ASP.NET Client Side State Management – Query Strings
Continuing the tour in the ASP.NET client side state management our
current stop is the query string technique.
You can read my previous posts in the state management subject in
the following links:
What are Query Strings?
Query strings are data that is appended to the end of a page URL.
They are commonly used to hold data like page numbers or search terms
or other data that isn’t confidential. Unlike ViewState and hidden fields, the
user can see the values which the query string holds without using special
operations like View Source.
An example of a query string can look like http://www.srl.co.il?a=1;b=2.
Query strings are included in bookmarks and in URLs that you pass in
an e-mail. They are the only way to save a page state when copying
and pasting a URL.
The Query String Structure
As written earlier, query strings are appended to the end of a URL.
First a question mark is appended to the URL’s end and then every
parameter that we want to hold in the query string. The parameters
declare the parameter name followed by = symbol which followed by the
data to hold. Every parameter is separated with the ampersand symbol.
You should always use the HttpUtility.UrlEncode method on the data
itself before appending it.
Query String Limitations
You can use query string technique when passing from one page to
another but that is all. If the first page need to pass non secure data to
the other page it can build a URL with a query string and then redirect.
You should always keep in mind that a query string isn’t secure and
therefore always validate the data you received.
There are a few browser limitation when using query strings.
For example, there are browsers that impose a length limitation
on the query string. Another limitation is that query strings are passed
only in HTTP GET command.
How To Use Query Strings
When you need to use a query string data you do it in the following way:
string queryStringData = Request.QueryString[“data”];
In the example I extract a data query string. The structure of the
URL can look like url?data=somthing. After getting to data parameter
value you should validate it in order not to enable security breaches.
The next example is a code to help inject a query string into a URL:
public string BuildQueryString(string url, NameValueCollection parameters)
StringBuilder sb = new StringBuilder(url);
IEnumerator enumerator = parameters.GetEnumerator();
// get the current query parameter
string key = enumerator.Current.ToString();
// insert the parameter into the url
// remove the last ampersand
sb.Remove(sb.Length – 1, 1);
To sum up the post, query string is another ASP.NET client side state
management technique. It is most helpful for page number state or
search terms. The technique isn’t secured so avoid using it with confidential