
Fort Worth .NET Users Group

Dot Net Tricks

Missing Query String Parameters and What To Do About Them

When you're writing code in an ASP.NET page (or any other type of page) you often come across situations where you need to know what to do should the user tamper with the query string parameters.

I won't go into security issues here like SQL injection attacks or how you shouldn't pass credit card numbers on the query string--I'm assuming that you have that covered.  I'm talking about a much more controversial subject: what to do if a query string parameter IS JUST PLAIN MISSING.  For example, say you are expecting a URL like the following:

http://localhost/ViewArticle.aspx?articleID=347


but you only get this:

http://localhost/ViewArticle.aspx


Some developers advocate showing a friendly message.  Others think you should redirect back to a listing page, which in this case, would be something like /ListAllArticles.aspx.  Some suggest swallowing any exception that might arise.

I say go ahead and THROW THE ERROR.  I know that sounds counter-intuitive, but hear me out.  If you have a high traffic site, inevitably you will get some small minority of users, probably geeks like us, who will tamper with the address bar and attempt to put weird things in the query string.  And you should definitely check to make sure they aren't putting in anything that would corrupt data or compromise security.  But chances are, most users are just going to click the links and leave it at that.  So if you're missing a parameter, it's probably because YOU the developer did something wrong, and YOU need to know about it.

What I do instead is set up site-wide error handling, usually with ELMAH (which Andrew wrote about here).  Then if I get an error, I get emailed.  This way, I know if one of my pages is linked incorrectly and is missing that query string parameter.  Then I can fix it.  If I just ignore missing parameters, I won't realize my users aren't seeing the right content.

Case in point, I kept getting errors on a production website because the page that was used to display an image gallery was missing the "GalleryID" parameter.  I kept getting error after error nagging me.  I finally looked into it, and it was because I had configured IIS to redirect an older domain to the site's new domain.  The problem was Google and other search engines had already indexed using the old domain and they were pointing to particular image galleries with URLs like this:

http://www.OldDomain.com/View-Gallery.aspx?galleryID=234

However, when I got the email, it showed the query string parameters WERE COMPLETELY GONE.  I looked at the referrer and saw that they were coming from Google, Yahoo, etc.  With a little help from Fiddler (an HTTP listener) I found out that the way I was redirecting the traffic in IIS was actually removing the query string parameters entirely, so the users were getting redirected to a URL like this:

http://www.newdomain.com/View-Gallery.aspx

No parameters.  There's an easy fix in IIS.  Check out Permanent Redirects with Query String.

(Incidentally, a "Permanent 301 Redirect" lets Google rank you higher than if you simply point all domains to the same website.)

If my site had not been logging error messages when the query string parameters were missing, I would never have known my users were being redirected to the wrong place.  

So don't hide errors due to missing query string parameters.  This is almost like swallowing exceptions in my book.  Your page is like an object or method (in ASP.NET, pages ARE objects!), so if it's missing required parameters, it should throw an error.
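One way to make a page throw on a missing parameter, as an added example that is not code from the original post: the hypothetical `RequiredQuery.Int` helper takes the `NameValueCollection` type that `Request.QueryString` exposes, so the constructed `Main` below runs without a web server. The exception types and message format are assumptions.

```csharp
using System;
using System.Collections.Specialized;
using System.Globalization;

// Hypothetical helper, not from the original post.
public static class RequiredQuery
{
    // Returns the named parameter as a non-negative int, or throws so that
    // site-wide error handling (ELMAH in the post) records the broken link.
    public static int Int(NameValueCollection query, string name,
                          string url, string referrer)
    {
        string raw = query[name]; // null when the parameter is absent
        string context = string.Format("Url: {0}. Referrer: {1}.",
                                       url, referrer ?? "(none)");
        if (string.IsNullOrEmpty(raw))
            throw new ArgumentException(
                "Missing required query string parameter '" + name + "'. " + context);

        int value;
        // NumberStyles.None accepts digits only: no sign, whitespace or
        // separators. A repeated parameter arrives as "1,2" and is rejected too.
        if (!int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out value))
            throw new FormatException(
                "Query string parameter '" + name + "' is not a whole number. " + context);
        return value;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed inputs standing in for Request.QueryString.
        var good = new NameValueCollection { { "articleID", "347" } };
        var stripped = new NameValueCollection(); // what a redirect that drops the query string leaves
        var tampered = new NameValueCollection { { "articleID", "abc" } };

        Console.WriteLine(RequiredQuery.Int(good, "articleID", "/ViewArticle.aspx?articleID=347", null));
        foreach (var q in new[] { stripped, tampered })
        {
            try { RequiredQuery.Int(q, "articleID", "/ViewArticle.aspx", "http://search.example/"); }
            catch (Exception ex) { Console.WriteLine(ex.GetType().Name + ": " + ex.Message); }
        }
    }
}
```

In a page, the call would pass `Request.QueryString`, `Request.RawUrl` and the string form of `Request.UrlReferrer` (null when the header is absent), with the exception left unhandled so the site-wide handler sees it.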

Read the complete post at http://dotnettricks.com/blogs/craigbowesblog/archive/2007/12/06/697.aspx

Copyright FWDNUG 2008