Why is Request.QueryString readonly?

11.7k views Asked by At

I thought you couldn't change the QueryString on the server without a redirect.

But this code works* for me:

Request.QueryString edit

I'm so amazed.

So here are my questions regarding this:

  1. Why is Request.QueryString readonly?
  2. Why does this code/hack work*?
  3. How safe is it, if you change to readonly as soon as you are done editing, both regarding bad errors or unexpected behaviour, and regarding maintaining and understanding the code?
  4. Where in the event cycle would it make most sense to do this crazy edit if you are only using PageLoad and OnPageRender?

*More details:

I have a page with items that are grouped into tabs. Each tab is an asp:LinkButton

I want to be able to link directly to a specific tab. I do that with a QueryString parameter 'tab=tabName'. It works. But when I then click a new tab, the querystring is still in the Url, and thus the tab specified in the Querystring gets activated and not the one I clicked.

By using Request.QueryString edit this does not happen. Then my solution 'works'.

Thanks in advance.

2

There are 2 answers

2
Stilgar On BEST ANSWER

Well the QueryString property is readonly because it cannot be changed on a single request. Obviously the browser sends only one request with only one string so only one collection is created. The hack uses reflection (i.e. manipulates the code and the memory) to change stuff that you cannot change normally. This hack breaks the encapsulation and the design of the QueryString property. You should not use it. It makes no sense from design standpoint. Your query DOES NOT change so why change the object that represents it? Only the browser can send new query string so you are basically lying to your own code about what the browser sent.

If you want the tabs to use the URL just use Hyperlinks instead of LinkButton.

0
boolean On

From what I remember reading, this is a security standard that all browsers adhere to. It's main purpose is to stop phishing attacks, where someone could have the website www.MyLameWarcraftPhishingSite.com" and when someone hits the page, rewrite the url to look like www.blizzard.com. The only way to get to that url is to actually redirect to it.

mmm, last post was in Feb 11 - hope its ok to post in this.