0

I’m making a POST API call in C# using the HttpWebRequest class. In the URL I have the password as a query string parameter. But the password has # in it, so it is getting truncated to vigne. The data after # is treated as the fragment, which is not supposed to happen. Is there a fix for it?

Password example: `vigne#ash@Test`

`URL = https://vigneashtesting.com/oauth/token?login_type=password&userid=vigneash&password=vigne#ash@Test;`


  • 9
    Don't put the password in the query string to begin with. OAuth certainly doesn't require passwords in the query string. It's a POST request, so the password can easily be in the body. If you use basic authentication, the password goes into a header – Panagiotis Kanavos Feb 10 '23 at 09:03
  • 2
    `System.Web.HttpUtility.UrlEncode("vigne#ash")` produces `"vigne%23ash"`. But, like PK says, don't put passwords in the URL. And, if you have to, then encrypt them properly. – Enigmativity Feb 10 '23 at 09:10
  • It is worth noting, however, that putting it in the query string is not less secure as long as HTTPS is used, as the entire request is encrypted before transmission. It *is* less secure in that it's easier for it to be inadvertently revealed on the client side (for example, in an address bar), and that an accidental fallback to HTTP might result in things ending up in logs, but in a purely server to server environment it's not the disaster that it might seem. – Jeroen Mostert Feb 10 '23 at 09:16
  • @Enigmativity It is better to use `Uri.EscapeDataString` instead: https://stackoverflow.com/a/47877559/5762332 – Magnetron Feb 10 '23 at 11:05

1 Answer

0

You should never include passwords (or any other confidential information) in query strings because they are displayed in the browser.

If you want to include special characters in a query string then you need to use encodings. You can find the encodings here: https://www.w3schools.com/tags/ref_urlencode.asp.

You can also use Uri.EscapeDataString or System.Web.HttpUtility.UrlEncode to encode special characters. See the following answer for the differences between the two: https://stackoverflow.com/a/47877559/19214431.

YungDeiza
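The truncation from the question and the two fixes discussed in the comments and the answer, as an added example that is not code from the original post. It uses `HttpRequestMessage` and `FormUrlEncodedContent` rather than the asker's `HttpWebRequest`, and it assumes the token endpoint accepts the same three fields in a form-encoded body, which the page does not confirm. The request is built and printed, never sent.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

class Program
{
    static async Task Main()
    {
        const string endpoint = "https://vigneashtesting.com/oauth/token"; // host from the question
        const string password = "vigne#ash@Test";                          // sample value from the question
        const string query = "?login_type=password&userid=vigneash&password=";

        // 1. Unescaped: the first '#' ends the query and starts the fragment,
        //    and the fragment is never transmitted to the server.
        var raw = new Uri(endpoint + query + password);
        Console.WriteLine("Raw query:        " + raw.Query);
        Console.WriteLine("Raw fragment:     " + raw.Fragment);

        // 2. Percent-encode the value only (not the whole URL) before concatenating.
        var escaped = new Uri(endpoint + query + Uri.EscapeDataString(password));
        Console.WriteLine("Escaped query:    " + escaped.Query);
        Console.WriteLine("Escaped fragment: " + escaped.Fragment);

        // 3. Keep the password out of the URL entirely: send it in a form-encoded
        //    POST body. FormUrlEncodedContent percent-encodes each value itself.
        //    Assumption: the server reads these fields from the body.
        var fields = new[]
        {
            new KeyValuePair<string, string>("login_type", "password"),
            new KeyValuePair<string, string>("userid", "vigneash"),
            new KeyValuePair<string, string>("password", password),
        };
        using var request = new HttpRequestMessage(HttpMethod.Post, endpoint)
        {
            Content = new FormUrlEncodedContent(fields)
        };
        Console.WriteLine("Request URL:      " + request.RequestUri);
        Console.WriteLine("Request body:     " + await request.Content.ReadAsStringAsync());
        // To actually send it, pass the request to HttpClient.SendAsync.
    }
}
```

With the third variant the URL that reaches proxy and server access logs carries no credential, which is the exposure the comments warn about.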