From Wikipedia, the free encyclopedia - View original article
In the World Wide Web, a query string is the part of a uniform resource locator (URL) containing data that does not fit conveniently into a hierarchical path structure. The query string commonly includes fields added to a base URI by a Web browser or other client application, for example as part of an HTML form.
A web server can handle a Hypertext Transfer Protocol request either by reading a file from its file system based on the URL path or by handling the request using logic that is specific to the type of resource. In the case that special logic is invoked the query string will be available to that logic for use in its processing, along with the path component of the URL.
A typical URL containing a query string is as follows:
When a server receives a request for such a page, it may run a program, passing the
query_string unchanged to the program. The first question mark is used as a separator and is not part of the query string.
A link in a web page may have a URL that contains a query string, while HTML additionally defines three ways a user agent can generate the query string:
ismapattribute on the
<img>element with a
The main use of query strings is to contain the content of an HTML form, also known as web form. In particular, when a form containing the fields
field3 is submitted, the content of the fields is encoded as a query string as follows:
&' (or semicolon, '
;' for URLs embedded in HTML and not generated by a
<form>...</form>; see below).
For each field of the form, the query string contains a pair
field=value. Web forms may include fields that are not visible to the user; these fields are included in the query string when the form is submitted
This convention is a W3C recommendation. W3C recommends that all web servers support semicolon separators in addition to ampersand separators to allow application/x-www-form-urlencoded query strings in URLs within HTML documents without having to entity escape ampersands.
The form content is only encoded in the URI's query string when the form submission method is GET. The same encoding is used by default when the submission method is POST, but the result is submitted as the HTTP request body rather than being included in a modified URL.
Some characters cannot be part of a URL (for example, the space) and some other characters have a special meaning in a URL: for example, the character
# can be used to further specify a subsection (or fragment) of a document. In HTML forms the character
= is used to separate a name from a value. The URI generic syntax uses URL encoding to deal with this problem, while HTML forms make some additional substitutions rather than applying percent encoding for all such characters.
The HTML specifies the following transformation:
+' or "
z), numbers (
9) and the characters '
.' and '
_' are left as-is
%HHhex representation with any non-ASCII characters first encoded as UTF-8 (or other specified encoding)
The octet corresponding to the tilde ("
~") is permitted in query strings by RFC3986 but required to be percent-encoded in HTML forms to "
The encoding of SPACE as '
+' and the selection of "as-is" characters distinguishes this encoding from RFC 3986.
<form action="cgi-bin/test.cgi" method="get"> <input type="text" name="first" /> <input type="text" name="second" /> <input type="submit" /> </form>
and the user inserts the strings “this is a field” and “was it clear (already)?” in the two text fields and presses the submit button, the program
test.cgi will receive the following query string:
A program receiving a query string can ignore part or all of it. If the requested URL corresponds to a file and not to a program, the whole query string is ignored. However, regardless of whether the query string is used or not, the whole URL including it is stored in the server log files.
These facts allow query strings to be used to track users in a manner similar to that provided by HTTP cookies. For this to work, every time the user downloads a page, a unique identifier must be chosen and added as a query string to the URLs of all links the page contains. As soon as the user follows one of these links, the corresponding URL is requested to the server. This way, the download of this page is linked with the previous one.
For example, when a web page containing the following is requested:
<a href="foo.html">see my page!</a> <a href="bar.html">mine is better</a>
a unique string, such as
e0a72cb2a2c7 is chosen, and the page is modified as follows:
<a href="foo.html?e0a72cb2a2c7">see my page!</a> <a href="bar.html?e0a72cb2a2c7">mine is better</a>
The addition of the query string does not change the way the page is shown to the user. When the user follows, for example, the first link, the browser requests the page
foo.html?e0a72cb2a2c7 to the server, which ignores what follows
? and sends the page
foo.html as expected, adding the query string to its links as well.
This way, any subsequent page request from this user will carry the same query string
e0a72cb2a2c7, making it possible to establish that all these pages have been viewed by the same user. Query strings are often used in association with web beacons.
The main differences between query strings used for tracking and HTTP cookies are that:
According to the HTTP specification:
Various ad hoc limitations on request-line length are found in practice. It is RECOMMENDED that all HTTP senders and recipients support, at a minimum, request-line lengths of 8000 octets.
If the URL is too long, the web server fails with the 414 Request-URI Too Long HTTP status code.
The common workaround for these problems is to use POST instead of GET and store the parameters in the request body. The length limits on request bodies are typically much higher than those on URL length. For example, the limit on POST size, by default, is 2 MB on IIS 4.0 and 128 KB on IIS 5.0. The limit is configurable on Apache2 using the
LimitRequestBody directive, which specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2 GB) that are allowed in a request body.