Requirement
Use an HTML template to send an email. The email contains a link; clicking the link opens the browser and completes the corresponding function.
Analysis
The link takes the form of a URL followed by a query string, such as http://www.******.com?id=123456&name=Nicolas.
Problem
The string following the question mark is plain text: it cannot carry sensitive data, and it is easy to tamper with.
Solution
Encrypt the string following the question mark and decrypt it when necessary.
Sending email from an HTML template was covered in the previous post, "Asp.net uses an HTML template to send emails".
Encryption and decryption module
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class Decryption
{
    // Fixed DES key and IV shared by the sender and the receiving page.
    // DES is a legacy 56-bit block cipher; the key here is hard-coded in the post.
    private static byte[] Key = { 0x21, 0x43, 0x65, 0x87, 0x09, 0xBA, 0xDC, 0xFE };
    private static byte[] IV = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };

    /// <summary>
    /// Encryption: DES-CBC over the UTF-8 bytes, returned as Base64
    /// </summary>
    /// <param name="input">plain text to encrypt</param>
    /// <returns>Base64 cipher text, or "" on error</returns>
    public static string Encrypt(string input)
    {
        try
        {
            DESCryptoServiceProvider des = new DESCryptoServiceProvider();
            byte[] inputByteArray = Encoding.UTF8.GetBytes(input);
            MemoryStream ms = new MemoryStream();
            CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(Key, IV), CryptoStreamMode.Write);
            cs.Write(inputByteArray, 0, inputByteArray.Length);
            cs.FlushFinalBlock();
            return Convert.ToBase64String(ms.ToArray());
        }
        catch (Exception)
        {
            return "";
        }
    }

    /// <summary>
    /// Decryption: Base64 in, UTF-8 plain text out
    /// </summary>
    /// <param name="input">Base64 cipher text taken from the query string</param>
    /// <returns>plain text, or "" on error or empty input</returns>
    public static string Decrypt(string input)
    {
        if (string.IsNullOrEmpty(input))
        {
            return "";
        }
        // A '+' in the Base64 text arrives as a space after URL decoding; put it back.
        input = input.Replace(" ", "+");
        try
        {
            DESCryptoServiceProvider des = new DESCryptoServiceProvider();
            byte[] inputByteArray = Convert.FromBase64String(input);
            MemoryStream ms = new MemoryStream();
            CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(Key, IV), CryptoStreamMode.Write);
            cs.Write(inputByteArray, 0, inputByteArray.Length);
            cs.FlushFinalBlock();
            return Encoding.UTF8.GetString(ms.ToArray());
        }
        catch (Exception)
        {
            return "";
        }
    }
}
Note that before decrypting, any space in the received string must be replaced with a plus sign.
Encryption
/// <summary>
/// Build the link string that replaces the placeholder in the email
/// </summary>
/// <returns>an anchor tag whose query string is the encrypted "username,s_key"</returns>
public static string GetEmailStr(string url, string username, string s_key)
{
    // s_key is a randomly generated string
    string str = username + "," + s_key;
    return "<a href=\"" + url + "?" + Decryption.Encrypt(str) + "\"></a>";
}
For security, the s_key string is added: it is a random string that is saved to the database in advance.
Decryption
string param;
try
{
    param = Request.Url.Query;
    param = param.Substring(1, param.Length - 1);   // drop the leading '?'
}
catch (Exception)
{
    Response.Write("<script>alert(\"error\")</script>");
    return;
}
// decrypt; the plain text is "username,s_key"
param = Decryption.Decrypt(param);
string[] str = param.Split(',');   // separate the two fields
if (str.Length == 2)
{
    string username = str[0];
    string s_key = str[1];
    // check whether either value contains invalid characters
    if (Common.RegxUrl(username) && Common.RegxUrl(s_key))
    {
        // the database verifies that username and s_key correspond
        if (Common.ValidateKey(username, s_key))
        {
            // do something
        }
    }
}
Request.Url.Query returns the question mark together with the string following it, so the question mark must be removed before decryption. Do not forget to check that the obtained parameters contain no invalid characters before performing any database operation, to prevent SQL injection. Some time ago, many SQL injection vulnerabilities were reported on the train ticket website 12306.
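The receiving-side checks described above, as an added example that is not part of the original post: the link carries "username,s_key" after the question mark, and the page strips the "?", decodes, splits on the comma, rejects invalid characters, and looks the pair up in its store. Because standard Python has no DES, the post's DES step is replaced here by an HMAC-SHA256 tag (so the username stays readable but any change to the token is detected), and base64url is used so no "+" is turned into a space in transit; SERVER_KEY, ISSUED_KEYS, SAFE and the helper names are constructed for this example.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed sample values for this example; in a real deployment the key
# comes from configuration and the issued pairs live in the database.
SERVER_KEY = b"example-server-secret-not-for-production"
ISSUED_KEYS = {}                      # stands in for the post's (username, s_key) table
TAG_LEN = 32                          # HMAC-SHA256 output length
SAFE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")   # stands in for Common.RegxUrl


def issue_link(url, username):
    """Build the mail link: base64url("username,s_key" + HMAC(body)) after the '?'."""
    s_key = secrets.token_hex(16)     # random per-user secret, saved before the mail goes out
    ISSUED_KEYS[username] = s_key
    body = f"{username},{s_key}".encode("utf-8")
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    # base64url has no '+' or '/', so nothing turns into a space on the way back
    token = base64.urlsafe_b64encode(body + tag).decode("ascii")
    return f'<a href="{url}?{token}"></a>'


def validate_query(raw_query):
    """Receive side, mirroring the post: strip '?', decode, split, character-check, lookup.
    Returns the username for a genuine link and None for anything else."""
    if not raw_query.startswith("?"):
        return None
    try:
        blob = base64.urlsafe_b64decode(raw_query[1:])
    except ValueError:                # binascii.Error is a ValueError
        return None
    if len(blob) <= TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                   # altered or forged token: stop before touching the database
    parts = body.decode("utf-8", errors="replace").split(",")
    if len(parts) != 2:
        return None
    username, s_key = parts
    if not (SAFE.match(username) and SAFE.match(s_key)):
        return None                   # invalid characters never reach a SQL query
    if ISSUED_KEYS.get(username) != s_key:
        return None                   # the post's Common.ValidateKey step
    return username
```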
The end