URL parameters or query strings are often used to carry information that can be used by hackers to do identity theft or other unpleasant things. Consider the URL example.com/?user=123&account=456 and then imaging what a hacker could do with it. Security or not, sometimes you just don’t want the visitors to see all the query strings for whatever reason.

In those cases it would be nice if we could encrypt the entire query string so it wouldn’t carry any readable information. The problem with one big encrypted query string is that we would break all the code that referenced the query. Code like Request.QueryString["user"] would no longer work, but as usual ASP.NET has the answer to that problem.

What we need is an HttpModule that can turn the encrypted query string into a normal readable one, so that we can still use our old logic like Request.QueryString["user"]. In other words, we want the user to see this

?enc=VXzal017xHwKKPolDWQJoLACDqQ0fE//wGkgvRTdG/GgXIBDd1

while your code sees this

?user=123&account=456.

The HttpModule

The module we need for this task must be able to do a few simple things. It must be able to encrypt the regular query string so that all your current links will automatically be encrypted. It must also be able to decrypt it again so that you can write the code as you normally would. It must also provide a method for encrypting a regular query string if you don’t want to use automatic encryption.

The most important feature of the module is to make it totally plug ‘n play. You should be able to apply the module to any existing website and automatically have query string encryption and decryption without changing any of your code.

Implementation

Download the QueryStringModule.cs below and put it in the App_Code folder of your website. Then add the following lines to the web.config’s <system.web> section:

< httpModules >

  < add type = " QueryStringModule " name = " QueryStringModule " />

</ httpModules >

Because automatic encryption is not always desirable the module has a comment that tells you how to turn it off. The module is well commented and should be easy to modify for any ASP.NET developer.

Example

You can encrypt query strings by using the Encrypt() method of the module from any web page or user control.

string query = QueryStringModule .Encrypt( "user=123&account=456" );

Then just add the encrypted query string to the links that need encryption. You don't need to use the method if you use automatic encryption.

Download

QueryStringModule.zip (1,55 KB)

Whenever you use a Button or LinkButton it is because you want to be able to do a postback when it is clicked. The same could be the case for CheckBox or DropDownList etc. but then you need to set the AutoPostback property to true. It all works very much the same way from a user’s point of view - click or select and the page performs a postback.

However, in some cases you want to be able to do a postback from a custom JavaScript function that emulates the click of an e.g. LinkButton. That is very simple to do so, but did you know that you also can send custom information via such a postback?

Example

The following LinkButton calls the server-side event handler OnSaveClick.

<asp:LinkButton runat="Server" ID="btnSave" Text="Save" OnClick="OnSaveClick" />

This is pretty much standard and no tricks have been used so far. Now we need the JavaScript method that forces the LinkButton to do a postback that calls the server-side method OnSaveClick.

<script type="text/javascript">

function SaveWithParameter(parameter)

{

  __doPostBack('btnSave ', parameter)

}

</script>

Notice that the function takes a parameter that it sends to the __doPostBack function. All we need to do now is to call the SaveWithParamter function from JavaScript.

>

SaveWithParameter("Hello world!");

Now the page performs a postback and we can now access the “Hello world!” string that we sent as a parameter from within the OnSaveClick event handler.

protected void OnSaveClick(object sender, EventArgs e)

{

  string parameter = Request["__EVENTARGUMENT"];

}

What we just did was to perform a postback from a custom JavaScript function and send a parameter to the server-side event handler. It sounds a lot harder than it is, right?

>

In ASP.NET 2.0 you have to set the EnableEventValidation="false" attribute in the page declaration or in web.config to make it work.