A typical URL containing a query string is as follows:
When a server receives a request for such a page, it runs a program (if configured to do so), passing the query_string unchanged to the program. The question mark is used as a separator and is not part of the query string.

A link in a web page may have a URL that contains a query string. However, the main use of query strings is to contain the content of an HTML form, also known as a web form. In particular, when a form containing the fields field1, field2, field3 is submitted, the content of the fields is encoded as a query string as follows:
- The query string is composed of a series of field-value pairs.
- Within each pair, the field name and the value are separated by an equals sign, '='.
- The pairs in the series are separated from one another by the ampersand, '&'.
You can use the fields to create arrays of values, in which case the syntax is:
This will create an array, field, with 3 values. You can also add the keys yourself in the square brackets if required.

For each field of the form, the query string contains a pair field=value. Web forms may include fields that are not visible to the user; these fields are included in the query string when the form is submitted.

This 'name then equals sign then value then ampersand' convention is a W3C recommendation. They also provide a further appendix entry that recommends the use of a semicolon instead of an ampersand.

Technically, the form content is only encoded as a query string when the form submission method is GET. The same encoding is used by default when the submission method is POST, but the result is not sent as a query string; that is, it is not added to the action URL of the form. Rather, the string is sent as the body of the request.

Security
A URL query string allows for flexibility in retrieving data from a web server and possibly from the database used to populate pages for that web server. A read-only data store, such as a weather mapping service, is one example where URL query strings can be used with great flexibility.

In some circumstances, a URL query string may expose security issues because it can be edited by a user to retrieve data that they do not have access to. In particular, a URL query string containing a username and password could be used with a dictionary attack to guess at valid login credentials to a particular web site. Most secure web servers use at least MD5 hash checking, or more powerful encoding methods, to validate all given strings.
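One way a server can detect that a user has edited a query string it issued is shown below, as an added example that is not part of the original page. It uses HMAC-SHA256 with a server-side key in place of the MD5 hash checking mentioned above; the names `SECRET_KEY`, `SIG_FIELD`, `sign_query` and `verify_query` and the sample fields are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key (assumption); a real server loads a random secret
# from server-side storage and never sends it to the client.
SECRET_KEY = b"constructed-demo-key"
SIG_FIELD = "sig"  # hypothetical name of the field that carries the tag


def _tag(pairs):
    """HMAC-SHA256 over the re-encoded field-value pairs, in their given order."""
    message = urlencode(pairs).encode("utf-8")
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def sign_query(pairs):
    """Build a query string from (field, value) pairs and append the tag."""
    pairs = list(pairs)
    return urlencode(pairs + [(SIG_FIELD, _tag(pairs))])


def verify_query(query_string):
    """Return the field-value pairs if the tag is valid, otherwise None."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    tags = [v for k, v in pairs if k == SIG_FIELD]
    fields = [(k, v) for k, v in pairs if k != SIG_FIELD]
    if len(tags) != 1:  # tag missing, or supplied more than once
        return None
    # Constant-time comparison; bytes are used so non-ASCII input cannot raise.
    if not hmac.compare_digest(tags[0].encode("utf-8"), _tag(fields).encode("utf-8")):
        return None
    return fields


if __name__ == "__main__":
    # Constructed sample fields, including an array-style field.
    issued = sign_query([("account", "1001"), ("field[]", "a"), ("field[]", "b")])
    print("issued:  ", issued)
    print("intact:  ", verify_query(issued))
    edited = issued.replace("account=1001", "account=1002")
    print("edited:  ", verify_query(edited))  # None: the value was changed
```

The tag only shows that the fields are the ones the server issued. The server still has to check that the requesting user is allowed to see the data the fields refer to.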