skip to content »

Asp net validating querystring

The user will still see the querystring parameters as plain-text in their Address bar.

With a Web application, each Web page serves as a public interface to the Web applications, and for Web pages whose functionality is based on user-supplied parameters (i.e., querystring or form-posted values) each potential input represents a unique interface.

Having a potentially unlimited number of public interfaces greatly increases the complexity and forethought required in building secure and consistent Web applications.

This approach is less than ideal if you're wanting to create an entire site where all links are tamper-proof.

For example, the code in this article is sensitive to the ordering and the set of tamper-proof querystring parameters; ergo, both the sending and receiving page must agree upon these tamper-proof parameters and their ordering, which can be prohibitive.

An upcoming article will discuss are more generalized approach for creating truly tamper-proof URLs, ones that do not require the receiving and sending page to agree upon the set of tamper-proof querystring parameters.

asp net validating querystring-4

For example, imagine that you have a website that you charge customers a monthly fee to use.In order to woo a potential customer, you might want to give them a chance to visit and check out the site.

asp net validating querystring-79asp net validating querystring-1

If you have any you'd like to share to be included in this article, please let me know.(We'll discuss some of these cases in more detail further on in this article.) Such tamper-proof URLs can be created quite easily by using a one-way hash to sign the querystring parameters that you do not want edited and appending that signature to the querystring.The web page being visited, then, can apply the same hash to the plain-text querystring parameters and ensure that it matches up to the signature included in the querystring.Since URLs can easily be changed by even the most novice user, it is paramount that you do not place any state information in the querystring that you do not mind the user change, or, if you do, you need to validate in the web page's code to ensure that the user has not modified the querystring to an unacceptable state.For example, imagine that you had a website with a page where a user could modify their account.What's important to understand is that creating a tamper-proof URL does not hide the querystring parameters from the end user.