c# - How do I properly set up a REST API page with ASP.NET WebPages? -

i'm pretty new server-side programming, decided i'd test of out small website , database. far, working asp.net , cshtml has been absolute breeze, i'm getting actual web api part (making pages can get/post $.ajax real-time results) , i'm having little bit of trouble finding adequate resources on internet. lot of information find extremely vague, not right version of asp.net, or not specific question.

here's run-down of website:

i plan use website medium game development. game developed on ugc gaming platform, , i'd able connect website in-game use various features such player ranking, messaging boards, developer blog, , developer inbox. have design of website planned out, i'm starting work on actual server-side code. there's database contains profiles , profile information of people play game.

if wanted to, example, retrieve list of users play game (for leaderboard), i'd send post request /api/pgiprofiledata.cshtml specific headers , it'd give me json list of people play game (depending on specific parameters). problem is, don't entirely know how configure files accept formatted requests.

here's code have far /api/pgiprofiledata.cshtml. i've commented of explain logic there won't confusion.

@using webmatrix.data; @{     if (request.requesttype != "post")     { //require post request type. not sure if there's another/more efficient way this.         response.statuscode = 400; //web.config executes ~/error.cshtml page automatically         return; //prevent further code running     };     //so request type post, have check if both headers aren't null     if (request.headers["robloxuserid"].isempty() && request.headers["pgirole"].isempty()) {         response.statuscode = 400; //both headers null, display error         return;     }     var db = database.open("pgiconnectionstring"); //connecting w/ connectionstring works fine     ienumerable<dynamic> result; //datatype after querying database table     if (!request.headers["robloxuserid"].isempty()) { //if parameter isn't empty         result = db.query("select * userdata robloxuserid=@0", request.headers["robloxuserid"]); //query specific parameter     } else { //otherwise, use other 1         result = db.query("select * userdata pgirole=@0", request.headers["pgirole"]);     };     var data = result.select(x => new { //convert result json array         pgiprofileid = x.pgiprofileid,         robloxuserid = x.robloxuserid,         pgirole = x.pgirole,     }).toarray();      response.contenttype = "application/json; charset=utf-8"; //set content type     json.write(data, response.output); //return } 

the main concern have code security. i'm not entirely sure can capable malicious intent. can't if method i'm using secure http requests valid or not. far i've tested it, it's been fine, i'd have opinion on. thanks!