Web application security issue after using QueryString and AJAX get

Question

I have written the following code for a room booking web application. However, as I am really new at this, I can't quite comprehend whether the code is "safe" or not.

So my questions is this: After I receive parameters from QueryString, could the following code be manipulated by a user, in for instance Google Chrome's Inspect Element, into a state where a student has uses someone else's credentials?

Please assume that I will receive the QueryString encrypted, and I'm assuming that I can decrypt it in the controller before loading up the view.

The view:

<script>
    var scheduler = $("#scheduler4").data("kendoScheduler");

    /* Get QueryString and search for student in external URL */
    $(document).ready(function () {

        var url = document.URL;

        var nameIndex = url.indexOf("name=");
        var name;

        var emailIndex = url.indexOf("email=");
        var email;


        if (emailIndex > -1 && staffIndex == -1) {

            name = url.substr((nameIndex + 5), emailIndex - (nameIndex + 5 + 1));

            email = url.substr((emailIndex + 6));
            email = email.substr(0, (email.length - 4)) + "@@email.com";

            /* Check student directory to see if this email exists */
            var url = '@Url.Action("CheckStudentDirectory", "Home")';
            // alert(email);
            var data = { name: name, email: email };

            $(".loading-overlay").show();
            $.get(url, data)
                .done(function (response, status, jqxhr) {

                        if (response.exists === true) {

                            $.ajax({
                                type: 'GET',
                                url: '@Url.Action("StudentScheduler", "Home")',
                                success: function (data) {
                                    $('#incomingscheduler').html(data);
                                    }
                                });
                        }
                .fail(function (jqxhr, status, errorThrown) {

                        /* problem with XML file at CheckDirectory */
                        alert("Something went wrong with authentication");
                .complete(function () {
                    $(".loading-overlay").hide();
                    });
                }
            });
</script>

<body>

    <!-- Scheduler-->
    <div id="incomingscheduler">
        <!-- Schedulers will be loaded in here -->
    </div>

</body>

Answer 1

do this at controller level.. like "

public ActionResult Test(string email,string name)
{
     //do your stuff
}

This action automatically take name and email from your query string but the query string parameter name and argument name of action should be same.

Answer 2

could the following code be manipulated by a user... into a state where a student has uses someone else's credentials?

Yes -- Any parameters sent to your application, via query string or form post, can be manipulated by a user. Encryption isn't protecting you from unauthorized access.

Always validate user input on the server. You need to verify on the server that an authenticated user really owns the name and email or any other sensitive resource.

Furthermore, encrypted query strings may still be logged in plain text.