Nov 11 2008
Parsing query string in ASP.NET safely
Both ASP.NET code-behind languages (C# and Visual Basic .NET) are statically typed: type checking happens at compile time, not at run time as in dynamically typed languages such as PHP, Perl, Python and Ruby. That makes validating and parsing query string values a little more work in ASP.NET, because every value in Request.QueryString arrives as a String no matter what the page expects. Converting it to the intended type is exactly where the validation has to happen.
For instance, take the URL: http://somedomain.com/Default.aspx?QueryStringInt=2
It has a single query string parameter, QueryStringInt, which is expected to be an Int32. In the simple case it would be enough to convert it with
Int32.Parse(Request.QueryString["QueryStringInt"]);
But what if someone manipulates the URL to: http://somedomain.com/Default.aspx?QueryStringInt=a
Int32.Parse throws a FormatException (an ArgumentNullException if the parameter is missing altogether, an OverflowException if the number does not fit in 32 bits), and unless it is caught the request ends in an unhandled-exception error page.

This can be avoided with a simple technique. Consider the code below:
    private int _queryStringInt;
    public int QueryStringInt
    {
        get
        {
            // TryParse never throws and already yields the parsed value, so there is
            // no need to call Parse a second time. On failure (missing, non-numeric or
            // out of range) it sets the out parameter to 0, which is the default here.
            // If "missing" must be distinguishable from a real 0, return int? and null.
            int.TryParse(Request.QueryString["QueryStringInt"], out _queryStringInt);
            return _queryStringInt;
        }
    }

    public string QueryStringDefault
    {
        get
        {
            // A missing parameter is null, an empty one is ""; treat both as "".
            string value = Request.QueryString["QueryStringDefault"];
            return string.IsNullOrEmpty(value) ? string.Empty : value;
        }
    }

    private Guid _queryStringGuid;
    public Guid QueryStringGuid
    {
        get
        {
            // Guid.TryParse only exists from .NET 4 onward; on .NET 3.5 the constructor
            // is the only option, so the failure cases have to be caught explicitly.
            string raw = Request.QueryString["QueryStringGuid"];
            if (raw == null)
            {
                return Guid.Empty; // same as new Guid("00000000000000000000000000000000")
            }
            try
            {
                _queryStringGuid = new Guid(raw);
            }
            catch (FormatException)
            {
                _queryStringGuid = Guid.Empty;
            }
            catch (OverflowException)
            {
                _queryStringGuid = Guid.Empty;
            }
            return _queryStringGuid;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.Write(QueryStringInt + "<br/>");
        // QueryStringDefault is attacker-controlled text: encode it before writing it
        // into the page, otherwise ?QueryStringDefault=<script>... is reflected XSS.
        Response.Write(Server.HtmlEncode(QueryStringDefault) + "<br/>");
        Response.Write(QueryStringGuid + "<br/>");
    }
If a query string value is not of the expected type there is no longer an error; a default value is used instead. Two caveats: the default has to be safe for the page's own logic (0 or Guid.Empty must not accidentally select a real record), and a type check is not an authorization check, so a well-formed ID still has to be one the current user is allowed to see.
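The same idea generalized, as an added example that is not part of the original post: a small typed reader over a NameValueCollection, so the rules (default on failure, numeric range, Guid, enum, bounded free text) can be exercised offline with HttpUtility.ParseQueryString and dropped into Page_Load with Request.QueryString unchanged. It assumes .NET 4 or later for Guid.TryParse and Enum.TryParse, a reference to System.Web, and the SortOrder enum and the sample query strings are constructed for the demo.

```csharp
// Added example, not the original post's code. Assumes .NET 4+ (Guid.TryParse,
// Enum.TryParse) and a reference to System.Web for HttpUtility.
using System;
using System.Collections.Specialized;
using System.Globalization;
using System.Web;

// Hypothetical enum standing in for any "one of a fixed set" parameter.
public enum SortOrder { Ascending, Descending }

public sealed class QueryStringReader
{
    private readonly NameValueCollection _values;

    // Pass Request.QueryString in a page, or HttpUtility.ParseQueryString(...) in a test.
    public QueryStringReader(NameValueCollection values)
    {
        _values = values ?? new NameValueCollection();
    }

    // Int32 with a default and an inclusive range. NumberStyles.Integer with the
    // invariant culture rejects "1,000", "1.5" and "0x1f" regardless of server locale.
    public int GetInt32(string key, int defaultValue, int min, int max)
    {
        int result;
        if (!int.TryParse(_values[key], NumberStyles.Integer,
                          CultureInfo.InvariantCulture, out result))
            return defaultValue;
        return (result < min || result > max) ? defaultValue : result;
    }

    // Guid.Empty is the "missing or invalid" sentinel, as in the post.
    public Guid GetGuid(string key)
    {
        Guid result;
        return Guid.TryParse(_values[key], out result) ? result : Guid.Empty;
    }

    // Case-sensitive enum names only. Enum.TryParse accepts numeric strings such
    // as "7" and yields an undefined value; the IsDefined check rejects those.
    public TEnum GetEnum<TEnum>(string key, TEnum defaultValue) where TEnum : struct
    {
        TEnum result;
        if (Enum.TryParse<TEnum>(_values[key], false, out result) &&
            Enum.IsDefined(typeof(TEnum), result))
            return result;
        return defaultValue;
    }

    // Free text: length-bounded here, HTML-encoded at the point of output.
    public string GetText(string key, int maxLength)
    {
        string value = _values[key] ?? string.Empty;
        return value.Length > maxLength ? value.Substring(0, maxLength) : value;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample inputs, not captured traffic.
        string[] samples =
        {
            "QueryStringInt=2&QueryStringGuid=9f1c2b7e-0d3a-4b6f-8e2a-1c5d7e9f0a11&Sort=Descending",
            "QueryStringInt=a&QueryStringGuid=not-a-guid&Sort=7",
            "QueryStringInt=99999999999&QueryStringDefault=<script>alert(1)</script>",
        };

        foreach (string sample in samples)
        {
            var q = new QueryStringReader(HttpUtility.ParseQueryString(sample));
            Console.WriteLine("{0}\n  int={1} guid={2} sort={3} text={4}",
                sample,
                q.GetInt32("QueryStringInt", 0, 1, 1000),   // 2, 0, 0
                q.GetGuid("QueryStringGuid"),               // the guid, Empty, Empty
                q.GetEnum("Sort", SortOrder.Ascending),     // Descending, Ascending, Ascending
                HttpUtility.HtmlEncode(q.GetText("QueryStringDefault", 64)));
        }
    }
}
```

One behaviour worth knowing: NameValueCollection joins duplicate keys with a comma, so ?QueryStringInt=1&QueryStringInt=2 reads back as "1,2", which TryParse rejects and the reader turns into the default. If a duplicated parameter should be treated as an error rather than silently defaulted, check _values.GetValues(key).Length == 1 first.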
[Screenshot: Invalid Type Query Strings - Query String Values]

[Screenshot: Valid Type Query Strings - Query String Values]