Prajwal Tuladhar’s Blog
 
programming, life and some random thoughts

Nov 11 2008

Parsing query string in ASP.NET safely

Published by Prajwal Tuladhar under ASP.NET, C#

Both of the code-behind languages for ASP.NET (C# and Visual Basic .NET) are statically typed, so type checking happens at compile time rather than at run time as it does in dynamically typed languages such as PHP, Perl, Python and Ruby. This makes validating and parsing the query string for ASP.NET pages a little more work. Every ASP.NET query-string value is a String by default, and it has to be parsed to obtain the appropriate data type.

For instance lets take a URL: http://somedomain.com/Default.aspx?QueryStringInt=2

It has a single query-string parameter named QueryStringInt, which is expected to hold an Int32. In the normal case it would be enough to convert it to an integer with

Int32.Parse(Request.QueryString["QueryStringInt"]);

But what if someone manipulates the URL like this: http://somedomain.com/Default.aspx?QueryStringInt=a

Then Int32.Parse would throw, and the request would end in an error.

This condition can be avoided with a simple technique. Consider the code below:

    using System;
    using System.Web;
    using System.Web.UI;

    // Code-behind for Default.aspx: each property parses its query-string value
    // and falls back to a default instead of throwing.
    public partial class _Default : Page
    {
        private int _queryStringInt;
        public int? QueryStringInt
        {
            get
            {
                // TryParse already yields the value; there is no need to parse it a second time.
                return int.TryParse(Request.QueryString["QueryStringInt"], out _queryStringInt)
                    ? _queryStringInt : 0;
            }
        }

        public string QueryStringDefault
        {
            get
            {
                // A missing key returns null; treat null and "" the same way.
                return string.IsNullOrEmpty(Request.QueryString["QueryStringDefault"])
                    ? "" : Request.QueryString["QueryStringDefault"];
            }
        }

        private Guid _queryStringGuid;
        public Guid QueryStringGuid
        {
            get
            {
                try
                {
                    // new Guid(string) throws on a missing (null) or malformed value.
                    _queryStringGuid = new Guid(Request.QueryString["QueryStringGuid"]);
                }
                catch (FormatException)
                {
                    _queryStringGuid = Guid.Empty;
                }
                catch (ArgumentNullException)
                {
                    _queryStringGuid = Guid.Empty;
                }
                catch (OverflowException)
                {
                    _queryStringGuid = Guid.Empty;
                }
                return _queryStringGuid;
            }
        }

        protected void Page_Load(object sender, EventArgs e)
        {
            Response.Write(QueryStringInt + "<br/>");
            // QueryStringDefault echoes caller-supplied text, so encode it before writing it to the page.
            Response.Write(HttpUtility.HtmlEncode(QueryStringDefault) + "<br/>");
            Response.Write(QueryStringGuid + "<br/>");
        }
    }

If a query-string value is not of the expected data type, no error is raised; instead a default value is assigned in that situation.
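The same idea written as a reusable helper that adds what the properties above leave out: a range check on the integer, Guid.TryParse in place of the three catch blocks, and an allow-list for string values whose use must be constrained. This is an added example, not code from the original post; it assumes .NET 4.0 or later (Guid.TryParse, optional parameters), and the class and method names are my own.

```csharp
using System;
using System.Collections.Specialized;
using System.Globalization;

// Hypothetical helper (not from the post): reads typed values from
// Request.QueryString without exceptions and applies defaults and checks.
public static class QueryStringReader
{
    // Returns the parsed integer when it is present, well formed and within
    // [min, max]; otherwise the supplied default. The culture is pinned so that
    // locale-specific formats cannot change the result.
    public static int GetInt(NameValueCollection qs, string key, int defaultValue,
                             int min = int.MinValue, int max = int.MaxValue)
    {
        int value;
        if (int.TryParse(qs[key], NumberStyles.Integer, CultureInfo.InvariantCulture, out value)
            && value >= min && value <= max)
        {
            return value;
        }
        return defaultValue;
    }

    // A missing (null) or malformed value yields Guid.Empty, which the caller
    // can test for before using it as a lookup key.
    public static Guid GetGuid(NameValueCollection qs, string key)
    {
        Guid value;
        return Guid.TryParse(qs[key], out value) ? value : Guid.Empty;
    }

    // Free-form strings cannot be "parsed safe"; where the set of valid values
    // is known, accept only those and fall back to the default otherwise.
    public static string GetChoice(NameValueCollection qs, string key,
                                   string defaultValue, params string[] allowed)
    {
        string raw = qs[key];
        return (raw != null && Array.IndexOf(allowed, raw) >= 0) ? raw : defaultValue;
    }
}

// Usage from a page (constructed example):
//   int page = QueryStringReader.GetInt(Request.QueryString, "page", 1, 1, 1000);
//   Guid id  = QueryStringReader.GetGuid(Request.QueryString, "id");
//   string sort = QueryStringReader.GetChoice(Request.QueryString, "sort", "date", "date", "name");
```

Any string value that is echoed back to the page, allow-listed or not, still needs HttpUtility.HtmlEncode at the point of output.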

[Screenshot: Invalid Type Query Strings, showing the resulting Query String Values]

[Screenshot: Valid Type Query Strings, showing the resulting Query String Values]

Jul 18 2008

ASP.NET MVC Preview 4 Released

Published by Prajwal Tuladhar under .NET, Links

Microsoft has released ASP.NET MVC Preview 4. It is one of the most awaited releases, since it is Microsoft’s first attempt at an MVC-based framework (as opposed to Web Forms). It can be downloaded from CodePlex.

Useful Links:
