the user messes with it and you blindly trust it, even if the user's changes were nonsensical due to the encoding.

The one approach I take with storing sensitive data in the query string is to not do it; instead I will store the sensitive data server side (in the Session, Cache or a table in the database), and then I will have a randomly generated key (usually a GUID) in the query string to identify it, so the URL would look like this:

http://myurl.com/myPage.aspx?secretKey=73FA4A5A85A44C75ABB5E323569628D3

It is rather difficult to brute force a GUID and the chances of a GUID collision are infinitesimally small, so if the end user messes with the query string then they end up getting nothing.

This approach also works well when I need to store many things and the querystring starts to become too long - the data needing to be tracked can be kept in an object which is then stored in Session or Cache, and once again a GUID is used as its key.

like image 133
slugster Avatar answered Sep 21 '22 08:09

slugster
Sign in to Comment

Related questions

tracking pixel or javascript include?
Using Ajax, is it better to generate additional markup in the server or the client side?
ASP .NET Check for Session
What risk does Reflection pose? (Medium Trust)
Programmatically change resource file language (resx) in Code Behind
Regex to limit string length for strings with new line characters
How to handle input and parameter validation between layers?
How do I include a newline in a text message sent as email from an ASP.Net application?
ValidateRequest = False but in action it's still True and ignored that?
GridView doesn't remember state between postbacks
Accessing Form Authentication Ticket
Detect ajax call, ASP.net
ASP.NET Session in Global.asax
Custom Validation Attribute MVC2
ASP.NET WebMethod with jQuery json, is there a size limit?
session variables timeout in asp.net app
C# code runs quick on IIS, but slow on Mono - how to improve it?
How to automatically authenticate windows integrate without login popup?
IIS express requests take 4 times longer to execute
where is session state, application state in page life cycle?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!