How to Encode/Decode (URL Encode) QueryString in ASP.NET?


Method 1:


HttpModule for query string encryption

URL parameters or query strings are often used to carry information that can be used by hackers to do identity theft or other unpleasant things. Consider the URL example.com/?user=123&account=456 and then imaging what a hacker could do with it. Security or not, sometimes you just don’t want the visitors to see all the query strings for whatever reason.

In those cases it would be nice if we could encrypt the entire query string so it wouldn’t carry any readable information. The problem with one big encrypted query string is that we would break all the code that referenced the query. Code like Request.QueryString[“user”] would no longer work, but as usual ASP.NET has the answer to that problem.

What we need is an HttpModule that can turn the encrypted query string into a normal readable one, so that we can still use our old logic like Request.QueryString[“user”]. In other words, we want the user to see this

?enc=VXzal017xHwKKPolDWQJoLACDqQ0fE//wGkgvRTdG/GgXIBDd1

while your code sees this

?user=123&account=456.

The HttpModule

The module we need for this task must be able to do a few simple things. It must be able to encrypt the regular query string so that all your current links will automatically be encrypted. It must also be able to decrypt it again so that you can write the code as you normally would. It must also provide a method for encrypting a regular query string if you don’t want to use automatic encryption.

The most important feature of the module is to make it totally plug ‘n play. You should be able to apply the module to any existing website and automatically have query string encryption and decryption without changing any of your code.

Implementation

Download the QueryStringModule.cs below and put it in the App_Code folder of your website. Then add the following lines to the web.config’s <system.web> section:

< httpModules >

< add type = QueryStringModule name = QueryStringModule />

</ httpModules >

Because automatic encryption is not always desirable the module has a comment that tells you how to turn it off. The module is well commented and should be easy to modify for any ASP.NET developer.

Example

You can encrypt query strings by using the Encrypt() method of the module from any web page or user control.

string query = QueryStringModule .Encrypt( “user=123&account=456” );

Then just add the encrypted query string to the links that need encryption. You don’t need to use the method if you use automatic encryption.

Source:
http://madskristensen.net/post/HttpModule-for-query-string-encryption.aspx
Method 2:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web.Security;
using System.Security.Cryptography;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.IO;
public class EncryptDecryptQueryString
{
private byte[] key = { };
private byte[] IV = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xab, 0xcd, 0xef };

public string Decrypt(string stringToDecrypt, string sEncryptionKey)
{
byte[] inputByteArray = new byte[stringToDecrypt.Length + 1];
try

{

key = System.Text.Encoding.UTF8.GetBytes(sEncryptionKey);
DESCryptoServiceProvider des = new DESCryptoServiceProvider();
inputByteArray = Convert.FromBase64String(stringToDecrypt);
MemoryStream ms = new MemoryStream();
CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(key, IV), CryptoStreamMode.Write);
cs.Write(inputByteArray, 0, inputByteArray.Length);
cs.FlushFinalBlock();
System.Text.Encoding encoding = System.Text.Encoding.UTF8;
return encoding.GetString(ms.ToArray());
}
catch (Exception e)
{
return e.Message;
}
}

public string Encrypt(string stringToEncrypt, string SEncryptionKey)
{
try
{
key = System.Text.Encoding.UTF8.GetBytes(SEncryptionKey);
DESCryptoServiceProvider des = new DESCryptoServiceProvider();
byte[] inputByteArray = Encoding.UTF8.GetBytes(stringToEncrypt);
MemoryStream ms = new MemoryStream();
CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(key, IV), CryptoStreamMode.Write);
cs.Write(inputByteArray, 0, inputByteArray.Length);
cs.FlushFinalBlock();
return Convert.ToBase64String(ms.ToArray());
}
catch (Exception e)
{
return e.Message;
}
}

public string EncryptQueryString(string strQueryString)
{
EncryptDecryptQueryString objEDQueryString = new EncryptDecryptQueryString();
return objEDQueryString.Encrypt(strQueryString, “r0b1nr0y”);
//return objEDQueryString.Encrypt(strQueryString, “shekhar1”);
}

/*
How to use
protected void btnSubmit_Click(object sender, EventArgs e)
{
string strName = “”, strAge = “”, strPhone = “”;
strName = txtName.Text;
strAge = txtAge.Text;
strPhone = txtPhone.Text;

string strURL = “Page2.aspx?”;
if (HttpContext.Current != null)
{
string strURLWithData = strURL + enqs.EncryptQueryString(string.Format(“Name={0}&Age={1}&Phone={2}”, strName, strAge, strPhone));
HttpContext.Current.Response.Redirect(strURLWithData);
}
else
{

}
}
*/
}

Other Encoding Samples Here:
http://makhaai.blogspot.co.uk/2010/04/encrypt-and-decript-string-aspnet.html
http://forums.asp.net/t/1808922.aspx/1
http://forums.asp.net/t/1822100.aspx/1?How+to+Encrypt+and+Decrypt+url+in+ASP+NET+Website
http://weblogs.asp.net/scottgu/archive/2007/02/26/tip-trick-url-rewriting-with-asp-net.aspx
http://stackoverflow.com/questions/10239410/reading-encoded-url-in-asp-net-code-behind

Advertisements

2 thoughts on “How to Encode/Decode (URL Encode) QueryString in ASP.NET?

  1. Pingback: How to Encode/Decode (URL Encode) QueryString in ASP.NET? | Shekhar Shete MCTS « My Story

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s