Secret ingredients to quality software

Do you always use query strings?

Last updated by Tiago Araujo on 26 Aug 2016 05:45 pm (almost 5 years ago) See History

When you build a web application, any dynamic page you think a user may wish to bookmark directly should be controlled through query string values rather than form values. In other words, search mechanisms should use the HTTP GET Request and Querystring values, rather than a POST with Form values. This allows:

  • Bookmarking of the pages
  • Gives the user to the ability to change the query string values in the address bar, rather than having to go back to the input form.

Figure: The URL should always have all the parameters the user enters. Here Google is a good example

You may hear that query strings are bad and they leave you wide open to SQL Injection Attacks (especially when you use SQL statements in the URL). I don't subscribe to the security issues being the determining factor... if I am determined enough, I can write a little application to send POST data to the webpage instead of in the query string. Both methods are open to SQL injection and invalid parameters, so you need to code to prevent that either way.

The bottom line is that if you are not giving appropriate parameters in the query string then you are reducing functionality.

Note: We all agree bookmarks are useful - it's the same for query strings.

Adam CoganAdam Cogan

We open source. This page is on GitHub