Plus signs in query strings


MattB

I'm tightening security on my application by encrypting query strings so
someone can't try and guess other valid query string values. This was
working well, but I noticed it wasn't working in some cases today. Looking a
little deeper, it seems that when encrypted one value had a + in it. When
this was picked up at the receiving page, I see the + turns into a space,
which then throws off the decryption.

Is a + an illegal character for a query string? If so, is the plus the only
character I can count on being converted to a space? It won't be hard to
look for any spaces and change them into + in the codebehind, but I only
want to do that if that's the only character that becomes a space.

Anyone got a good link to describe this in detail (what characters are
allowed and what happens to illegal ones)?

Thanks!
Matt
 

mikeb

MattB said:
I'm tightening security on my application by encrypting query strings so
someone can't try and guess other valid query string values. This was
working well, but I noticed it wasn't working in some cases today. Looking a
little deeper, it seems that when encrypted one value had a + in it. When
this was picked up at the receiving page, I see the + turns into a space,
which then throws off the decryption.

Is a + an illegal character for a query string? If so, is the plus the only
character I can count on being converted to a space? It won't be hard to
look for any spaces and change them into + in the codebehind, but I only
want to do that if that's the only character that becomes a space.

Anyone got a good link to describe this in detail (what characters are
allowed and what happens to illegal ones)?

Characters in a URL are expected to be URL Encoded to be passed through
safely. Since spaces are not safe characters in a URL, they are encoded
- some systems encode a space using "%20", some systems encode a space
using '+'.

What's happening is the ASP.NET method you're using to grab the
query parameters is automatically URLDecoding the parameter for you - so
it's decoding the '+' as a space.

The fix is for your code that issues the query parameters to perform a
URLEncode() on it.
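
The failure and the fix described in the reply above, as an added example that is not part of the original thread. The host example.test, the page name, the parameter name id and the sample bytes are constructed for illustration, and HttpUtility.ParseQueryString stands in for the decoding that happens when the receiving page reads the query string.

```csharp
using System;
using System.Web; // HttpUtility

static class PlusInQueryStringDemo
{
    // Read a parameter the way the receiving page sees it: already URL-decoded.
    static string ReadParam(string url, string name)
    {
        string query = url.Substring(url.IndexOf('?'));
        return HttpUtility.ParseQueryString(query)[name];
    }

    // Fail closed: a token that is not valid Base64 is rejected, never repaired by guessing.
    static bool TryDecode(string token, out byte[] bytes)
    {
        try { bytes = Convert.FromBase64String(token); return true; }
        catch (FormatException) { bytes = null; return false; }
    }

    static void Report(string label, string sent, string received)
    {
        byte[] decoded;
        bool intact = received == sent;
        bool parses = TryDecode(received, out decoded);
        Console.WriteLine("{0}: received \"{1}\" intact={2} validBase64={3}",
                          label, received, intact, parses);
    }

    static void Main()
    {
        // Constructed bytes standing in for real ciphertext; their Base64 form contains '+'.
        byte[] ciphertext = { 0xFB, 0xEF, 0x12, 0x34, 0x56, 0x78 };
        string token = Convert.ToBase64String(ciphertext);
        Console.WriteLine("token sent: \"{0}\"", token);

        // Before: the token is concatenated into the URL as-is, so each '+' is decoded as a space.
        string rawUrl = "http://example.test/page.aspx?id=" + token;
        Report("raw", token, ReadParam(rawUrl, "id"));

        // After: the issuing code URL-encodes the value, so '+' travels as an escape
        // sequence and the automatic decode on the receiving side restores it.
        string encodedUrl = "http://example.test/page.aspx?id=" + HttpUtility.UrlEncode(token);
        Report("url-encoded", token, ReadParam(encodedUrl, "id"));
    }
}
```

Base64 output can also contain '/' and '=', which UrlEncode escapes in the same call, so encoding the whole value covers more than a space-to-plus substitution on the receiving side would.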
 
