ASP.NET - Query Strings - Client Side State Management
Continuing the tour of ASP.NET client-side state management, our current stop is the query string technique. You can read my previous posts on state management at the following links:
- Client side state management introduction
- ViewState technique
- Hidden fields technique
What are Query Strings?
Query strings are data that is appended to the end of a page URL. They are commonly used to hold data like page numbers, search terms or other data that isn't confidential. Unlike ViewState and hidden fields, the user can see the values that the query string holds without using special operations like View Source.
An example of a query string can look like http://www.srl.co.il?a=1&b=2. Query strings are included in bookmarks and in URLs that you pass in an e-mail. They are the only way to save a page state when copying and pasting a URL.
The Query String Structure
As written earlier, query strings are appended to the end of a URL. First a question mark is appended to the end of the URL, and then every parameter that we want to hold in the query string. Each parameter consists of the parameter name, followed by the = symbol, followed by the data to hold. Parameters are separated from each other by the ampersand symbol.
You should always use the HttpUtility.UrlEncode method on the data itself before appending it.
Query String Limitations
You can use the query string technique when passing from one page to another, but that is all. If the first page needs to pass non-secure data to the other page, it can build a URL with a query string and then redirect. You should always keep in mind that a query string isn't secure, and therefore always validate the data you receive. There are a few browser limitations when using query strings. For example, there are browsers that impose a length limitation on the query string. Another limitation is that query strings are passed only in the HTTP GET command.
How To Use Query Strings
When you need to use query string data, you do it in the following way:
string queryStringData = Request.QueryString["data"];
In the example I extract a data query string. The structure of the URL can look like url?data=something. After getting the data parameter value, you should validate it so that it doesn't enable security breaches. The next example is code that helps build a URL with a query string:

    using System.Collections;
    using System.Collections.Specialized;
    using System.Text;
    using System.Web;

    public string BuildQueryString(string url, NameValueCollection parameters)
    {
        StringBuilder sb = new StringBuilder(url);
        sb.Append("?");
        IEnumerator enumerator = parameters.GetEnumerator();
        while (enumerator.MoveNext())
        {
            // get the current query parameter
            string key = enumerator.Current.ToString();
            // insert the URL-encoded parameter name and value into the url
            sb.Append(string.Format("{0}={1}&", HttpUtility.UrlEncode(key), HttpUtility.UrlEncode(parameters[key])));
        }
        // remove the last ampersand (or the question mark when there are no parameters)
        sb.Remove(sb.Length - 1, 1);
        return sb.ToString();
    }
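The post says to validate query string data after reading it but does not show how; the following is an added example, not code from the original post. It assumes two hypothetical parameters, `page` and `q`, with limits chosen for illustration, and takes the same `NameValueCollection` type that `Request.QueryString` returns.

```csharp
using System;
using System.Collections.Specialized;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Web;

public static class QueryStringValidation   // hypothetical helper class
{
    private const int MaxPage = 10000;     // assumed upper bound for this example
    private const int MaxTermLength = 64;  // assumed length limit for this example
    // Allow-list of letters, digits, spaces and hyphens; \A and \z anchor the whole value.
    private static readonly Regex TermPattern = new Regex(@"\A[\p{L}\p{Nd} \-]+\z");

    // Page number: optional, defaults to 1, must be plain digits within range.
    public static bool TryGetPage(NameValueCollection query, out int page)
    {
        page = 1;
        string[] values = query.GetValues("page");
        if (values == null) return true;        // parameter absent: use the default
        if (values.Length != 1) return false;   // repeated parameter: reject
        if (!int.TryParse(values[0], NumberStyles.None, CultureInfo.InvariantCulture, out int parsed)
            || parsed < 1 || parsed > MaxPage) return false;
        page = parsed;
        return true;
    }
    // Search term: required, exactly one value, bounded length, allow-listed characters.
    public static bool TryGetTerm(NameValueCollection query, out string term)
    {
        term = null;
        string[] values = query.GetValues("q");
        if (values == null || values.Length != 1) return false;
        string candidate = values[0].Trim();
        if (candidate.Length == 0 || candidate.Length > MaxTermLength) return false;
        if (!TermPattern.IsMatch(candidate)) return false;
        term = candidate;
        return true;
    }
    public static void Main()
    {
        // Constructed sample query strings, not taken from the post.
        string[] samples = { "?q=query+strings&page=2", "?q=query+strings&page=-1", "?q=%3Cscript%3E&page=1", "?q=a&page=1&page=2" };
        foreach (string sample in samples)
        {
            NameValueCollection query = HttpUtility.ParseQueryString(sample);
            bool ok = TryGetPage(query, out int page) && TryGetTerm(query, out string term);
            Console.WriteLine("{0} -> {1}", sample, ok ? "accepted" : "rejected");
        }
    }
}
```

Validation decides whether a value is accepted; a value that is later written back into the page should still go through `HttpUtility.HtmlEncode` at the point of output.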
Summary
To sum up the post, the query string is another ASP.NET client-side state management technique. It is most helpful for page number state or search terms. The technique isn't secure, so avoid using it with confidential data. In the next post in this series I'll explain how to use cookies.