
WebRequest Parameter Utility

6 Sep 2007, CPOL
A library that packs web request parameters into a single request parameter protected by a message authentication code, so that unwanted data cannot be injected by editing the URL.

Introduction

The WebParam class packs one or more web request parameters into a single request parameter. It also protects that parameter with a message authentication code (MAC), so that any modification of the transported data on its way between pages is detected.

Normally, a web request with parameters looks like this:

www.mydomain.com/myweb/page.aspx?ID=1234&name=jasmine

In this example the user can change the value of ID or name before the request is made, since both are visible in the browser's address bar. The receiving page then needs an additional check of its own just to handle that situation.

Using the ParamUtils.WebParam class, the same request looks like this:

www.mydomain.com/myweb/page.aspx?data=JmlkPTEyMzQmbmFtZT1yYW5keg%3d%3d-t0j9KL4WQHs%3d

Any change to the value of the parameter "data" will raise an exception, signifying that the data has been tampered with. This eliminates the chance of modifying the data between the referring page and the consumer page. Be precise about what this does and does not give you: the part before the "-" is only Base64-encoded, not encrypted (decoding JmlkPTEyMzQmbmFtZT1yYW5keg== yields &id=1234&name=randz, so the values remain readable to anyone who sees the URL), and the 8-byte value after the "-" is the authentication tag. The tag detects modification; it does not stop a user from reusing a "data" value that was legitimately issued to them, or from presenting it to a different page that accepts the same parameter names. Pages that need those guarantees must include something like an expiry or a per-session value among the signed parameters and check it themselves.

Using the Code

To use the code, add a reference to ParamUtils.dll in your web application project. The library contains the ParamUtils.WebParam class.

The class exposes two public methods:

  • Encode(System.Web.UI.Pair[])
  • GetQuery(string, string)

The example below shows how to use the Encode method:

using System;
using System.Web.UI;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Pair.First is the parameter name, Pair.Second its value.
            // Encode packs both pairs into one Base64 value with the MAC appended.
            hl.NavigateUrl = "Default2.aspx?data=" +
                ParamUtils.WebParam.Encode(new Pair("id", "1234"),
                                           new Pair("name", "jasmine"));
        }
    }
}

As you can see, ParamUtils.WebParam.Encode accepts zero or more Pair arguments (a params array). Note that Encode uses Pair.First as the name of the request parameter and Pair.Second as its value.

To read the parameters back on the consumer page, use ParamUtils.WebParam.GetQuery, as in the example below:

using System;
using System.Web.UI;

public partial class Default2 : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Read the encoded parameter from the query string only; Request.Params
            // would also merge form fields, cookies and server variables.
            string data = Request.QueryString["data"];
            if (data == null)
            {
                Response.Write("Missing data parameter");
                return;
            }
            try
            {
                // HTML-encode the values before writing them into the page.
                Response.Write("ID: " +
                    Server.HtmlEncode(ParamUtils.WebParam.GetQuery(data, "id")) + "<br>");
                Response.Write("Name: " +
                    Server.HtmlEncode(ParamUtils.WebParam.GetQuery(data, "name")) + "<br>");
            }
            catch (ArgumentException ex)
            {
                // The requested name is not present in the encoded data.
                Response.Write("Argument Exception caught: " + Server.HtmlEncode(ex.Message));
            }
            catch (Exception ex)
            {
                // "Invalid query string": the MAC check failed, the data was modified or corrupted.
                Response.Write("General Exception caught: " + Server.HtmlEncode(ex.Message));
            }
        }
    }
}

ParamUtils.WebParam.GetQuery throws an ArgumentException when the requested name is not present in the encoded parameter. It throws a plain Exception with the message "Invalid query string" when the data has been changed or corrupted in transit, that is, when the authentication tag no longer matches. This ensures that the data produced by the referring page cannot be modified before it reaches the consumer page. Because that failure is signalled with the base Exception type, the catch-all in the sample above also swallows unrelated errors; in either case the safe response is to treat the whole request as invalid rather than to act on any of its values.

Points of Interest

The WebParam class uses System.Security.Cryptography.MACTripleDES and System.Security.Cryptography.MD5CryptoServiceProvider to authenticate the request parameter values. The Key property of MACTripleDES is set to the MD5 hash of the public HashKey property; MD5 yields 16 bytes, so the MAC runs with a two-key TripleDES key and produces the 8-byte (64-bit) tag seen as the second part of the encoded value above. Both primitives are legacy: MACTripleDES exists only on .NET Framework, and a 64-bit CBC-MAC under an MD5-derived key is well below what is expected today. New code should use HMACSHA256 from the same namespace with a random key of at least 32 bytes; the rest of the design carries over unchanged. You can assign HashKey anywhere, as long as the assignment happens before the first call to Encode or GetQuery. I suggest doing it in global.asax inside Application_Start, as in the sample below:

// global.asax; requires a reference to System.Configuration
void Application_Start(object sender, EventArgs e) 
{
    // "key" is an appSettings entry in web.config holding a long random secret
    ParamUtils.WebParam.HashKey = ConfigurationManager.AppSettings["key"];
}

If you do not provide a HashKey value, WebParam falls back to a default built into the library. Do not rely on it: the default is the same for everyone who downloads ParamUtils.dll, so anyone who has the assembly can compute valid tags and forge a "data" parameter. Treat HashKey as a secret, generate a long random value for each deployment, and keep it out of source control. Also note that HashKey must not change between a call to Encode and the matching GetQuery (on a web farm every server must share the same value), otherwise every link issued earlier will fail verification.
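As an added example (our code, not the ParamUtils library, whose source is not reproduced on this page), here is the same design carried forward with the primitives recommended today. It keeps the article's shape, one Base64 value carrying the packed parameters plus an authentication tag, but uses HMACSHA256 with a random 32-byte key instead of MACTripleDES keyed by MD5(HashKey), binds the tag to the target page and an expiry so an issued token cannot be reused on another page or indefinitely, and compares tags in constant time. The class and method names (SignedQuery, SetKey, Encode, Decode) and the "." separator are assumptions of this example; in a real application the key would be loaded in Application_Start exactly as the HashKey sample above shows.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not the ParamUtils code: the article's "one signed parameter" idea rebuilt with
// HMAC-SHA256. The tag also covers the target page and an expiry, and is compared in constant time.
// All names here (SignedQuery, SetKey, Encode, Decode) are ours, not the library's.
public static class SignedQuery
{
    private static byte[] _key;   // random per-deployment secret; load from configuration, never a built-in default

    public static void SetKey(byte[] key)
    {
        if (key == null || key.Length < 32) throw new ArgumentException("key must be at least 32 random bytes");
        _key = key;
    }

    // Value for "?data=": base64url(payload) + "." + base64url(HMAC(payload)),
    // where payload = page|expiry|name=value&name=value with every field URL-escaped.
    public static string Encode(string targetPage, int lifetimeSeconds, IDictionary<string, string> parameters)
    {
        if (_key == null) throw new InvalidOperationException("call SetKey first");
        StringBuilder sb = new StringBuilder();
        sb.Append(Uri.EscapeDataString(targetPage)).Append('|').Append(UnixNow() + lifetimeSeconds).Append('|');
        bool first = true;
        foreach (KeyValuePair<string, string> kv in parameters)
        {
            if (!first) sb.Append('&');
            first = false;
            sb.Append(Uri.EscapeDataString(kv.Key)).Append('=').Append(Uri.EscapeDataString(kv.Value));
        }
        byte[] payload = Encoding.UTF8.GetBytes(sb.ToString());
        return Base64Url(payload) + "." + Base64Url(Mac(payload));
    }

    // Verifies the tag, the page binding and the expiry, then returns the parameters; throws on any failure.
    public static Dictionary<string, string> Decode(string data, string currentPage)
    {
        if (string.IsNullOrEmpty(data)) throw new ArgumentException("missing data parameter");
        byte[] payload, tag;
        try
        {
            int dot = data.LastIndexOf('.');
            if (dot < 0) throw new FormatException();
            payload = FromBase64Url(data.Substring(0, dot));
            tag = FromBase64Url(data.Substring(dot + 1));
        }
        catch (FormatException) { throw new ArgumentException("Invalid query string"); }
        // Check the tag before parsing anything else, so unauthenticated input is never interpreted.
        if (!FixedTimeEquals(Mac(payload), tag)) throw new ArgumentException("Invalid query string");
        string[] parts = Encoding.UTF8.GetString(payload).Split(new[] { '|' }, 3);
        if (parts.Length != 3) throw new ArgumentException("Invalid query string");
        if (Uri.UnescapeDataString(parts[0]) != currentPage) throw new ArgumentException("token was issued for a different page");
        if (long.Parse(parts[1]) < UnixNow()) throw new ArgumentException("token has expired");
        Dictionary<string, string> result = new Dictionary<string, string>();
        if (parts[2].Length == 0) return result;
        foreach (string pair in parts[2].Split('&'))
        {
            int eq = pair.IndexOf('=');
            result[Uri.UnescapeDataString(pair.Substring(0, eq))] = Uri.UnescapeDataString(pair.Substring(eq + 1));
        }
        return result;
    }

    private static byte[] Mac(byte[] p) { using (HMACSHA256 h = new HMACSHA256(_key)) return h.ComputeHash(p); }

    private static bool FixedTimeEquals(byte[] a, byte[] b)   // no early exit on the first differing byte
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static long UnixNow() { return (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds; }
    private static string Base64Url(byte[] b) { return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_'); }

    private static byte[] FromBase64Url(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        int pad = (4 - t.Length % 4) % 4;
        if (pad == 3) throw new FormatException();
        return Convert.FromBase64String(t + new string('=', pad));
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] key = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        SignedQuery.SetKey(key);
        Dictionary<string, string> p = new Dictionary<string, string> { { "id", "1234" }, { "name", "jasmine" } };
        string data = SignedQuery.Encode("Default2.aspx", 300, p);
        Console.WriteLine("Default2.aspx?data=" + data);
        Console.WriteLine("id = " + SignedQuery.Decode(data, "Default2.aspx")["id"]);
        string tampered = (data[0] == 'A' ? 'B' : 'A') + data.Substring(1);   // one changed payload character
        try { SignedQuery.Decode(tampered, "Default2.aspx"); } catch (ArgumentException e) { Console.WriteLine("tampered: " + e.Message); }
        try { SignedQuery.Decode(data, "Other.aspx"); } catch (ArgumentException e) { Console.WriteLine("wrong page: " + e.Message); }
    }
}
```

Decode takes the name of the page that received the request, and the tag is verified before any other field is parsed, so malformed or forged input is rejected without ever being interpreted. The demo prints the signed URL and the recovered id, then shows the two rejections: a single changed character in the payload, and a valid token presented to a page it was not issued for. The payload is still only Base64-encoded, exactly as in the article; if the values themselves must stay private they need encryption in addition to the MAC.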

Encryption of the key values in the config file is not covered in this article; you can find some ideas on the following links:

Credits

This article includes ideas from some code snippets in the public domain. Some ideas were also sparked by an article on 4guysfromrolla.

History

  • September 6, 2007 - Initial version.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

/randz
Software Developer (Senior)
United States
I am working as a full-time Software Developer in the Downtown DC Area

Comments and Discussions

  • Question: Length limitations? (arslantik, 13-Sep-07)
  • Answer: Re: Length limitations? (/randz, 13-Sep-07)
  • General: WebRequest (Fregate, 11-Sep-07)
  • General: Re: WebRequest (/randz, 11-Sep-07)
  • General: I love it! (fredde_d, 11-Sep-07): "This is very useful. Thanks!"
  • General: 10 (domenech, 11-Sep-07)
  • General: Good Idea (merlin981, 7-Sep-07)
  • Question: Can you hide the query string? (toticow, 6-Sep-07)
  • Answer: Re: Can you hide the query string? (/randz, 9-Sep-07)
  • General: Hi! (ollli_janssen, 6-Sep-07)
  • General: Re: Hi! (/randz, 6-Sep-07)
Last Updated 7 Sep 2007
Article Copyright 2007 by /randz