Gil Fink, Microsoft MVP, is an expert in Web development and Microsoft data platform. He works as a senior architect at Sela Group. He is currently consulting for various enterprises and companies, where he architects and develops Web and RIA-based solutions. He conducts lectures and workshops for developers and enterprises who want to specialize in infrastructure and Web development. He is also a co-author of several Microsoft Official Courses and training kits. You can read his publications at his blog: Gil is a DZone MVB and is not an employee of DZone and has posted 151 posts at DZone. You can read more from them at their website. View Full User Profile

ASP.NET - Query Strings - Client Side State Management

  • submit to reddit

Continuing the tour in the ASP.NET client side state management our current stop is the query string technique. You can read my previous posts in the state management subject in the following links:

What are Query Strings?

Query strings are data that is appended to the end of a page URL. They are commonly used to hold data like page numbers or search terms or other data that isn't confidential. Unlike ViewState and hidden fields, the
user can see the values which the query string holds without using special operations like View Source.
An example of a query string can look like;b=2. Query strings are included in bookmarks and in URLs that you pass in an e-mail. They are the only way to save a page state when copying and pasting a URL.

The Query String Structure

As written earlier, query strings are appended to the end of a URL. First a question mark is appended to the URL's end and then every parameter that we want to hold in the query string. The parameters declare the parameter name followed by = symbol which followed by the data to hold. Every parameter is separated with the ampersand symbol.
You should always use the HttpUtility.UrlEncode method on the data itself before appending it.

Query String Limitations

You can use query string technique when passing from one page to another but that is all. If the first page need to pass non secure data to the other page it can build a URL with a query string and then redirect. You should always keep in mind that a query string isn't secure and therefore always validate the data you received. There are a few browser limitation when using query strings. For example, there are browsers that impose a length limitation
on the query string. Another limitation is that query strings are passed only in HTTP GET command.

How To Use Query Strings

When you need to use a query string data you do it in the following way:

string queryStringData = Request.QueryString["data"];

In the example I extract a data query string. The structure of the URL can look like url?data=somthing. After getting to data parameter  value you should validate it in order not to enable security breaches. The next example is a code to help inject a query string into a URL:

public string BuildQueryString(string url, NameValueCollection parameters)
StringBuilder sb = new StringBuilder(url);
IEnumerator enumerator = parameters.GetEnumerator();

while (enumerator.MoveNext())
// get the current query parameter
string key = enumerator.Current.ToString();

// insert the parameter into the url
sb.Append(string.Format("{0}={1}&", key, HttpUtility.UrlEncode(parameters[key])));


// remove the last ampersand
sb.Remove(sb.Length - 1, 1);
return sb.ToString();


To sum up the post, query string is another ASP.NET client side state management technique. It is most helpful for page number state or search terms. The technique isn't secured so avoid using it with confidential data. In the next post in this series I'll explain the how to use cookies.

Published at DZone with permission of Gil Fink, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)


Ajya Chang replied on Mon, 2012/02/20 - 6:28am



Thanks for providing such valuable information on query stirngs. It will help a lo to the beginners. As lot of basics are covered here. Here can you give more information on how to secure our querystring parameters. Some thing like encrypting the URL.


I will look forward to listen from you on this. Once againg thanks.

Carla Brian replied on Fri, 2012/03/30 - 5:48pm

It is easy to use and No extra effort is needed to code. But all the attributes and values are visible to the end user. Therefore, they are not secure. - Instant Tax Solutions Scam

Gym Prathap replied on Wed, 2013/07/17 - 6:16am

To get all the query string key value pairs, you can use the below method

public NameValueCollection QueryString { get; }

ASP.NET Training in Chennai 

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.