
Encrypting Query Strings

13 Feb 2009, CPOL
Encryption and decryption of Query Strings.

Introduction

We often pass values between pages in the form of a query string as key-value pairs. The query string is the easiest and most widely practiced mechanism for transferring small pieces of data between web pages. I have come across the problem of readable text/data being passed in the query string. The end user may change the value in the query string to play around with the application, which compromises the security and data integrity of the system.

Solution

I have worked on the problem and developed a small piece of code that encrypts and decrypts the query string with a specified key. So, the URL looks something like http://<Web Address>/Page2.aspx?Q5vcD9JTYpWVEowhCJ/PMAjkzatZ22ouiESQebrzyjx0IhRCEZigHp3YMVRwkAXD.

Using the code

In the sample application, I have developed two pages, Page1.aspx and Page2.aspx, apart from a class EncryptDecryptQueryString.cs for encryption and decryption.

Page1.aspx has three fields which the user fills in, and after the submission of the form, the values from the fields are sent across to Page2.aspx in the form of an encrypted query string. In Page2.aspx, the query string is decrypted, and the original values are retrieved to be shown in labels.

The important fact that I would like to mention is that a key is used to encrypt and decrypt the query string data.

The class - EncryptDecryptQueryString.cs

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class EncryptDecryptQueryString
{
    // DES key bytes, derived from the key string passed to Encrypt/Decrypt.
    private byte[] key = { };
    // Fixed 8-byte initialization vector, shared by Encrypt and Decrypt.
    private byte[] IV = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xab, 0xcd, 0xef };

    // Decrypts a Base64 string produced by Encrypt. On any failure the
    // exception message is returned in place of the plaintext.
    public string Decrypt(string stringToDecrypt, string sEncryptionKey)
    {
        try
        {
            // DES needs exactly 8 key bytes.
            key = Encoding.UTF8.GetBytes(sEncryptionKey);
            DESCryptoServiceProvider des = new DESCryptoServiceProvider();
            byte[] inputByteArray = Convert.FromBase64String(stringToDecrypt);
            MemoryStream ms = new MemoryStream();
            CryptoStream cs = new CryptoStream(ms,
              des.CreateDecryptor(key, IV), CryptoStreamMode.Write);
            cs.Write(inputByteArray, 0, inputByteArray.Length);
            cs.FlushFinalBlock();
            return Encoding.UTF8.GetString(ms.ToArray());
        }
        catch (Exception e)
        {
            return e.Message;
        }
    }

    // Encrypts a string with DES and returns the ciphertext as Base64.
    // On any failure the exception message is returned instead.
    public string Encrypt(string stringToEncrypt, string SEncryptionKey)
    {
        try
        {
            key = Encoding.UTF8.GetBytes(SEncryptionKey);
            DESCryptoServiceProvider des = new DESCryptoServiceProvider();
            byte[] inputByteArray = Encoding.UTF8.GetBytes(stringToEncrypt);
            MemoryStream ms = new MemoryStream();
            CryptoStream cs = new CryptoStream(ms,
              des.CreateEncryptor(key, IV), CryptoStreamMode.Write);
            cs.Write(inputByteArray, 0, inputByteArray.Length);
            cs.FlushFinalBlock();
            return Convert.ToBase64String(ms.ToArray());
        }
        catch (Exception e)
        {
            return e.Message;
        }
    }
}

In the class above, you will find that there are two methods, one to encrypt and the other to decrypt. Please note that each method accepts the string to encrypt or decrypt in addition to the key used for the operation. This key is to be kept secret, and the same key should be used to perform both operations.
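The class above uses DES in CBC mode with a fixed IV and no authentication tag, so it hides the values but cannot detect a modified ciphertext, and its standard Base64 output can contain '+', '/' and '='. The following is an added example, not part of the original article: an encrypt-then-MAC variant using AES-CBC with a random IV and HMAC-SHA256, emitted as URL-safe Base64. The class name `ProtectedQueryString`, its method names and the two-key parameters are assumptions made for this example; it assumes .NET 3.5 or later and randomly generated keys stored outside the source code.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
public static class ProtectedQueryString
{
    // encKey: 32 random bytes (AES-256); macKey: a separate random key for HMAC-SHA256.
    public static string Protect(string plain, byte[] encKey, byte[] macKey)
    {
        using (Aes aes = Aes.Create())
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;
            aes.GenerateIV(); // fresh random IV for every token
            byte[] data = Encoding.UTF8.GetBytes(plain);
            byte[] ct;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(data, 0, data.Length);
            byte[] token = new byte[16 + ct.Length + 32];
            Buffer.BlockCopy(aes.IV, 0, token, 0, 16);
            Buffer.BlockCopy(ct, 0, token, 16, ct.Length);
            byte[] tag = hmac.ComputeHash(token, 0, 16 + ct.Length); // MAC over IV || ciphertext
            Buffer.BlockCopy(tag, 0, token, 16 + ct.Length, 32);
            // URL-safe Base64: no '+', '/' or '=' for a query string to mangle.
            return Convert.ToBase64String(token).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }
    }

    // Throws CryptographicException or FormatException on a modified or malformed token.
    public static string Unprotect(string text, byte[] encKey, byte[] macKey)
    {
        string b64 = text.Replace('-', '+').Replace('_', '/');
        byte[] token = Convert.FromBase64String(b64.PadRight((b64.Length + 3) / 4 * 4, '='));
        int ctLen = token.Length - 48; // minus 16-byte IV and 32-byte tag
        if (ctLen < 16 || ctLen % 16 != 0) throw new CryptographicException("Bad token length.");
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
        using (Aes aes = Aes.Create())
        {
            byte[] expected = hmac.ComputeHash(token, 0, 16 + ctLen);
            int diff = 0; // compare all 32 tag bytes without an early exit
            for (int i = 0; i < 32; i++) diff |= expected[i] ^ token[16 + ctLen + i];
            if (diff != 0) throw new CryptographicException("Query string failed authentication.");
            aes.Key = encKey;
            byte[] iv = new byte[16];
            Buffer.BlockCopy(token, 0, iv, 0, 16);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(token, 16, ctLen));
        }
    }
}
```

The tag is verified before any decryption takes place, and a failure surfaces as an exception rather than as a string the caller might mistake for decrypted data.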

Page1.aspx: This page has three fields. When the user fills in the data and clicks the submit button, the data from the fields is retrieved, encrypted, and sent across to Page2.aspx. Here is the code to do so:

protected void btnSubmit_Click(object sender, EventArgs e)
{
    // Read the three form fields.
    string strName = txtName.Text;
    string strAge = txtAge.Text;
    string strPhone = txtPhone.Text;
    string strURL = "Page2.aspx?";
    if (HttpContext.Current != null)
    {
        // The whole "Name=..&Age=..&Phone=.." string is encrypted and becomes
        // the entire query string of the redirect URL.
        string strURLWithData = strURL +
          EncryptQueryString(string.Format("Name={0}&Age={1}&Phone={2}",
          strName, strAge, strPhone));
        HttpContext.Current.Response.Redirect(strURLWithData);
    }
}

// Encrypts the query string with the shared 8-character key.
public string EncryptQueryString(string strQueryString)
{
    EncryptDecryptQueryString objEDQueryString = new EncryptDecryptQueryString();
    return objEDQueryString.Encrypt(strQueryString, "r0b1nr0y");
}

Note in the above code snippet how the data is retrieved and encrypted using the key “r0b1nr0y”. You can use any key that is 8 characters in length for encryption, and use the same for decryption.

Page2.aspx: This page retrieves data from the URL, and decrypts the query string to get the original data. Here is the code snippet to do so:

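protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        // Everything after the '?' is the Base64 ciphertext produced by Page1.aspx.
        string strReq = Request.RawUrl;
        int queryStart = strReq.IndexOf('?');
        strReq = (queryStart >= 0) ? strReq.Substring(queryStart + 1) : "";

        if (!strReq.Equals(""))
        {
            strReq = DecryptQueryString(strReq);

            //Parse the value... this is done in a very raw format;
            //you can add loops or so to get the values out of the query string...
            string[] arrMsgs = strReq.Split('&');
            if (arrMsgs.Length < 3)
            {
                // Decrypt returns the exception message on failure, so a modified
                // or truncated query string ends up here instead of failing below.
                Response.Redirect("Page1.aspx");
                return;
            }
            string strName = GetValue(arrMsgs[0]);  //Get the Name
            string strAge = GetValue(arrMsgs[1]);   //Get the Age
            string strPhone = GetValue(arrMsgs[2]); //Get the Phone

            // Label.Text is written to the page as-is, so HTML-encode the values.
            lblName.Text = Server.HtmlEncode(strName);
            lblAge.Text = Server.HtmlEncode(strAge);
            lblPhone.Text = Server.HtmlEncode(strPhone);
        }
        else
        {
            Response.Redirect("Page1.aspx");
        }
    }
}

// Returns the text after the first '=' in a "key=value" pair, or "" if there is none.
private static string GetValue(string strPair)
{
    int pos = strPair.IndexOf('=');
    return (pos >= 0) ? strPair.Substring(pos + 1).Trim() : "";
}

// Decrypts the query string with the same key that Page1.aspx used.
private string DecryptQueryString(string strQueryString)
{
    EncryptDecryptQueryString objEDQueryString = new EncryptDecryptQueryString();
    return objEDQueryString.Decrypt(strQueryString, "r0b1nr0y");
}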

You can go through the attached project to get the entire solution and understand it better. Please note that the sample web application is developed using .NET 2008.

Conclusion

So, we now can send data using query strings in encrypted format and decrypt the same in the target page to get the original data. It will not be easy to tamper with the data in the query string, and hence the security and integrity of the application data is not compromised. Hope you enjoyed this article. Happy programming!!!

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Robin_Roy
Other Brilliance Information Sdn Bhd
Malaysia
Working as a Senior Consultant with Brilliance MSC, Malaysia.
Love to evaluate new technologies and implement the same.
Believe in sharing knowledge.

Comments and Discussions

 
General: Very Good - mohsen_sepehri-e-rad, 18-Jan-14 5:29
Question: Good One - venkatesun, 11-May-13 23:10
General: My vote of 5 - venkatesun, 11-May-13 23:05
General: My vote of 4 - R koyee, 3-Apr-13 13:19
Question: Data containing & and/or = characters breaks the code - jason2k, 28-Feb-13 19:57
General: My vote of 5 - Nilesh (Puna), 28-Feb-13 3:01
Question: Excellent - Member 8679933, 30-Jan-13 22:35
Question: Unable to have the decrypted string in the page 2 - hisam118-Dec-12 2:31
Followed the same code. From page1 to page2 the query string is encrypted, but unable to have the decrypted string in the second page. Please help. Thanks.
General: GOOD JOB - JeslynElena, 4-Dec-12 19:18
General: My vote of 5 - Michael Haephrati מיכאל האפרתי, 3-Dec-12 5:18
General: My vote of 5 - dhruti_desai, 1-Nov-12 3:22
Question: how to avoid generating + symbols in the Encrypted String - Jaytirtha, 28-Sep-12 3:24
Question: Question - Manuel_Perez_II, 13-Sep-11 23:06
General: My vote of 5 - RajendranK, 8-Aug-11 20:32
General: thx - hamdynassar, 8-May-11 1:47
General: My vote of 4 - webcolin, 3-Mar-11 3:35
General: Excellent - Pranay Rana, 2-Jan-11 19:14
General: My vote of 4 - swapnil56, 30-Dec-10 1:06
General: Secure Utility - thatraja, 15-Jan-10 21:20
General: Re: Secure Utility - Robin_Roy, 17-Jan-10 15:58
General: My vote of 1 - nishit123, 20-Oct-09 19:48
General: Nice One and Very Useful - rahulthecoder, 2-Sep-09 18:38
General: Re: Nice One and Very Useful - Robin_Roy, 6-Sep-09 17:49
General: Practical, Nice - prithvidutta, 1-Sep-09 16:03
General: Re: Practical, Nice - Robin_Roy, 6-Sep-09 17:48
General: Good Article - arvindcoolest, 10-Aug-09 17:16
General: Re: Good Article - Robin_Roy, 17-Aug-09 15:47
General: My Vote of 5 - brown20, 10-Aug-09 16:42
General: Re: My Vote of 5 - Robin_Roy, 17-Aug-09 15:47
General: My vote of 2 - Matt Palmer, 16-Feb-09 2:46
General: Confidentiality != Integrity - Matt Palmer, 16-Feb-09 2:15
General: Re: Confidentiality != Integrity - HaBiX, 17-May-11 22:57
General: My vote of 1 - Qistoph, 15-Feb-09 20:26

Last Updated 13 Feb 2009
Article Copyright 2009 by Robin_Roy