Request.QueryString[] vs. Request.Query.Get() vs. HttpUtility.ParseQueryString()
I searched SO and found similar questions, but none compared all three. That surprised me, so if someone knows of one, please point me to it.
There are a number of different ways to parse the query string of a request... the "correct" way (IMO) should handle null/missing values, but also decode parameter values as appropriate. Which of the following would be the best way to do both?
Method 1
string suffix = Request.QueryString.Get("suffix") ?? "DefaultSuffix";
Method2
string suffix = Request.QueryString["suffix"] ?? "DefaultSuffix";
Method 3
NameValueCollection params = HttpUtility.ParseQueryString(Request.RawUrl);
string suffix = params.Get("suffix") ?? "DefaultSuffix";
Method 4
NameValueCollection params = HttpUtility.ParseQueryString(Request.RawUrl);
string suffix = params["suffix"] ?? "DefaultSuffix";
Questions:
Would
Request.QueryString["suffix"]return a null if no suffix was specified? (Embarrassingly basic question, I know)Does
HttpUtility.ParseQueryString()provide any extra functionality over accessingRequest.QueryStringdirectly?The MSDN documentation lists this warning:
The ParseQueryString method uses query strings that might contain user input, which is a potential security threat. By default, ASP.NET Web pages validate that user input does not include script or HTML elements. For more information, see Script Exploits Overview.
But it's not clear to me if that meansParseQueryString()should be used to handle that, or is exposed to security flaws because of it... Which is it?ParseQueryString()uses UTF8 encoding by default... do all browsers encode the query string in UTF8 by default?ParseQueryString()will comma-separate values if more than one is specified... doesRequest.QueryString()do that as well, or what happens if it doesn't?Which of those methods would correctly decode "%2b" to be a "+"?
Showing my Windows development roots again... and I would be a much faster developer if I didn't wonder about these things so much... : P
Answer
Methods #1 and #2 are the same thing, really. (I think the .Get() method is provided for language compatibility.)
ParseQueryString returns you something that is the functional equivalent of Request.Querystring. You would usually use it when you have a raw URL and no other way to parse the query string parameters from it. Request.Querystring does that for you, so in this case, it's not needed.
You can't leave off
"suffix". You either have to pass a string or an index number. If you leave off the[]entirely, you get the wholeNameValueCollection. If you mean what if"suffix"was not one of the QueryString values then yes; you would getnullif you calledRequest.QueryString["suffix"].No. The most likely time you would use it is if you had an external URL and wanted to parse the query string parameters from it.
ParseQueryStringdoes not handle it... neither does pulling the values straight fromRequest.QueryString. For ASP.NET, you usually handle form values as the values of controls, and that is where ASP.NET usually 'handles' these things for you. In other words: DON'T TRUST USER INPUT Ever. No matter what framework is doing what ever for you.I have no clue (I think no). However, I think what you are reading is telling you that
ParseQueryStringis returning UTF-8 encoded text - regardless if it was so encoded when it came in.Again:
ParseQueryStringreturns basically the same thing you get fromRequest.QueryString. In fact, I thinkParseQueryStringis used internally to provideRequest.QueryString.They would produce the equivalent; they will all properly decode the values submitted. If you have URL:
http://site.com/page.aspx?id=%20Hellothen callRequest.QueryString["id"]the return value will be" Hello", because it automatically decodes.