Introduction
The WebParam class is used to encapsulate one or more web request parameters into a single request parameter. This class also provides security using message authentication, to ensure that the transported data has not been tampered with in transit.
Normally, a web request with parameters looks like this:
www.mydomain.com/myweb/page.aspx?ID=1234&name=jasmine
In this example, a user can change the value of ID or name (since it is visible in the address bar of the web browser) before actually performing the request. An additional precautionary measure is then needed to address this kind of situation.
Using the ParamUtils.WebParam class, the web address will be displayed like this:
www.mydomain.com/myweb/page.aspx?data=JmlkPTEyMzQmbmFtZT1yYW5keg%3d%3d-t0j9KL4WQHs%3d
Any change to the value of the parameter "data" will raise an exception, signifying that the data has been tampered with. This eliminates the chance of tampering with the data from the referring page before it is passed to the consumer page.
Using the Code
To use the code, add a reference to ParamUtils.dll in your web application project. This library contains the ParamUtils.WebParam class.
These are the two public methods that can be used in this class:
Encode(System.Web.UI.Pair[])
GetQuery(string, string)
The example below shows how to use the Encode method:
using System;
using System.Web.UI;

public partial class _Default : System.Web.UI.Page
{
    // hl is the HyperLink control declared in the page markup
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
            // Pair.First holds the parameter name, Pair.Second its value
            hl.NavigateUrl = "Default2.aspx?data=" +
                ParamUtils.WebParam.Encode(new Pair("id", "1234"),
                                           new Pair("name", "jasmine"));
    }
}
As you can see, the ParamUtils.WebParam.Encode method accepts zero or more Pair parameters. Please take note that ParamUtils.WebParam.Encode uses Pair.First to store the name of the request parameter and Pair.Second to store its value.
To retrieve the values of the request parameters passed through the ParamUtils.WebParam.Encode method, use the ParamUtils.WebParam.GetQuery method. See the example below:
using System;

public partial class Default2 : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            try
            {
                // GetQuery verifies the MAC on "data" before returning the requested value;
                // a missing "data" parameter makes ToString() throw, which lands in the general catch
                Response.Write("ID: " +
                    ParamUtils.WebParam.GetQuery(
                        Request.Params["data"].ToString(), "id") + "<br>");
                Response.Write("Name: " +
                    ParamUtils.WebParam.GetQuery(
                        Request.Params["data"].ToString(), "name") + "<br>");
            }
            catch (ArgumentException ex)
            {
                // thrown when the requested query name is not present in "data"
                Response.Write("Argument Exception caught: " + ex.Message);
            }
            catch (Exception ex)
            {
                // thrown with "Invalid query string" when "data" was modified or corrupted
                Response.Write("General Exception caught: " + ex.Message);
            }
        }
    }
}
ParamUtils.WebParam.GetQuery throws an ArgumentException when the query name is not found in the request parameter. It also throws a general Exception with the message "Invalid query string" when the data has been changed and/or corrupted during transport. This ensures that the data from the referring page is not modified before being passed to the consumer page.
Points of Interest
The WebParam class uses System.Security.Cryptography.MACTripleDES and System.Security.Cryptography.MD5CryptoServiceProvider to encode the request parameter values. The value of the Key property of MACTripleDES comes from the MD5 hash of the public property HashKey. You can assign this key anywhere, as long as the assignment is done before the actual use of Encode and GetQuery. I suggest that you put it inside global.asax, in Application_Start. See the sample below:
// requires a reference to System.Configuration for ConfigurationManager
void Application_Start(object sender, EventArgs e)
{
    // read the secret from <appSettings> so it never lives in source code
    ParamUtils.WebParam.HashKey = ConfigurationManager.AppSettings["key"];
}
If you are too lazy to provide a HashKey value ;-), don't worry, WebParam just uses a default value (bear in mind that a default key built into the library is known to anyone who has the library, so tokens produced with it can be forged). Also, please take note that the HashKey value must not be changed between calls to Encode and GetQuery.
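To make the Encode/GetQuery round trip and the "Invalid query string" check concrete, here is an added example that is not the ParamUtils library's code: it reproduces the same wire format as the article's data parameter (base64 of "&name=value..." followed by "-" and the base64 tag) but uses HMAC-SHA256 keyed directly from the secret instead of MACTripleDES keyed with MD5(HashKey), and the SignedQuery class and Secret field are assumed names.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class SignedQuery
{
    // Stands in for WebParam.HashKey; constructed demo value, load it from configuration in practice.
    public static string Secret = "constructed-demo-secret";
    // HMAC-SHA256 over the raw query bytes (the library uses MACTripleDES keyed with MD5(HashKey)).
    static byte[] Tag(byte[] payload)
    {
        using (var h = new HMACSHA256(Encoding.UTF8.GetBytes(Secret)))
            return h.ComputeHash(payload);
    }
    // Constant-time compare so verification time leaks nothing about how many tag bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Builds "&k=v&k=v", then base64(query) + "-" + base64(tag), URL-escaped like the article's data value.
    public static string Encode(params KeyValuePair<string, string>[] pairs)
    {
        var sb = new StringBuilder();
        foreach (var p in pairs)
            sb.Append('&').Append(Uri.EscapeDataString(p.Key)).Append('=').Append(Uri.EscapeDataString(p.Value));
        byte[] payload = Encoding.UTF8.GetBytes(sb.ToString());
        // Base64 is encoding, not encryption: the values stay readable in the address bar; the tag only detects edits.
        return Uri.EscapeDataString(Convert.ToBase64String(payload) + "-" + Convert.ToBase64String(Tag(payload)));
    }
    // Verifies the tag before any value is trusted; a modified payload or tag fails with "Invalid query string".
    public static string GetQuery(string data, string name)
    {
        string token = Uri.UnescapeDataString(data ?? "");
        int dash = token.IndexOf('-'); // '-' is not in the base64 alphabet, so it cleanly separates payload and tag
        if (dash < 0) throw new Exception("Invalid query string");
        byte[] payload = Convert.FromBase64String(token.Substring(0, dash)); // throws FormatException if corrupted
        byte[] tag = Convert.FromBase64String(token.Substring(dash + 1));
        if (!FixedTimeEquals(Tag(payload), tag)) throw new Exception("Invalid query string");
        foreach (string part in Encoding.UTF8.GetString(payload).Split('&'))
        {
            int eq = part.IndexOf('=');
            if (eq > 0 && Uri.UnescapeDataString(part.Substring(0, eq)) == name)
                return Uri.UnescapeDataString(part.Substring(eq + 1));
        }
        throw new ArgumentException("Query name not found: " + name);
    }
}
```

Encoding id=1234 and name=jasmine, then editing a single character of the returned token (or changing Secret between the two calls) makes GetQuery throw, while the untouched token yields "1234" and "jasmine".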
Encryption of the key values in the config file is not covered in this article; you can find some ideas on the following links:
Credits
This article includes ideas from some code snippets from the public domain. Some ideas also sparked from an article in 4guysfromrolla.
History
- September 6, 2007 - Initial version.