Question

I'm working on an ASP.Net C# application (my first!) that contains an HTTP Handler within it. My application works with several parameters that are passed in via the URL. My question(s) is as follows:

My application's entry point is via the HTTP Handler. When I enter my ProcessRequest method, I am assigning the values of the URL parameters to variables so that I may do something with the data. Question: Is this safe, even if I am not setting the value to anything when I call the URL?

In my example: I call host/handler1.ashx instead of host/handler1.ashx?something=foo

public void ProcessRequest(HttpContext context)
{
    context.Response.ContentType = "text/plain";

    string something = context.Request["something"];

    context.Response.Write("Hello World: " + something);
}

When calling the above method using the plain URL with no parameters, it executes just fine, but the string something is just blank/null.

Additional questions: What happens to the variable something in the case that I do not explicitly initialize it via the URL? I understand that it is null, but can this lead to problems?

Is it dangerous or not safe to call the plain URL (i.e. should I always call it with parameter values specified)?

What is the best way to call a "clean" ashx URL to start the application but not risk problems?

The application will do a series of subsequent GET redirects as it accumulates values and passes them back to the app via the query string. Should I do a POST or GET upon initial call of the application?

Sorry for asking the same question multiple ways, but I'm a bit confused on the topic and this is my first time writing an app like this. Any patience and advice you could provide on how to safely handle and initialize parameters is greatly appreciated!

Solution

There is nothing wrong with omitting parameters to an endpoint. As the developer you are in charge of enforcing what the client is allowed to send to you. If you expect a parameter and it's missing, throw an error (e.g. HttpException).

If you are creating or updating data (i.e. inserting or updating records in a database) the best method would be a POST or PUT.

Edit - Here is an example of how you can handle the input:

public void ProcessRequest(HttpContext context) {
    //Maybe you require a value?
    if (string.IsNullOrEmpty(context.Request["something"])) {
        throw new HttpException(400, "You need to send a value!");
    }

    //Maybe you require a certain value?
    if (context.Request["something"] != "beerIsGood") {
        throw new HttpException(400, "You need to send the right value!");
    }
}
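
A stricter variant of these checks, as an added example that is not part of the original answer: it reads only from the query string (Request["something"] also searches Form, Cookies and ServerVariables), treats a missing parameter as a valid first call, and rejects duplicated or malformed values with a 400. The class name Handler1, the helper TryGetToken and the allowed-character rule are assumptions made for illustration.

```csharp
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;

// Added example; Handler1, TryGetToken and the format rule are assumptions.
public class Handler1 : IHttpHandler
{
    // Assumed rule for illustration: 1-32 ASCII letters, digits, '-' or '_'.
    private static readonly Regex Allowed =
        new Regex(@"\A[A-Za-z0-9_-]{1,32}\z", RegexOptions.CultureInvariant);

    public bool IsReusable { get { return true; } }

    // Returns true when the parameter is absent (value stays null) or present
    // and well-formed; returns false when it is present but unacceptable.
    public static bool TryGetToken(NameValueCollection query, string name, out string value)
    {
        value = null;
        string[] all = query.GetValues(name);        // null when the key is absent
        if (all == null) return true;                // "clean" URL: nothing supplied
        if (all.Length != 1) return false;           // reject ?something=a&something=b
        if (!Allowed.IsMatch(all[0])) return false;  // covers empty and oversized input
        value = all[0];
        return true;
    }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        string something;
        // QueryString only, so a cookie or form field named "something"
        // cannot stand in for the URL parameter.
        if (!TryGetToken(context.Request.QueryString, "something", out something))
        {
            context.Response.StatusCode = 400;
            context.Response.Write("Invalid value for 'something'.");
            return;
        }

        if (something == null)
        {
            // First call without parameters: start with defaults.
            context.Response.Write("Hello World");
            return;
        }

        context.Response.Write("Hello World: " + something);
    }
}
```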

Other tips

You can't. The Internet is dangerous.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow