5

I know that the maximum length of a querystring varies by browser. Internet Explorer can have a maximum of 2048 characters.

If I perform a URLEncode in my code, will those encoded characters be taken as extra characters?

For example, suppose I have two textboxes. Before passing the values of the textboxes through the querystring, I perform HttpUtility.UrlEncode(TextBox2.Text) and then I pass those textbox values to another webpage through the querystring.

Suppose the URL may look like this: WebForm2.aspx?Username=Kutti&Password=Pa%26%26word.

Will that encoded thing, %26%26 has been taken as extra characters in the URL?

In other words, will it take Pa%26%26word as same characters in Pa&&word?

Kutti080808
  • 211
  • 1
  • 5
  • 10
  • 2
    http://classicasp.aspfaq.com/forms/what-is-the-limit-on-querystring/get/url-parameters.html – Steve Dec 06 '13 at 15:29
  • If you are passing large strings from page to page, you may want to look at using [Session Variables](http://msdn.microsoft.com/en-us/library/ms178581.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1). It keeps the values hidden (better for security), and keeps the address bar tidy (better for user). – Nunners Dec 06 '13 at 15:32
  • 3
    Or better yet, post them in a form field. – JohnFx Dec 06 '13 at 15:32
  • I think it counts the extra encoded characters, but that's just a gut feeling. The best thing to do is to test this with a querystring with unencoded characters, right on the limit of the length, then try the same again but encoded. – Darko Dec 06 '13 at 15:33
  • 1
    What are you asking exactly? Extra characters are extra chacters and they count against the browser's limit. The only reason to ask whether ASP.NET has a limit in this case is if you try to do a Server.Transfer – Panagiotis Kanavos Dec 06 '13 at 15:34
  • @Steve Thank you very much dude. This is what i was searching for. – Kutti080808 Dec 06 '13 at 15:47
  • @Kutti080808 its a bad idea to put a password in the query string. – Daniel A. White Dec 06 '13 at 15:52
  • seems bad practice. perhaps explain why you want to know this and what you are doing. – JP Hellemons Dec 06 '13 at 15:54

1 Answers1

1

Yes, each character will be counted, even if it is arise due to encoding.

A suggestion for good code and security. Always try to limit your password till login page. Check the user's credentials and move on with some session variable for page to page authentication and authorization. Never pass password in the url, I would not even pass by userId.

rink.attendant.6
  • 44,500
  • 61
  • 101
  • 156
Shreyash Maheshwari
  • 21
  • 3