Alternative to QueryString

Posted on 2009-04-09
Medium Priority
Last Modified: 2013-11-26
I'm building a web store.  When a visitor clicks on a product category link, such as "Furniture" or "Clothing", I would pass a variable that represented their selection via a querystring.  This variable would be used in my SQL code to retrieve the products from my database and load them onto the page.

Is there a better, more secure way of doing this?  Any suggestions would be appreciated.  Thanks!
Question by:cdemott33
Expert Comment

by:Sreedhar Vengala
ID: 24111569
LVL 37

Expert Comment

ID: 24111573
Well, you could use a session...but I would continue using the querystring.
It would let your users bookmark a link directly to a
I've got tons of links to different eBay, Amazon, and CarMax searches and products that wouldn't work if they didn't use querystrings!

If your concern is security...just make sure you pass the querystring to your SQL with a parameter and/or to a stored procedure and I don't think you need to be overly concerned about security...
Alternatively, you could implement some basic encryption on your querystring variables if you're really concerned...but..again...I don't think you need to be...

Expert Comment

by:Sreedhar Vengala
ID: 24111610

Expert Comment

ID: 24113335
The most important thing here is why do you want to secure the querystring. If you don't want your users to be able to see the categoryid actually used, you can use some function in your app to encrypt and decrypt the category id so that the actual id will be hidden from the user's point of view.



Author Comment

ID: 24115127
I guess my main concern is that the querystring value, such as...

products.aspx?category=furniture used in my SQL statement.  So on button click I assign the value of the querystring to a string variable that's pumped into my SELECT statement.  (i.e. SELECT * FROM catalog WHERE productType = ** my request.querystring value** )

I've been told to use SQL parameters to help with SQL injection attacks, but do you all believe that's secure enough?

LVL 37

Accepted Solution

samtran0331 earned 2000 total points
ID: 24115496
>>I've been told to use sql parameters to help with sql injection attackes but do you all believe that secure enough?

SQL injections work by trying to concatenate additional SQL statements into yours...if you use parameters, the concatenation fails because it is a parameter to your can't be bypassed by the injection.

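Added example (not from the thread, and written in Python with sqlite3 rather than the asker's ASP.NET) showing the two shapes the accepted answer contrasts: the asker's concatenated SELECT, where the querystring value becomes part of the SQL text, beside the parameterized form, where it is only ever a bound value. The catalog table and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample catalog standing in for the asker's database.
CATALOG_ROWS = [
    ("Oak table", "furniture"),
    ("Sofa", "furniture"),
    ("Jacket", "clothing"),
]


def make_catalog():
    """Build an in-memory table shaped like the asker's 'catalog'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE catalog (name TEXT, productType TEXT)")
    conn.executemany("INSERT INTO catalog VALUES (?, ?)", CATALOG_ROWS)
    return conn


def products_concatenated(conn, category):
    """The pattern the asker describes: the querystring value is pasted into
    the SQL text, so the database parses it as SQL, not as data."""
    sql = "SELECT name FROM catalog WHERE productType = '" + category + "'"
    return [row[0] for row in conn.execute(sql)]


def products_parameterized(conn, category):
    """The accepted answer's fix: the value travels as a bound parameter and is
    only compared against the column, whatever characters it contains."""
    sql = "SELECT name FROM catalog WHERE productType = ?"
    return [row[0] for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    conn = make_catalog()
    # A normal category: both forms return the same two rows.
    print(products_concatenated(conn, "furniture"))
    print(products_parameterized(conn, "furniture"))
    # A value that closes the quoted literal and appends its own condition:
    # the concatenated query now returns every row, the parameterized one none.
    odd_value = "x' OR '1'='1"
    print(products_concatenated(conn, odd_value))
    print(products_parameterized(conn, odd_value))
```

The same distinction holds in ASP.NET: the safe version is the one where the querystring value is attached as a SqlParameter rather than joined into the command text.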
Author Closing Comment

ID: 31568747
Thanks for all your help!
