Click here to Skip to main content
13,352,408 members (60,933 online)
Click here to Skip to main content
Add your own
alternative version


42 bookmarked
Posted 6 Sep 2007

WebRequest Parameter Utility

, 6 Sep 2007
Rate this:
Please Sign up or sign in to vote.
A library used to encapsulate web request parameters to keep them from prying eyes and to prevent injection of unwanted data.


The WebParam class is used to encapsulate one or more web request parameters into a single request parameter. This class also provides security using message authentication to ensure that the transported data has not been tampered with during transport.

Normally, a web request with parameters looks like this:

In this example, use can change the value (since this is visible in the address bar of the web browser) of ID or name before actually performing the request. An additional precautionary measure will then be needed just to address this kind of situation.

Using the the ParamUtils.WebParam class, a web address will be displayed like this:

Any changes on the value of the parameter "data" will raise an exception, signifying that the data has been tampered. This eliminates the chance of tampering the data from the referring page before it is passed to the consumer page.

Using the Code

To use the code, add a reference to ParamUtils.dll on your web application project. This library contains the ParamUtils.WebParam class.

These are the two public methods that can be used in this class:

  • Encode(System.Web.UI.Pair[])
  • GetQuery(string, string)

The example below shows how to use the Encode method:

public partial class _Default : System.Web.UI.Page 
    protected void Page_Load(object sender, EventArgs e)
        if (!IsPostBack)
            hl.NavigateUrl = "Default2.aspx?data=" + 
            ParamUtils.WebParam.Encode(new Pair("id", "1234"), 
            new Pair("name", "jasmine"));

As you can see, the ParamUtils.WebParam.Encode method can accept zero or more Pair parameters. Please take note that the ParamUtils.WebParam.Encode class uses Pair.First to store the name of the request parameter and Pair.Second to store the value of the request parameter.

To retrieve the value of the request parameters passed through the ParamUtils.WebParam.Encode method, the method ParamUtils.WebParam.GetQuery will be used. See the example below:

public partial class Default2 : System.Web.UI.Page
    protected void Page_Load(object sender, EventArgs e)
        if (!IsPostBack)
                Response.Write("ID: " + 
                  Request.Params["data"].ToString(), "id") + "<br>");
                Response.Write("Name: " +
                  Request.Params["data"].ToString(), "name") + "<br>");
            catch (ArgumentException ex)
                Response.Write("Argument Exception caught: " + ex.Message);
            catch (Exception ex)
                Response.Write("General Exception caught: " + ex.Message);

ParamUtils.WebParam.GetQuery throws an ArgumentException when the query name is not found in the request parameter. It also throws a general Exception with the message "Invalid query string" when the data has been changed and/or corrupted during transport. This ensures that the data from the referring page is not modified before being passed to the consumer page.

Points of Interest

The WebParam class uses System.Security.Cryptography.MACTripleDES and System.Security.Cryptography.MD5CryptoServiceProvider to encode the request parameter values. The value of the Key property of MACTripleDES comes from the MD5 hash of a public property HashKey. You can specify the value of this key anywhere, as long as the assignment is done before the actual use of Encode and GetQuery. I suggest that you put it inside the global.asax inside Application_Start. See the sample below:

void Application_Start(object sender, EventArgs e) 
    ParamUtils.WebParam.HashKey = ConfigurationManager.AppSettings["key"];

If you are too lazy to provide a HashKey value ;-), don't worry, WebParam just uses the default value. Also, please take note that the HashKey value should not be changed between calls to Encode and GetQuery.

Encryption of the key values in the config file is not covered in this article; you can find some ideas on the following links:


This article includes ideas from some code snippets from the public domain. Some ideas also sparked from an article in 4guysfromrolla.


  • September 6, 2007 - Initial version.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Software Developer (Senior)
United States United States
I am working as as a full-time Software Developer in Downtown DC Area

You may also be interested in...

Comments and Discussions

QuestionLenght limitations? Pin
arslantik13-Sep-07 2:19
memberarslantik13-Sep-07 2:19 
AnswerRe: Length limitations? Pin
/randz13-Sep-07 14:52
member/randz13-Sep-07 14:52 
On your first question, yes, when you have too many pairs used, the query string will be long. But it is also the same when you are not using this class when passing too many request parameters. Imagine having
and so on. That is, the more parameters you pass, the longer your query string.

On your second question, yes, this supports all characters (even html tags) since the strings are UrlEncoded before using as request parameter and UrlDecoded when values are being retrieved. You can have something like this:
new Pair("paragraph", "<p>this is a & paragraph</p>")
as one of your Pair parameters, and you can retrieve the exact value when you call the ParamUtils.WebParam.GetQuery method. Care is needed when displaying values that contains html tags since they will be interpreted by the browser as legit html tags and will be processed as such.

Remember, your work is not yours alone. Somewhere, there are some codes written by others amongst us that depends on your work. By failing to see that you are part of their ecosystem, you are bound to break their code.

GeneralWebRequest Pin
Fregate11-Sep-07 3:18
memberFregate11-Sep-07 3:18 
GeneralRe: WebRequest Pin
/randz11-Sep-07 15:26
member/randz11-Sep-07 15:26 
GeneralI love it! Pin
fredde_d11-Sep-07 2:49
memberfredde_d11-Sep-07 2:49 
General10 Pin
domenech11-Sep-07 2:36
memberdomenech11-Sep-07 2:36 
GeneralGood Idea Pin
merlin9817-Sep-07 5:52
membermerlin9817-Sep-07 5:52 
QuestionCan you hide the query string? Pin
toticow7-Sep-07 0:02
membertoticow7-Sep-07 0:02 
AnswerRe: Can you hide the query string? Pin
/randz9-Sep-07 17:12
member/randz9-Sep-07 17:12 
GeneralHi! Pin
ollli_janssen6-Sep-07 21:20
memberollli_janssen6-Sep-07 21:20 
GeneralRe: Hi! Pin
/randz6-Sep-07 22:24
member/randz6-Sep-07 22:24 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web03 | 2.8.180111.1 | Last Updated 7 Sep 2007
Article Copyright 2007 by /randz
Everything else Copyright © CodeProject, 1999-2018
Layout: fixed | fluid