What is the best alternative for QueryString

Question

We heard a lot about the vulnerabilities of using QueryStrings and the possible attacks. Aside from that, yesterday, an error irritated me so much that i just decide to stop using QueryStrings, i was passing something like:

Dim url As String = "pageName.aspx?type=3&st=34&am=87&m=9"

I tried to

Response.Write(url)

in the redirecting page, it printed the "type" as 3, then i tried it in the target page, it printed 3,0....i know this can be easily dealt with, but why? i mean why should i pass 3 and have to check for 3.0 in the next page's load to take my action accordingly???

So what should we use? what is the safest way to pass variables, parameters...etc to the next page?

Answer 1

You could use Cross-Page Postbacks.

Check also this article:

• How to: Pass Values Between ASP.NET Web Pages

Answer 2

There are many options you can use, most of them requires you to build a strategy to pass variables between pages.

In most projects I use this strategy, I create a formVariables class to hold currently active items. it has properties which you will need to pass by querystring. and I store this class at session. and in my base page I read it from session. so in every page I get values over this object. the only negative thing about this method is to clean up items when you finished your work on it..

hope this helps.

Answer 3

First, in asp .net you can use several strategys to pass values between pages. You have viewstate too, however the viewstate store the value and the use is in different scenarios , you can use it too. Sessions instead, and of course by post in a form.

If your problem is the security, I recommended you to create 2 users for accesing the data. One user with read only access, this for accessing the pages ( Sql Inyection prevent ) and validate the data throw the querystring. And One with write access for your private zone.

Sorry, for my unreadeable English.

Answer 4

If you do proper security checks on each page load then the querystring is fine and most flexible IMHO.

They provide the most flexibility as the entry poitn to a page is not dependant on the sender as in some other options. You can call a page from any point within your own app or externally if needed via querystrings. They can also be bookmarked and manually modified for testing or direct manipulation.

Again the key is adding proper security and validation to the querystring, and not processing it blindly. Keep in mind that the seucirty goes beyond having edit or read access, depending on the data and user, they may not have access to the data with thos paranters at all, in cases where data is owned and private to specific users.

We have tried various methods, in an attempt to hide the querystring but in the end have gone back to it, as it is easier to do, debug, and manage.

Answer 5

I like to use query string as I like users to be able to bookmark things like common searches and the like. E.g. if a page can work stand-alone then I like to it to be able to work stand-alone.

Using session/cross-page postbacks is cool if you needed to come from another page for the page you're on to make sense, but otherwise I generally find querystrings to be the better solution.

Just remember that query strings are unvalidated input and treat them with the caution you would treat any unvalidated input.

Answer 6

You said:

it printed 3,0....i know this can be easily dealt with, but why? i mean why should i pass 3 and have to check for 3.0

There's a difference between "3,0" (three comma oh) and "3.0" (three point oh). You also said that you were "passing something like".

In a query string, if you pass multiple values in the same key, they will be seperated with commas.

As all values are passed as strings there's no way that an int "3" is going to magically become decimal "3.0" unless you parse it as such when you request it.

I'd go back and double check what you are passing into your URL, if it ends up as something like:

pageName.aspx?type=3&st=34&am=87&m=9&type=0

Then when you read back

Request.QueryString["type"]

You'll get "3,0" back as the comma seperated list of values in that key.

Answer 7

The best / most secure way to pass info between pages is to use the session.

// On page 1:
this.Session["type"] = 3;

// On Page 2:
int type = (int)this.Session["type"];

You can store any kind of object in the session and it is stored on the server side, so the user can't manipulate it like a query string, viewstate, or hidden field

Answer 8

I would sugest you avoid using Session to pass variables between pages as this breaks the stateless model of the web. if you have just stored some values in session that relate to a certain page then the user uses their browsers back button to go back to the same page whcih should have a different state then you are not going to know about it.

It leads to the possibility of reading session values that are not relevant to the page the user is currently viewing - Which is potentially very confusing for the end user. You will also run into issues with session expiration if you rely on it too much.

I personally try to avoid using session where possible in preference of hidden form values + query strings that can be read on postback + navigation.