Request.Querystring removes characters from encrypted text - asp.net

In my application I take a user's e-mail address, encrypt it, and URLEncode it, and pass it along into a QueryString.
email = Server.UrlEncode(aes.Encrypt(email));
The landing page does a Request.Querystring["email"], UrlDecodes it, and then decrypts it.
string email = Server.UrlDecode(Request.QueryString["eId"]);
string decemail = aes.Decrypt(email);
return decemail;
Very strange behavior was happening where a "+" character was being removed and therefore the decryption was failing.
I attempted to remove the UrlDecode, but that didn't solve the problem.
What solved the problem was doing this:
string email = Request.QueryString["eId"].ToString();
string decemail = aes.Decrypt(email);
return decemail;
Getting rid of UrlDecode, and calling a ToString() on the querystring.
Does anyone know why this would happen? Does Request.QueryString call urlDecode by default? I don't think it does.
Also, why would doing the .ToString() work in this instance?

Yep, correct. Request.QueryString actually returns a string that has already been URL-decoded.
Sources:
http://www.codeproject.com/KB/custom-controls/antiauto.aspx?msg=1475521
http://www.kamath.com/codelibrary/cl006_url.asp

Related

Query String Returning Different Values to that of the actual in the url

http://localhost:1079/BattleSimulator.aspx?userID=Unregistered_User&Troops=1111%1111%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0!1111%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0&Research=10%10%10%10%10%10%0!10%10%10%10%10%10%0&Sanctuary=0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0!0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0&Inventory=False%False%False%False%False%False!False%False%False%False%False%False&other=5!0&RNG=0&Dragons=-1%-1%-1%-1!-1%-1%-1%-1&BattleArts=0%0%0!0%0%0&Kaizer=2310000%1510000%0%15867000%910000%875!5011000%2810000%3158%182972948%2810000%803
^ This is the original query passed on to the server,
but it is parsed in a very different way on the server.
Ex:
http://prntscr.com/3h90fs
http://prntscr.com/3h90o2
the string returned from
Extention.QueryString("Troops")
is "111111%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0!1111%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0"
Why is this happening? Is it a bug?
There are many chars that are reserved and can't be used in querystring. % is one of those.
You have to encode a string to be sure that it will be properly decoded to the same string on the server.
In C# this can be done this way:
HttpContext.Current.Server.UrlEncode(destinationURL);
Why is this happening?
Because you added some spaces (whitespace characters) between your values.
Is it a bug?
Nope. It's not a bug.
Solution:
You need to use Trim() or remove empty values by using Replace(" ","") on your query string values before sending the query string.
See these links:
Get Query String value containing spaces
Passing in a querystring with a space?
http://blogfornet.com/tag/how-to-use-space-in-url-query-string/
Request.QueryString giving me space instead of + sign

How to decode QUrlInfo.name()?

I received the following QUrlInfo string from QFtp::listInfo(QUrlInfo) and the correct URL fragment is actually set to ©®§µ here in a test.
But QUrlInfo.name() returns a String containing ©®§µ. I realize I must encode it somehow, but how do I do that?
This should work:
QString::fromUtf8(info.name().toAscii());

What is the use of =? in links?

I saw my friend doing some web development, and one piece of his code that caught my attention is the Response.Redirect.
What is the use of Home?=? Isn't LogIn.aspx the name of the page? How come it's still redirecting if it has Home?=? Can someone please answer this question of mine and explain it very well?
String url = "LogIn.aspx?Home?=" + Username;
Response.Redirect(url);
Update
Working from all your comments, the answer is: The query string parameter name (key) is actually "Home?", not just "Home". Details (including why the code generating that is technically incorrect) below.
how come it's still redirecting if it has Home?=?
Because there's no reason it shouldn't redirect. Granted the URL is invalid (? is a reserved character, it cannot appear unencoded in the query string, so the second ? in the URL is incorrect), but browsers are pretty content to deal with invalid URLs.
Separately, unless Username has already been URL-encoded, the URL could have other errors depending on the content of Username. (All query string parameters must be URL-encoded, in .Net you do that with HttpUtility.UrlEncode.)
Re your comment:
what i mean is i don't know why he use Home?= and what is the use of it
It has no use, it's an error. He probably just meant (no, apparently not, see below after your next comment)
String url = "LogIn.aspx?Home=" + Username;
...which would more correctly be:
String url = "LogIn.aspx?Home=" + HttpUtility.UrlEncode(Username);
(Technically, you have to URL-encode both the keys and values [both "Home" and Username], but the URL-encoded form of "Home" is "Home", so we can get away without making the call for the key. Not true if the key needs to have any of the URL reserved characters in it.)
Re your further comment consisting entirely of this code:
string retrieveValue;
protected void Page_Load(object sender, EventArgs e) {
this.lblUsername.Text = Request.QueryString["Home?";
retrieveValue = this.lblUsername.Text;
}
Assuming the syntax error in the above is fixed (missing ] on line 3), it would appear that he's actually using "Home?" as a key (parameter name). That means the redirect should be:
String url = "LogIn.aspx?" + HttpUtility.UrlEncode("Home?") + "=" + HttpUtility.UrlEncode(Username);
...because the key has a reserved character in it (?). Because that will be decoded for you on receipt, that should make the code above work.
Note that most browsers will probably let you get away with the string as he specified it. It's incorrect, but in a way browsers probably allow.
Regardless of the errors that T.J. covered, what he meant to do was load the page LogIn.aspx with the variable "Home" being set to the visitor's username. This allows the page to "GET" the variable and use it. It's basically a way of sending data from one page to another.

asp.Net + encrypted QueryString requested not reading '+' sign

I have an encrypted query string passed from another page. It reads something like "/se73j+sef", but after receiving it, the '+' sign got omitted and it became "/se73j sef". Is this normal? Please kindly advise. Thanks.
Is this normal?
Yes, perfectly normal. + is a special character in a URL. It means space (0x20 ASCII character). If you want to represent the + sign you will have to URL-encode it:
/se73j%2Bsef
To url encode a string in .NET you could use the UrlEncode method. Or depending on how you are building the url there are certainly better ways.
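The '+' loss described in this thread and in the first question above, as an added example that is not code from either post. HttpUtility.ParseQueryString stands in for Request.QueryString, the bytes are constructed in place of real AES output, and the base64url helpers are hypothetical names showing one encoding that survives both mistakes.

```csharp
using System;
using System.Web; // HttpUtility: System.Web on .NET Framework, System.Web.HttpUtility on .NET Core and later

static class QueryTokenDemo
{
    // Base64url: '+' becomes '-', '/' becomes '_', padding is dropped.
    // Nothing in the result has a special meaning in a query string.
    public static string ToBase64Url(byte[] data)
    {
        return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static byte[] FromBase64Url(string text)
    {
        string b64 = text.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }

    static void Main()
    {
        // Constructed bytes standing in for ciphertext; their Base64 form contains '+', '/' and '='.
        byte[] cipher = { 0xFB, 0xFF, 0xBF, 0x41 };
        string b64 = Convert.ToBase64String(cipher);

        // Correct round trip: the sender encodes once, the framework decodes once on read.
        string query = "eId=" + HttpUtility.UrlEncode(b64);
        string received = HttpUtility.ParseQueryString(query)["eId"];
        Console.WriteLine("decoded once : '{0}' intact={1}", received, received == b64);

        // Mistake 1: a second, manual UrlDecode turns every '+' into a space.
        string twice = HttpUtility.UrlDecode(received);
        Console.WriteLine("decoded twice: '{0}' intact={1}", twice, twice == b64);

        // Mistake 2: the sender never encoded, so the single automatic decode already loses '+'.
        string raw = HttpUtility.ParseQueryString("eId=" + b64)["eId"];
        Console.WriteLine("never encoded: '{0}' intact={1}", raw, raw == b64);

        // Base64url passes through unencoded and double-decoded without change.
        string safe = ToBase64Url(cipher);
        string back = HttpUtility.UrlDecode(HttpUtility.ParseQueryString("eId=" + safe)["eId"]);
        Console.WriteLine("base64url    : '{0}' intact={1}", back,
            Convert.ToBase64String(FromBase64Url(back)) == b64);
    }
}
```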

Issue with sending Base64 encoded query string in ASP.Net

I am creating a web site in .Net 3.5. I am converting the string into a Base64String to send it through the querystring. The Response.Redirect works fine for smaller strings. But if the original string size is 1670, the Response.Redirect results in the error "Page can not be found".
item is the string in below code snippet.
byte[] data = Encoding.Default.GetBytes(item);
return Convert.ToBase64String(data);
Can anyone please help in resolving this?
A query string shouldn't be used for long values - while it depends on the browser and web server exactly what the maximum safe length is, it's certainly not safe above about 2000 characters, and I'd be wary about relying on it above 255. The solution is to use a POST request instead, or possibly to save the data on the server and pass a key to it in the query string.
There is a limit on characters sent as a query string - it varies from browser to browser:
http://support.microsoft.com/kb/q208427/
I'd save it to a DB and retrieve it on the other end with a key.
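One way to do the "save it on the server and pass a key" approach from the answers above, as an added example that is not code from the thread. It assumes .NET 4 or later; the HandoffStore class, the Target.aspx page and the k parameter are hypothetical, and the in-memory dictionary stands in for the database. The key is random, expires, and can be redeemed only once, so the URL carries nothing an observer can decode or replay later.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical in-memory store; a real site would back this with its database.
static class HandoffStore
{
    sealed class Entry { public string Value; public DateTime ExpiresUtc; }

    static readonly ConcurrentDictionary<string, Entry> Items =
        new ConcurrentDictionary<string, Entry>();

    // Keeps the value on the server and returns a short random key for the query string.
    public static string Put(string value, TimeSpan lifetime)
    {
        byte[] raw = new byte[16];                        // 128 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string key = BitConverter.ToString(raw).Replace("-", "");   // hex needs no URL encoding
        Items[key] = new Entry { Value = value, ExpiresUtc = DateTime.UtcNow + lifetime };
        return key;
    }

    // Returns the value once; unknown, already used or expired keys yield null.
    public static string Take(string key)
    {
        Entry e;
        if (key == null || !Items.TryRemove(key, out e)) return null;
        return e.ExpiresUtc >= DateTime.UtcNow ? e.Value : null;
    }

    static void Main()
    {
        string item = new string('x', 1670);              // constructed, same length as in the question
        string key = Put(item, TimeSpan.FromMinutes(5));
        string url = "Target.aspx?k=" + key;              // hypothetical page and parameter name
        Console.WriteLine("{0} ({1} chars)", url, url.Length);
        Console.WriteLine("first read ok : {0}", Take(key) == item);
        Console.WriteLine("second read   : {0}", Take(key) ?? "(null)");
    }
}
```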
