Part 1: SharePoint: Think Before You Pass Your Parameters in Query String Format

Introduction to Problem

Consider a case where you need to pass some user information as a query string parameter in the URL, which will be read on another page and used there to execute some code. Will you pass it straight away? What if the user changes one of those parameters to some other value, say Location=India to Location=Norway? That would give him access to a page he should not get, or would pass the wrong parameters to the output page. This can cause problems later, so the user should not be able to change this information in the URL.

The best way to get rid of this issue is to encrypt the values before sending them and decrypt them on arrival. When placing the parameters in the URL, encrypt them with an encryption key, then use the same key to decrypt those values at the destination end.

Solution

Consider a case where you are passing parameters as http://{YourSharePointSiteURL}/Sites/TestSite/Pages/TestPage.aspx?Location=India&User=SharePointUser. Ideally you should encrypt the two values, India and SharePointUser, before sending them to the other end.

Below is the helper method to encrypt parameters:

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

/// <summary>
/// Encrypts a string with AES so it can be carried in a query string.
/// </summary>
/// <param name="clearText">simple string to encrypt</param>
/// <returns>Base64-encoded ciphertext</returns>
public static string Encrypt(string clearText)
{
    string EncryptionKey = "MAKV2SPBNI99212";
    byte[] clearBytes = Encoding.Unicode.GetBytes(clearText);
    using (Aes encryptor = Aes.Create())
    {
        // Derive the key and IV from the passphrase and a fixed salt (PBKDF2).
        // The destination page must derive them the same way, in the same order.
        Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
        encryptor.Key = pdb.GetBytes(32);
        encryptor.IV = pdb.GetBytes(16);
        using (MemoryStream oMemoryStream = new MemoryStream())
        {
            using (CryptoStream oCryptoStream = new CryptoStream(oMemoryStream, encryptor.CreateEncryptor(), CryptoStreamMode.Write))
            {
                oCryptoStream.Write(clearBytes, 0, clearBytes.Length);
                oCryptoStream.Close();
            }
            // Base64 so the raw ciphertext bytes can travel as text
            clearText = Convert.ToBase64String(oMemoryStream.ToArray());
        }
    }
    return clearText;
}
```
Here is how you call this method:

```csharp
using System.Web;

string Location = "SharepointUserLocation";
string LoggedInUser = "SharepointUser";

string EncryptedLocation = Encrypt(HttpUtility.UrlEncode(Location.Trim()));
string EncryptedLoggedInUser = Encrypt(HttpUtility.UrlEncode(LoggedInUser.Trim()));

// Base64 output can contain '+', '/' and '=', which are not safe in a query
// string, so URL-encode the ciphertext too when building the link.
string Encrypted = string.Format("~/page.aspx?Location={0}&LoggedInUser={1}",
    HttpUtility.UrlEncode(EncryptedLocation), HttpUtility.UrlEncode(EncryptedLoggedInUser));
```
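The post describes decrypting at the destination end but only shows the Encrypt side. The following is an added example, not code from the original post, showing the matching Decrypt method and how the receiving page should read a protected parameter. It assumes the same hard-coded passphrase and salt as the Encrypt helper above; the class name QueryStringProtection and the method TryReadProtectedParameter are names chosen here for illustration.

```csharp
using System;
using System.Collections.Specialized;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class QueryStringProtection
{
    // Assumed to match the values used by Encrypt on the sending page.
    private const string EncryptionKey = "MAKV2SPBNI99212";
    private static readonly byte[] Salt =
        { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 };

    /// <summary>Counterpart of Encrypt: Base64 ciphertext in, clear string out.</summary>
    public static string Decrypt(string cipherText)
    {
        byte[] cipherBytes = Convert.FromBase64String(cipherText);
        using (Aes decryptor = Aes.Create())
        {
            // Same derivation and same call order (32 key bytes, then 16 IV bytes) as Encrypt
            Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey, Salt);
            decryptor.Key = pdb.GetBytes(32);
            decryptor.IV = pdb.GetBytes(16);
            using (MemoryStream ms = new MemoryStream())
            {
                using (CryptoStream cs = new CryptoStream(ms, decryptor.CreateDecryptor(), CryptoStreamMode.Write))
                {
                    cs.Write(cipherBytes, 0, cipherBytes.Length);
                    cs.Close();
                }
                return Encoding.Unicode.GetString(ms.ToArray());
            }
        }
    }

    /// <summary>
    /// Reads one protected query-string parameter on the destination page.
    /// Returns null when the value is missing, is not valid Base64, or does not
    /// decrypt cleanly (for example because it was edited in the address bar).
    /// </summary>
    public static string TryReadProtectedParameter(NameValueCollection queryString, string name)
    {
        // ASP.NET has already URL-decoded the value, so this is the Base64 text.
        string raw = queryString[name];
        if (string.IsNullOrEmpty(raw))
        {
            return null;
        }
        try
        {
            // Encrypt() was applied to a UrlEncoded value, so undo that last.
            return HttpUtility.UrlDecode(Decrypt(raw));
        }
        catch (FormatException)
        {
            return null; // not Base64 at all
        }
        catch (CryptographicException)
        {
            return null; // wrong key, truncated, or modified ciphertext
        }
    }

    // Usage on the destination page, e.g. in Page_Load (Request is the ASP.NET page request):
    //   string location = QueryStringProtection.TryReadProtectedParameter(Request.QueryString, "Location");
    //   if (location == null) { /* reject the request; do not fall back to a default that grants access */ }
}
```

Treat a null result as an invalid request rather than substituting a default value. Note also that a padding error from AES-CBC is not a reliable tamper check: a modified ciphertext can still decrypt without exception to garbage, so if the page's authorization depends on these values, validate the decrypted value against what the server already knows about the logged-in user instead of trusting it outright.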
Happy SharePointing!!!