May 7, 2009

Pass Values Using Query Strings

Query strings are a common way to transfer values from one page to another or to store them in the page URL. Query string values are stored as strings and are appended to the URL. A typical query string looks like http://shahed-kazi.blogspot.com/index.html?country=australia .

The browser treats the file name as index.html and any characters after the "?" as the query string. In this example, there is one query string parameter with key country and value australia. Multiple values can be added to the URL like http://shahed-kazi.blogspot.com/index.html?country=australia&city=sydney .
Here, there are 2 parameters: country with value australia and city with value sydney. The key/value pairs in a query string are separated with "&".

One disadvantage of query strings is that both the variable names and their values are visible to the user. A user can also easily change the values and construct a different URL. Therefore, sensitive information cannot be passed from one page to another using this method.

Another disadvantage is that there is a limit on the number of characters in a URL. The limit is 2083 characters. Therefore, large amounts of data cannot be passed using the query string technique.

Sensitive information should not be stored in query strings. For example, if we run a database query based on data from the query string, a user can easily modify the URL and run a query that hangs the site. Also, if we update the data source based on a query string, a user modifying the query string may cause the data source to be updated with invalid data. That's why it is important to validate the data.

Now, I will create an example page with 2 TextBox controls, build a URL from the textbox values and display the values on a second page.

First Page:

<form id="form1" runat="server">
    <div>
        First Name: <asp:TextBox ID="FirstNameTextBox" runat="server"></asp:TextBox><br />
        Last Name: <asp:TextBox ID="LastNameTextBox" runat="server"></asp:TextBox><br />
        <asp:Button ID="Button1" runat="server" Text="Continue" onclick="Button1_Click" />
    </div>
</form>

In the code-behind, the Button1 Click handler builds the URL from the textbox values and redirects:

protected void Button1_Click(object sender, EventArgs e)
{
    string firstname = Server.UrlEncode(FirstNameTextBox.Text); // encode so a typed "&" or "=" cannot alter the URL structure
    string lastname = Server.UrlEncode(LastNameTextBox.Text);
    Response.Redirect("page2.aspx?firstname=" + firstname + "&lastname=" + lastname);
}

page2.aspx looks like this:

<form id="form1" runat="server">
    <div>
        First Name: <asp:Label ID="FirstNameLabel" runat="server" Text=""></asp:Label><br />
        Last Name: <asp:Label ID="LastNameLabel" runat="server" Text=""></asp:Label>
    </div>
</form>

In this page, the label controls will be populated with values from the query string.

In the Page_Load method of the code-behind page:

protected void Page_Load(object sender, EventArgs e)
{
    // Request.QueryString[...] returns null when the key is absent; HtmlEncode passes null through unchanged
    FirstNameLabel.Text = Server.HtmlEncode(Request.QueryString["firstname"]);
    LastNameLabel.Text = Server.HtmlEncode(Request.QueryString["lastname"]);
}

The page will now show the values in the Label controls as in the query strings.

Also, note that I have encoded the string using Server.HtmlEncode. This method converts characters that have special meaning in HTML (such as "<", ">" and "&") into their HTML entity equivalents, so any markup supplied through the query string is displayed as plain text rather than rendered by the browser.

To use special characters like "&" in a query string value, encode the value with the UrlEncode method of the Server class. For example, build the URL like this:

string url = "http://shahed-kazi.blogspot.com/2009/05/pass-values-using-query-strings.html?id=" + Server.UrlEncode("hello & world");

The resulting URL is http://shahed-kazi.blogspot.com/2009/05/pass-values-using-query-strings.html?id=hello+%26+world : the space becomes "+" and the "&" becomes "%26", so it is no longer read as a parameter separator.
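The same two-step flow (build the redirect URL with encoded values, then read the values back, validate them and HTML-encode them for display), as an added example in JavaScript on Node's built-in URL classes rather than the post's ASP.NET code. The base URL, the name-validation pattern and the sample inputs are constructed for this example.

```javascript
// Step 1 (first page): build "page2.aspx?firstname=...&lastname=..." from
// text box values. URLSearchParams percent-encodes "&", "=" and "#" and
// turns a space into "+", which is the job Server.UrlEncode does in ASP.NET,
// so a value typed by the user cannot add or rename a query string key.
function buildRedirectUrl(base, values) {
  const url = new URL(base); // base is a constructed placeholder in the test
  for (const [key, value] of Object.entries(values)) {
    url.searchParams.set(key, value);
  }
  return url.toString();
}

// Step 2 (page2): every query string value is user-controlled, so validate it
// before use. NAME_PATTERN is an assumed policy: letters, apostrophes, hyphens
// and spaces, at most 50 characters.
const NAME_PATTERN = /^[A-Za-z][A-Za-z' -]{0,49}$/;

function readName(query, key) {
  // URLSearchParams decodes the value and returns null when the key is absent,
  // mirroring Request.QueryString[...] in the post.
  const raw = new URLSearchParams(query).get(key);
  if (raw === null || !NAME_PATTERN.test(raw)) {
    return null; // missing or tampered value: show nothing rather than the raw input
  }
  return raw;
}

// Equivalent of Server.HtmlEncode: characters with HTML meaning become
// entities, so "<b>" arriving in the URL is shown as text, not rendered.
function htmlEncode(text) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => entities[c]);
}

// What page2 would assign to a Label's Text for the given key.
function labelText(query, key) {
  const value = readName(query, key);
  return value === null ? '' : htmlEncode(value);
}
```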

2 comments:

Anonymous said...

This does not work and I also tried different variations based on your suggestions but the form will not display the query string values. The label fields on the form remain blank.

Shahed Kazi said...

Please clarify what does not work.

Reference: Shahed Kazi at AspNetify.com