
Tamper Proof Query String

22 Feb 2005CPOL3 min read 195.5K   1.1K   65  
Shows how to prevent/detect that string data was changed.
<%@ Page Language="VB" %>
<script runat="server">

    'Secret key used to compute and verify the MAC on every token this page issues.
    'Anyone who learns this value can mint tokens that TamperProofStringDecode accepts.
    'NOTE(review): the literal below is a sample placeholder. A deployed page should use
    'a long random value kept out of source control, for example loaded from
    'configuration as in the commented-out alternative below.
    'Could be read from web.config
	Private TamperProofKey As String = "YourUglyRandomKeyLike-lkj54923c478"
	'or ... TamperProofKey As String = ConfigurationSettings.AppSettings("TamperProofKey")

	'Page load handler. On the initial (non-postback) request it verifies the
	'"Data" query-string token and shows either the verified text or a fixed
	'status message in the ShowData text box.
	Sub Page_Load(ByVal source As Object, ByVal e As EventArgs)

		'A redirect back to this page arrives as a fresh request, not a postback.
		If IsPostBack() Then
			Return
		End If

		Dim token As String = Request.QueryString("Data")
		Dim displayText As String

		If token Is Nothing Then
			'No "Data" parameter was supplied at all.
			displayText = "!!No data passed!!"
		Else
			Try
				'Only text whose MAC verifies under TamperProofKey is accepted.
				'(QueryStringDecode(token) is the equivalent shorthand.)
				displayText = TamperProofStringDecode(token, TamperProofKey)
			Catch ex As Exception
				'Any decode failure is treated as tampering; the raw,
				'unverified query-string value is never displayed.
				displayText = "!!Data was corrupt!!"
			End Try
		End If

		'Show the result on the web page.
		ShowData.Text = displayText
	End Sub

    'Click handler for the Submit button: signs the text typed into InputData and
    'redirects to this same page with the signed token in the "Data" parameter.
    'Note that this demo signs whatever the visitor types, so the page itself will
    'issue a valid token for any text; a real page would sign only server-chosen values.
    Sub Submit_Click(source as object, e as eventargs)
        'Sign first (QueryStringEncode(InputData.Text) would do both steps at once) ...
        Dim signedToken As String = TamperProofStringEncode(InputData.Text, TamperProofKey)

        '... then URL-encode, because Base64 output can contain "+", "/" and "=".
        Dim target As String = "TamperProofQueryString.aspx?Data=" & HttpUtility.UrlEncode(signedToken)

        Response.Redirect(target)
    End Sub
	
	
	

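    'Token format produced and consumed by the two functions below:
    '    Base64(UTF-8 bytes of the text) & "-" & Base64(HMAC-SHA256 tag of those bytes)
    '"-" is not in the standard Base64 alphabet, so it cannot occur inside either half.
    '
    'What this gives you, and what it does not:
    '  * The text is authenticated, NOT encrypted: anyone holding the token can
    '    Base64-decode and read it. Do not put secrets in it.
    '  * A valid token stays valid forever and for every visitor. If that matters,
    '    include an expiry time and a user/session identifier in the signed text
    '    and check them after decoding.
    '
    'Changes from the earlier MACTripleDES version of this sample:
    '  * HMAC-SHA256 replaces MACTripleDES keyed with an MD5 digest. The old tag was
    '    only 64 bits long and built on legacy primitives.
    '  * The tags are compared as bytes. The old code converted both tags to strings
    '    with UTF8.GetString before comparing; raw tag bytes are not valid UTF-8, so
    '    many different tags collapsed to the same string and were accepted as equal.
    '  * Tokens issued by the old version no longer verify, because the tag algorithm
    '    changed. Encode and Decode must always be replaced together.

    'Computes the HMAC-SHA256 tag of data under the given key string.
    'Rejects a missing or empty key, which would make the tag forgeable by anyone.
    Private Function TamperProofComputeMac(ByVal data As Byte(), ByVal key As String) As Byte()
        If key Is Nothing Then
            Throw New ArgumentNullException("key")
        End If
        If key.Length = 0 Then
            Throw New ArgumentException("A non-empty key is required", "key")
        End If

        Using mac As New System.Security.Cryptography.HMACSHA256(System.Text.Encoding.UTF8.GetBytes(key))
            Return mac.ComputeHash(data)
        End Using
    End Function

    'Compares two byte arrays without stopping at the first difference, so the
    'time taken does not reveal how many leading tag bytes were correct.
    Private Function TamperProofBytesEqual(ByVal a As Byte(), ByVal b As Byte()) As Boolean
        If a.Length <> b.Length Then
            Return False
        End If

        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    'Function to encode the string
    'value: text to protect (must not be Nothing). key: secret MAC key (must not be empty).
    'Returns the token in the format described above. The result still has to be
    'URL-encoded before it is placed in a query string.
    Function TamperProofStringEncode(ByVal value As String, ByVal key As String) As String
        If value Is Nothing Then
            Throw New ArgumentNullException("value")
        End If

        Dim payload As Byte() = System.Text.Encoding.UTF8.GetBytes(value)
        Dim tag As Byte() = TamperProofComputeMac(payload, key)

        Return Convert.ToBase64String(payload) & "-"c & Convert.ToBase64String(tag)
    End Function

    'Function to decode the string
    'value: token as produced by TamperProofStringEncode (already URL-decoded).
    'key: the same secret key that was used to encode.
    'Returns the original text.
    'Throws an ArgumentException if the token is malformed or its tag does not match.
    Function TamperProofStringDecode(ByVal value As String, ByVal key As String) As String
        If value Is Nothing Then
            Throw New ArgumentException("Invalid TamperProofString")
        End If

        'A well-formed token has exactly one separator.
        Dim parts As String() = value.Split("-"c)
        If parts.Length <> 2 Then
            Throw New ArgumentException("Invalid TamperProofString")
        End If

        Dim payload As Byte() = Nothing
        Dim storedTag As Byte() = Nothing
        Try
            payload = Convert.FromBase64String(parts(0))
            storedTag = Convert.FromBase64String(parts(1))
        Catch ex As FormatException
            Throw New ArgumentException("Invalid TamperProofString")
        End Try

        'Verify the tag over the raw payload bytes before interpreting them as text.
        Dim expectedTag As Byte() = TamperProofComputeMac(payload, key)
        If Not TamperProofBytesEqual(storedTag, expectedTag) Then
            'Same message for every failure so the caller learns nothing about why.
            Throw New ArgumentException("Invalid TamperProofString")
        End If

        Return System.Text.Encoding.UTF8.GetString(payload)

    End Function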

   'Two helper functions to make things easier.
	'Convenience wrapper: signs value with the page-level TamperProofKey and
	'URL-encodes the token so it can be appended directly to a query string.
	Function QueryStringEncode(ByVal value As String) As String
		Dim signedToken As String = TamperProofStringEncode(value, TamperProofKey)
		Return HttpUtility.UrlEncode(signedToken)
	End Function

    'Convenience wrapper: verifies a token with the page-level TamperProofKey and
    'returns the protected text. It performs no URL decoding itself, so it expects
    'the token as already decoded (the page passes Request.QueryString values to it).
    'Any exception from TamperProofStringDecode propagates to the caller.
    Function QueryStringDecode(ByVal value As String) As String
        Dim verifiedText As String = TamperProofStringDecode(value, TamperProofKey)
        Return verifiedText
    End Function


</script>
<html>
<head>
</head>
<body>
    <form runat="server">
        <b>Data received from query string:</b>
        <br />
        <asp:TextBox id="ShowData" runat="server" ReadOnly="True" TextMode="MultiLine" Rows="2" Columns="80"></asp:TextBox>
        <br />
        <br />
        <b>Enter data to be transmitted by query string:</b>
        <br />
        <asp:TextBox id="InputData" runat="server" Text="Test Data"></asp:TextBox>
        <asp:Button id="Submit" onclick="Submit_Click" runat="server" Text="Submit"></asp:Button>
        <br />
        <br />
        <!-- how to use as hyperlink -->
        <a href='TamperProofQueryString.aspx?Data=<%= HttpUtility.UrlEncode(TamperProofStringEncode("This data was stored in the hyperlink.", TamperProofKey)) %>'>HyperLink With Predefined Data</a><br/>
        <a href='TamperProofQueryString.aspx?Data=<%= QueryStringEncode("Different set of data. Using helper function.") %>'>HyperLink With Predefined Data (using helper function)</a>
    </form>
</body>
</html>


License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Web Developer
United States United States