Query string

In the World Wide Web, a query string is the part of a URL that contains data to be passed to web applications such as CGI programs.

When a web page is requested via the Hypertext Transfer Protocol, the server locates a file in its file system based on the requested URL. This file may be a regular file or a program. In the second case, the server may (depending on its configuration) run the program, sending its output as the required page. The query string is a part of the URL which is passed to the program. Its use permits data to be passed from the HTTP client (often a browser) to the program which generates the web page.

tructure

A typical URL containing a query string is as follows:

:http://server/path/program?query_string

When a server receives a request for such a page, it runs a program (if configured to do so), passing the query_string unchanged to the program. The question mark is used as a separator and is not part of the query string.

A link in a web page may have a URL that contains a query string. However, the main use of query strings is to contain the content of an HTML form, also known as web form. In particular, when a form containing the fields field1, field2, field3 is submitted, the content of the fields is encoded as a query string as follows:

:field1=value1&field2=value2&field3=value3...

* The query string is composed of a series of field-value pairs.
* The field-value pairs are each separated by an equal sign.
* The series of pairs is separated by the ampersand, '&'.
* You can use the fields to create arrays of values. In which case the syntax is:

:field [] =value1&field [] =value2&field [] =value3...

This will create an array, field with 3 values. You can also add the keys yourself in the square brackets if required.

For each field of the form, the query string contains a pair field=value. Web forms may include fields that are not visible to the user; these fields are included in the query string when the form is submitted.

This 'name then equal sign then value then ampersand' convention is a W3C recommendation [http://www.w3.org/TR/REC-html40/interact/forms.html#form-content-type] . They also provide a further appendix entry [http://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2] that recommends the use of a semicolon instead of an ampersand.

Technically, the form content is only encoded as a query string when the form submission method is GET. The same encoding is used by default when the submission method is POST, but the result is not sent as a query string, that is, is not added to the action URL of the form. Rather, the string is sent as the body of the request.

URL encoding

Some characters cannot be part of a URL (for example, the space) and some other characters have a special meaning in a URL: for example, the character # is used to locate a point within a page; the character = is used to separate a name from a value. A query string may need to be converted to satisfy these constraints. This can be done using a schema known as URL encoding.

In particular, encoding the query string uses the following rules:
* Letters (A-Z and a-z), numbers (0-9) and the characters '.', '-', '~' and '_' are left as-is
* SPACE is encoded as '+'
* All other characters are encoded as %FF hex representation with any non-ASCII characters first encoded as UTF-8 (or other specified encoding)

The encoding of SPACE as '+' and the selection of "as-is" characters distinguishes this encoding from RFC 1738.

RFC

As defined in RFC 1738, a URL of scheme http can contain a "searchpart" following the rest of the URL and separated from it by a ? character. RFC 3986 specifies that the "query component" of an URI is the part between the ? and the end of the URI or the character #. The term "query string" is of common usage for referring to this part for the case of HTTP URLs.

Example

If a form is embedded in an HTML page as follows:

and the user inserts the strings “this is a field” and “was it clear (already)?” in the two text fields and presses the submit button, the program test.cgi will receive the following query string: first=this+is+a+field&second=was+it+clear+%28already%29%3F

If the form is processed on the server by a CGI script, the script may typically receive the query string as an environment variable named QUERY_STRING.

Tracking

A program receiving a query string can ignore part or all of it. If the requested URL corresponds to a file and not to a program, the whole query string is ignored. However, regardless of whether the query string is used or not, the whole URL including it is stored in the server log files.

These facts allow query strings to be used to track users in a manner similar to that provided by HTTP cookies. For this to work, every time the user downloads a page, a unique identifier is chosen and added as a query string to the URLs of all links the page contains. As soon as the user follows one of these links, the corresponding URL is requested to the server. This way, the download of this page is linked with the previous one.

For example, when a web page containing the following is requested: see my page! mine is better

a unique string, such as sdfsd23423 is chosen, and the page is modified as follows: see my page! mine is better

The addition of the query string does not change the way the page is shown to the user. When the user follows, for example, the first link, the browser requests the page frank.html?sdfsd23423 to the server, which ignores what follows ? and sends the page frank.html as expected, adding the query string to its links as well.

This way, any subsequent page request from this user will carry the same query string sdfsd23423, making it possible to establish that all these pages have been viewed by the same user. Query strings are often used in association with web beacons.

The main differences between query strings used for tracking and HTTP cookies are that:
# Query strings form part of the URL, and are therefore included if the user saves or sends the URL to another user; cookies can be maintained across browsing sessions, but are not saved or sent with the URL.
# If the user arrives at the same web server by two (or more) independent paths, it will be assigned two different query strings, while the stored cookies are the same.

Flexibility vs. Security

A URL query string allows for flexibility in retrieving data from a web server and possibly from the database used to populate pages for that web server. A read only data store, such as a weather mapping service, is one example where URL query strings can be used with great flexibility.

In some circumstances, a URL query string may expose security issues because it can be edited by a user to retrieve data that they do not have access to. In particular, a URL query string containing a username and password could be used with a dictionary attack to guess at valid login credentials to a particular web site. Most secure webservers use at least MD5 hash checking, or more powerful encoding methods to validate all given strings.

ee also

* URI scheme
* HyperText Transfer Protocol
* Common Gateway Interface
* HTTP cookie
* Web beacon

External links

* RFC 1738
* RFC 3986