Error thrown when any character is appended to the advanced search results query string

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
7 years ago
Advanced search results in the public store are passed as a GET request and the query string is displayed in the browser.

Search engine crawlers use this query string and append a forward slash at the end.  This in turn generates an error and is then stored in the log.

Example from demo site:
http://demo.nopcommerce.com/search?q=test1&adv=true&adv=false&cid=0&isc=false&mid=0&pf=&pt=&sid=false/

We discovered this because today we had 946 errors in the log related to this.
This example contains a forward slash, but any character appended at the end will cause the error.  
This happens because "false/" does not convert to a Boolean for the "sid" parameter and will generate this error: The parameter conversion from type 'System.String' to type 'System.Boolean' failed.

We need better input validation for the sid parameter to prevent these errors.
Without the fix, the best case scenario is a nuisance and a lot of garbage in the log; the worst case scenario is a search engine penalty or a security risk.

Another thing we noticed that appears very strange in the query string is: adv=true&adv=false. I'm not sure why we have the 2nd, but opposite, parameter for "adv" but I don't believe it is needed.
7 years ago
Sizzler wrote:
Search engine crawlers use this query string and append a forward slash at the end...

Hmm. Search engines can append a slash to URLs without a query string. But they should not do it for query strings. Otherwise, most URLs will be broken (it's not just about nopCommerce). For example, if we had only one query string indicating a search term (demo), then it would not be possible to distinguish what a user is searching for ("test" or "test/").

Sizzler wrote:
Another thing we noticed that appears very strange in the query string is: adv=true&adv=false. I'm not sure why we have the 2nd, but opposite, parameter for "adv" but I don't believe it is needed.

It's a known "issue" but in ASP.NET (not in nopCommerce). Please see the following forum topic for more info - https://www.nopcommerce.com/boards/t/31257/search-query-string-doubled-parameter.aspx
7 years ago
Thank you for the quick response to the post.

a.m. wrote:
For example, if we had only one query string indicating a search term (demo), then it would not be possible to distinguish what a user is searching for ("test" or "test/")

I think I may not have been clear enough in my first post here.  I was referring only to the query string variables that must be converted to a Boolean.  The string must be "true" or "false", anything else will get a "conversion from type 'System.String' to type 'System.Boolean' failed" error.  If the conversion fails, it should be handled (i.e. using a default value).  In our example it was the "sid" value that failed to convert to a bool, since "false/" will not convert to a bool.

a.m. wrote:
Search engines can append a slash to URLs without a query string. But they should not do it for query strings. Otherwise, most URLs will be broken

I agree they should not be doing it for query strings, but right now I am looking at 900+ error messages being added every day to the error log, so we can't just ignore it.

Here is what all of these error messages have in common, with the "q" param being different, the rest will all be the same:

Customer:  builtin@search_engine_record.com  
URL:  http://[domain name]/filtersearch?q=leer%20truck%20cap%20door%20replacement%20struts&adv=false&cid=0&isc=false&mid=0&pf=&pt=&sid=false/
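
The default-value handling suggested in the post above, as an added C# example that is not part of the thread and is not nopCommerce's code. The `QueryFlags.GetBool` helper and its parameter names are hypothetical, and it assumes the flags arrive in a `NameValueCollection` such as the one `HttpUtility.ParseQueryString` returns.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

// Added example: hypothetical helper, not nopCommerce code.
public static class QueryFlags
{
    // Returns the flag's value, or defaultValue when the parameter is missing
    // or is not "true"/"false" (bool.TryParse ignores case and outer whitespace).
    // Nothing is thrown, so a malformed URL does not become an error-log entry.
    public static bool GetBool(NameValueCollection query, string key,
                               bool defaultValue, out bool wasMalformed)
    {
        wasMalformed = false;
        string[] values = query.GetValues(key);
        if (values == null || values.Length == 0)
            return defaultValue;

        // Repeated values such as adv=true&adv=false: use the first one, which
        // is the checkbox state when an ASP.NET MVC checkbox helper renders a
        // hidden "false" fallback field after the checkbox.
        if (bool.TryParse(values[0], out bool parsed))
            return parsed;

        // Input is not a Boolean (e.g. "false/"). The caller can count these
        // or log them at a low severity instead of raising an error.
        wasMalformed = true;
        return defaultValue;
    }
}

public static class Program
{
    public static void Main()
    {
        // Query string taken from the demo-site URL quoted in the thread.
        NameValueCollection query = HttpUtility.ParseQueryString(
            "q=test1&adv=true&adv=false&cid=0&isc=false&mid=0&pf=&pt=&sid=false/");

        foreach (string key in new[] { "adv", "isc", "sid", "missing" })
        {
            bool value = QueryFlags.GetBool(query, key, false, out bool malformed);
            Console.WriteLine($"{key}: value={value} malformed={malformed}");
        }
    }
}
```

The helper deliberately does not try to repair `false/` into `false`; it treats anything that is not a Boolean as untrusted input and falls back to the default.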
7 years ago
It seems odd that a search engine would know how to use the 'Advanced search' dialog.  Is it possible there is a bug in your faceted search feature?  This might interest you