Chapter 4. Using Query Strings, Form Fields, Events, and Browser Information

Input arrives into your Web application from various sources. Chapter 3 discussed how you should treat input, how input should be considered untrustworthy by default, how you can validate it, and how you can output it safely. This chapter introduces some of ways input can arrive, the vulnerabilities each of these vectors are susceptible to, and how you can mitigate against them.

In this chapter, you will learn about the following:

  • How to pass input via query strings

  • How to use hidden form fields

  • How forms can be hijacked

  • How the ASP.NET event model works

  • How to avoid common mistakes with browser information


HTTP allows input into your application in the following four ways:

  • The query string

  • Form fields

  • HTTP headers

  • Cookies

The base class for ASP.NET pages, Page, contains a property, Request of type HttpRequest. When your Page class is created by ASP.NET, you have access to the Request property. It is initialized and contains the various inputs sent as part of the page request, as well as other information provided by the ASP.NET run-time (such as the identity of the user, whether the page has been requested over SSL, and so on). The Page class also contains a Response property that allows you to manipulate the response being sent when your page has finished processing.


A query string is the part of a URL that contains data to be passed to a Web application as part of a request. ...

Get Beginning ASP.NET Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.