Decoding Encrypted Query string

Question

I am using the method described in the following LINK and I am using the following code to encrypt:

'Page1.aspx    
Protected Sub butEncrypt_Click(sender As Object, e As EventArgs) Handles butEncrypt.Click
    Dim QueryString As String = "type=Int&pk=" & _primaryKey
    QueryString = Tools.encryptQueryString(QueryString)
    Response.Redirect(/SearchResults.aspx?Val=" & QueryString)
End Sub

and then finally de-encrypt:

        'SearchResults.aspx
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If (Not IsPostBack) Then
         If Not String.IsNullOrEmpty(HttpContext.Current.Request(CIAppGlobals.GlobalVar.Val)) Then
            Dim qs As String = Request.QueryString(CIAppGlobals.GlobalVar.Val)
            qs = Tools.decryptQueryString(qs)

            Dim Values As String() = qs.Split(CChar("&"))

            _imageType = String.Empty
            _primaryKey = 0

            For Each value As String In Values
               Dim data As String() = value.Split(CChar("="))

               Select Case data(0).ToUpper
                  Case "TYPE"
                     _imageType = data(1)
                  Case "PK"
                     _primaryKey = CInt(data(1))
               End Select
            Next
            Else
               _imageType = HttpContext.Current.Request("type")
               _primaryKey = CInt(HttpContext.Current.Request("pk"))
         End If
    End If
   End Sub

My question is should I being using a different method to extract the decoded query string values other than what I am doing? Thanks in advance for your constructive responses.

Solution

After looking at Darin's response I have decided to incorporate it into my project, here is my updated code:

'Page1.aspx    
Protected Sub butEncrypt_Click(sender As Object, e As EventArgs) Handles butEncrypt.Click
  Dim query = HttpUtility.ParseQueryString(String.Empty)
  query("type") = "Int"
  query("pk") = CStr(_primaryKey)

  Dim QueryString As String = Tools.encryptQueryString(query.ToString())
  Response.Redirect(/SearchResults.aspx?Val=" & QueryString)
End Sub

I still want to encrypt the query string because I want to prevent users from changing the Query String Values manually

Answer 1

You are incorrectly building the query string in the first place. You are using string concatenations and not properly encoding them. What if _primaryKey contains a & or = characters? You could use the ParseQueryString method to properly build a query string:

Dim query = HttpUtility.ParseQueryString(String.Empty)
query("type") = "Int"
query("pk") = _primaryKey
Dim queryString = query.ToString()

The same method could be used for parsing the decoded query string:

Dim values = HttpUtility.ParseQueryString(qs)
Dim type = query("type")
Dim primaryKey = query("pk")
' work with the type and primaryKey values

Never use string concatenations and splitting when dealing with urls. Always use the right tool for the right job.

That's as far as creating/parsing query strings is concerned. As far as encrypting/decryption the values is concerned, you haven't shown/told us anything about the Tools class that you are using so I cannot provide you with any constructive comments about it.

You know that the best encryption is to never send the actual value to the client. So you could store it in some backend storage on the server and then use an unique id in the url. This id could be used on the target page to fetch the original value. This way you don't need to be encrypting/decrypting anything.