Share via


How to: Retrieve Query String Information in a ClickOnce Application

The query string is the portion of a URL beginning with a question mark (?) that contains arbitrary information in the form name=value. Suppose you have a ClickOnce application named WindowsApp1 that you host on servername, and you want to pass in a value for the variable username when the application launches. Your URL might look like this:

https://servername/WindowsApp1.application?username=joeuser

The following two procedures show how to use a ClickOnce application to obtain query string information.

The first procedure shows how to configure your ClickOnce application using MageUI.exe so that it can accept query string parameters.

NoteNote

See the "Security" section later in this topic before you make a decision to enable this feature.

The next procedure shows how your ClickOnce application can use a small piece of code to read these values the first time the application launches.

For information about how to create a ClickOnce deployment using Mage.exe or MageUI.exe, see Walkthrough: Deploying a ClickOnce Application Manually.

NoteNote

It is not possible to pass command-line arguments to a ClickOnce application. If you want to supply arguments to the application, you must deploy it over the Web and supply query string parameters in the URL.

To enable query string passing in a ClickOnce application with MageUI.exe

  1. Open the .NET Command Prompt and type:

    MageUI
    
  2. From the File menu, select Open, and open the deployment manifest for your ClickOnce application, which is the file ending in the .application extension.

  3. Select the Deployment Options panel in the left-hand navigation window, and select the check box labeled Allow URL parameters to be passed to application.

  4. From the File menu, select Save.

To obtain query string information from a ClickOnce application

  1. Place the following code somewhere in your project:

    Private Function GetQueryStringParameters() As NameValueCollection
        Dim NameValueTable As New NameValueCollection()
    
        If (ApplicationDeployment.IsNetworkDeployed) Then
            Dim QueryString As String = ApplicationDeployment.CurrentDeployment.ActivationUri.Query
            NameValueTable = HttpUtility.ParseQueryString(QueryString)
        End If
    
        GetQueryStringParameters = NameValueTable
    End Function
    
    private NameValueCollection GetQueryStringParameters()
    {
        NameValueCollection nameValueTable = new NameValueCollection();
    
        if (ApplicationDeployment.IsNetworkDeployed)
        {
            string queryString = ApplicationDeployment.CurrentDeployment.ActivationUri.Query;
            nameValueTable = HttpUtility.ParseQueryString(queryString);
        }
    
        return (nameValueTable);
    }
    
  2. Call the function defined previously to retrieve a Dictionary of the query string parameters, indexed by name.

Robust Programming

When you use query string parameters, you must give careful consideration to how your application is installed and activated. If your application is configured to install on the user's computer from the Web or from a network share, it is likely that the user will activate the application only once through the URL. After that, the user will usually activate your application using the shortcut in the Start menu. As a result, your application is guaranteed to receive query string arguments only once during its lifetime. If you choose to store these arguments on the user's machine for future use, you are responsible for storing them in a safe and secure manner.

If your application is online only, it will always be activated through a URL. Even in this case, however, your application must be written to function properly if the query string parameters are missing or corrupted.

Security

Allow passing URL parameters to your ClickOnce application only if you plan to cleanse the input of any malicious characters before using it. A string embedded with quotes, slashes, or semicolons, for example, might perform arbitrary data operations if used unfiltered in a SQL query against a database. For more information on query string security, see Script Exploits Overview.

See Also

Concepts

ClickOnce Deployment and Security