1

Is there a legitimate performance reason for using Request.Querystring("key") over Request("key") for accessing QueryString values?

Request.Item("key") (which I believe is the equivalent of Request("key")) pulls from the following data sources:

  • QueryString
  • Form
  • Cookies
  • ServerVariables

This suggests to me that Request.QueryString("key") will have better performance, but I see enough people using Request("key") that I've started to wonder. Clearly Request("key") obfuscates the data source, but the context if my question is performance.

Community
  • 1
  • 1
Brian Webster
  • 30,033
  • 48
  • 152
  • 225
  • I'm guessing the performance hit is minimal if they allow it and probably not something to fret over. Biggest problem you would probably see is if the same Key exists in multiple areas. I don't know off hand which order it checks in and MSDN doesn't seem to say. – Doozer Blake Oct 10 '11 at 15:55
  • 3
    If there's a performance difference, it will definitely be very, very, very, small. However, using `Request` is a possible security hole because you may be getting data from an unexpected source, and that's the only reason I would avoid it. – mellamokb Oct 10 '11 at 15:55
  • Not sure about performance, but from a security point of view, it makes sense to specify the _source_ of the key (QueryString, Form etc.), else users could pass a variable in a way you weren't expecting, for example specifying a value in the QuerySting that you assumed would only be present in a cookie. – Widor Oct 10 '11 at 15:57
  • @Widor: Granted, you should be assuming that any data coming from the user is untrusted and should be verified, no matter what source it is. Every user-specified source can and will be spoofed. – mellamokb Oct 10 '11 at 18:02

3 Answers3

3

If there's a performance difference, it will definitely be very, very, very, small. However, using Request is a possible security hole because you may be getting data from an unexpected source, and that's the only reason I would avoid it.

mellamokb
  • 56,094
  • 12
  • 110
  • 136
  • In the absence of an answer that answers the specific question, I will mark this as accepted, because it shows that there is indeed a valid security reason (unexpected source) to never use this feature – Brian Webster Oct 10 '11 at 18:12
0

I would imagine there would as you say be a small performance benefit from directly accessing .QueryString as opposed to checking all the possible stores for data. Although how much would probably depend on what order they are searched and if the first match is returned, or if the check continues irrespective of matches.

Also possibly more secure (slightly) if only checking one location for values, rather than allowing anything from the user to be accepted.

dougajmcdonald
  • 19,231
  • 12
  • 56
  • 89
0

Best suggestion I can offer is to benchmark it.

But from a common sense perspective, I would expect Request.QueryString("key") to be faster.

Consider a real world alternative. If you are trying to track down a word, and someone hands you two dictionaries, saying "It might be in this one or it might be in this one", is that going to be faster than them giving them one dictionary and saying "yep, definitely in this one. Just look here"?

Paul Alan Taylor
  • 10,474
  • 1
  • 26
  • 42