Tags: c#, asp.net-mvc, search, query-string, querystringparameter

Is there any way to hide a query string from showing in search and filter using ASP.NET MVC?


I implemented a basic sorting and filtration with sorting.

The Index code in the controller:

    using System;
    using System.Linq;
    using System.Web.Mvc;
    using PagedList;                     // provides ToPagedList()

    // Controller and EF context names as in the Contoso University sample
    public class StudentController : Controller
    {
        private SchoolContext db = new SchoolContext();

        public ViewResult Index(string sortOrder, string currentFilter, string searchString, int? page)
        {
            ViewBag.CurrentSort = sortOrder;
            ViewBag.NameSortParm = String.IsNullOrEmpty(sortOrder) ? "name_desc" : "";
            ViewBag.DateSortParm = sortOrder == "Date" ? "date_desc" : "Date";

            // A new search resets paging; otherwise keep the filter carried
            // over from the previous request
            if (searchString != null)
            {
                page = 1;
            }
            else
            {
                searchString = currentFilter;
            }

            ViewBag.CurrentFilter = searchString;

            var students = from s in db.Students
                           select s;
            if (!String.IsNullOrEmpty(searchString))
            {
                students = students.Where(s => s.LastName.Contains(searchString)
                                       || s.FirstMidName.Contains(searchString));
            }
            switch (sortOrder)
            {
                case "name_desc":
                    students = students.OrderByDescending(s => s.LastName);
                    break;
                case "Date":
                    students = students.OrderBy(s => s.EnrollmentDate);
                    break;
                case "date_desc":
                    students = students.OrderByDescending(s => s.EnrollmentDate);
                    break;
                default:  // Name ascending
                    students = students.OrderBy(s => s.LastName);
                    break;
            }

            int pageSize = 3;
            int pageNumber = (page ?? 1);
            return View(students.ToPagedList(pageNumber, pageSize));
        }
    }

The code worked well. [screenshots not reproduced]

What I'm asking about is: is there any way to implement the same code without showing the query parameter to the end user, as shown in the images?

Is it possible to hide this parameter using something like a view model / form collection, or using a route-based approach, and are there any security issues related to this way of working with the query string or not? Note that this example is just a demo of what I want to do, using Contoso University (Microsoft demo); in this context I certainly don't need to hide the query string, but in another context (using ADO.NET stored procedures) it can show some of the database architecture.


Solution

1. Not every query string causes security breaches. You have to define what the sensitive data are which should not be shown in the query string.
2. If you want to hide it you need to use "POST" instead of "GET". However, with packet sniffing tools like Fiddler or browsers' debugging tools, the query parameters are still discoverable.
3. Beware of SQL injection if you simply construct SQL statements in code. For example, someone might pass "; drop table xx;" as a query string.
4. A query string can be encrypted - https://www.aspsnippets.com/Articles/Encrypt-and-Decrypt-QueryString-Parameter-Values-in-ASPNet-using-C-and-VBNet.aspx
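An added example (not the asker's code, the answerer's code, or the Contoso University sample) combining points 2 and 3 above: the search term is posted in the form body rather than the query string, and the ADO.NET stored-procedure call the asker mentions binds it as a typed parameter. The connection string name `SchoolContext` and the procedure `dbo.SearchStudents` (one `@Search` parameter, returning last names) are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

// "SchoolContext" (connection string name) and "dbo.SearchStudents"
// (stored procedure with one @Search parameter) are assumed names.
public class StudentsController : Controller
{
    private readonly string _connectionString =
        ConfigurationManager.ConnectionStrings["SchoolContext"].ConnectionString;

    // GET /Students: renders the page with no filter in the URL.
    public ActionResult Index()
    {
        return View(SearchStudents(null));
    }

    // POST /Students: the filter travels in the request body, so it is not
    // in the address bar or URL logs. It is still readable in browser dev
    // tools or by any proxy, so this is not a secrecy mechanism.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(string searchString)
    {
        return View(SearchStudents(searchString));
    }
    // Never build the statement as "... LIKE '%" + searchString + "%'":
    // the value would become SQL text. Here it is bound as a typed
    // parameter and only ever treated as data.
    private List<string> SearchStudents(string searchString)
    {
        var names = new List<string>();
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("dbo.SearchStudents", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Search", SqlDbType.NVarChar, 50).Value =
                (object)searchString ?? DBNull.Value;   // DBNull = no filter
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }
}
```

The view's search form must use `method="post"` and include `@Html.AntiForgeryToken()` for the `[ValidateAntiForgeryToken]` check to pass.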