QueryString Parameter Doubling
Posted on 2002-07-04
Our (internally developed) Client Management System (CMS) utilises a number of state maintenance techniques. The main techniques used are: storing information in a database; Hidden form variables; and QueryString variables. Session variables are also used on a smaller scale for our shopping cart. In most cases, the information in these QueryStrings, Hidden form variables and Session variables is retrieved in the ASP page and used in SQL queries.
In recent weeks we have been experiencing problems with CMS.
Upon investigation of the Web Server logs, we noticed that the QueryStrings attached to the URLs of various ASP pages in CMS have been repeated, e.g.
1. cms/ClientModfy.asp?hidClientID=223 hidClientID=223
2. cms/OrderEntry.asp?hidClientID=223&hidProductID=15 hidClientID=223&hidProductID=15
When this doubling up occurs there always seems to be a space placed after the QueryString parameters and then a repeat of the QueryString.
When these QueryString values are requested in the ASP page, the values that are retrieved are not what is expected:
E.g. Example 1 above -
Request.QueryString("hidClientID") will return 223 hidClientID=223
Example 2 above -
Request.QueryString("hidClientID") will return 223
Request.QueryString("hidProductID") will return 15 hidClientID=223, 15
Needless to say, this results in incorrect datatypes being used in the SQL Query which then results in the Web Server CPU maxing out.
Once we became aware of what was happening, we automatically assumed we had made errors in the construction of the URL and QueryString in some of our ASP pages. However, after going through all the pages with a fine-tooth comb, we have not been able to find any errors in the construction of URL QueryStrings.
After a number of weeks' investigation, this QueryString doubling occurs a number of times a day and seems to be completely random with no discernible pattern to the occurrences. An ASP page will be accessed without a problem, i.e. no doubling, then a minute later the same page will be accessed and the QueryString doubling will occur which causes the CPU to max out on the Web Server. Once the CPU comes back to normal and the same page is then accessed, it is processed without any problems.
We have now resorted to band-aid measures and incorporated code to exit the user to the home page when this QueryString doubling occurs. This however does not solve our problem in the long term.
Any advice or direction would be appreciated.
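The parsing behaviour described in the post, together with a server-side guard, as an added example that is not part of the original post or the CMS code. It is written in Python rather than ASP; the sample query strings are constructed from the two log entries above, the function names are hypothetical, and it assumes the IDs are short positive integers and that repeated keys are joined with ", " as Request.QueryString does.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed samples shaped like the log entries quoted in the post.
SAMPLES = [
    "hidClientID=223",
    "hidClientID=223 hidClientID=223",
    "hidClientID=223&hidProductID=15 hidClientID=223&hidProductID=15",
]

INT_ID = re.compile(r"[0-9]{1,9}")  # assumption: IDs are short positive integers


def asp_style_values(query):
    """Split on '&' and the first '=', joining repeated keys with ', '."""
    values = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        values.setdefault(key, []).append(value)
    return {key: ", ".join(vals) for key, vals in values.items()}


def is_doubled(query):
    """True when the decoded query is one string, a space, then the same string."""
    q = unquote_plus(query)  # logs may record the space as '+' or '%20'
    mid = len(q) // 2
    return mid > 0 and len(q) % 2 == 1 and q[mid] == " " and q[:mid] == q[mid + 1:]


def require_int(values, name):
    """Return the parameter as an int, or raise before any SQL is built."""
    raw = values.get(name, "")
    if not INT_ID.fullmatch(raw):
        raise ValueError(f"{name} is not an integer ID: {raw!r}")
    return int(raw)


if __name__ == "__main__":
    for sample in SAMPLES:
        parsed = asp_style_values(sample)
        print("doubled" if is_doubled(sample) else "ok     ", parsed)
        for name in parsed:
            try:
                require_int(parsed, name)
            except ValueError as err:
                print("  rejected:", err)
```

In the second doubled sample hidClientID still parses as a clean 223, so the whole-query check and the per-parameter integer check catch different requests and both are worth keeping.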