by mschuster91 4104 days ago
When I pass around any parameters in GET or POST parameters I wrap them in base64. That makes a lot of escaping bugs go away (and adds a bit of "security by obscurity", as well as true security when combining the query with a random number, a sha256 hash of the parameters and a serverside secret).
4 comments

Sounds like some pretty crappy hand rolled security to me. Don't ever think of something as secure unless it actually is a secure protocol. You are wasting your time and your code is probably exploitable.
We're getting pretty far off-topic here, but please note that "a sha256 hash of the parameters and a serverside secret" is insufficient for authentication: http://en.wikipedia.org/wiki/Hash-based_message_authenticati...
Not that this matters to your overall point, but base64 isn't actually a valid format to use in a parameter as a base64 string can legally contain: '+', '/' and '=' which would be interpreted and corrupt the data.

In the .Net world you'll want to use something like HttpServerUtility.UrlTokenEncode()/UrlTokenDecode() since it gives you a base64-like string with '+', '/' and '=' replaced or removed.

You can use base 64 with a URL-safe alphabet, as specified in RFC 4648: http://tools.ietf.org/html/rfc4648#page-7
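As an added example (not code from the thread or from any of its posters), the following Python shows the two points raised above in working form: a standard-alphabet base64 token loses its '+' when it is pasted into a query string and parsed server-side, while the RFC 4648 URL-safe alphabet survives the trip; and the integrity tag over the parameters is an HMAC-SHA256 with a server-side key, the construction the HMAC comment points to, rather than a bare sha256 of parameters plus secret. The payload bytes, the secret and the `p` parameter name are constructed for the example; the standard library calls are real.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed sample values for this example; neither comes from the thread.
SERVER_SECRET = b"constructed-example-secret"
# 10 bytes chosen so the standard alphabet emits '+', '/' and '=' padding.
PAYLOAD = b"id=42;\xfb\xff\xbf\x00"

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_token(raw: bytes, urlsafe: bool) -> str:
    """Standard base64, or the RFC 4648 URL-safe alphabet with '=' padding stripped."""
    if urlsafe:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return base64.b64encode(raw).decode("ascii")


def decode_token(token: str, urlsafe: bool) -> bytes:
    """Inverse of encode_token; raises binascii.Error on characters outside the alphabet."""
    if urlsafe:
        padded = token + "=" * (-len(token) % 4)  # restore the padding we stripped
        # Map '-'/'_' back to '+'/'/' ourselves so validate=True still rejects junk;
        # urlsafe_b64decode would silently discard non-alphabet characters.
        return base64.b64decode(padded.translate(str.maketrans("-_", "+/")), validate=True)
    return base64.b64decode(token, validate=True)


def roundtrip_through_query(raw: bytes, urlsafe: bool) -> bool:
    """Put the token in a query string unescaped, parse it as a server would, decode it.

    A standard-alphabet token contains '+', which parse_qs turns into a space, so the
    decode fails; the URL-safe token uses '-' and '_' instead and comes back intact.
    """
    query = "p=" + encode_token(raw, urlsafe)
    received = parse_qs(query)["p"][0]
    try:
        return decode_token(received, urlsafe) == raw
    except binascii.Error:
        return False


def sign(raw: bytes, secret: bytes) -> str:
    """URL-safe token carrying raw followed by HMAC-SHA256(secret, raw)."""
    tag = hmac.new(secret, raw, hashlib.sha256).digest()
    return encode_token(raw + tag, urlsafe=True)


def verify(token: str, secret: bytes) -> Optional[bytes]:
    """Return the payload if its tag checks out under secret, else None."""
    try:
        data = decode_token(token, urlsafe=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(data) < TAG_LEN:
        return None
    raw, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(secret, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return raw


def as_query_string(raw: bytes, secret: bytes) -> str:
    """Query string to append to a URL; '-' and '_' need no percent-encoding."""
    return urlencode({"p": sign(raw, secret)})


if __name__ == "__main__":
    print(encode_token(PAYLOAD, urlsafe=False))  # aWQ9NDI7+/+/AA==
    print(encode_token(PAYLOAD, urlsafe=True))   # aWQ9NDI7-_-_AA
    print(roundtrip_through_query(PAYLOAD, urlsafe=False))  # False
    print(roundtrip_through_query(PAYLOAD, urlsafe=True))   # True
    print(verify(sign(PAYLOAD, SERVER_SECRET), SERVER_SECRET) == PAYLOAD)  # True
```

The decode side is deliberately strict: padding is restored and `validate=True` is used so that a token damaged in transit fails the decode rather than decoding to something else and then failing only at the tag check. The tag check itself uses `hmac.compare_digest` so that a wrong tag costs the same time whatever its first differing byte.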
I find those URLs massively ugly.