query string, extension of a website’s uniform resource locator (URL) that sends additional information to a database. The information within the parameters is sent in the form of key-value pairs (sometimes referred to as field-value pairs, name-value pairs, or attribute-value pairs). The key is a constant defining a data set (e.g., country). The value is a variable belonging to that set (e.g., Germany).
One example of using a query string is the act of entering key words into a search engine. The key words are used as the values of the query string that a search engine generates to find results. How those parameters are used—or even if they are used—depends on the website that receives the query string. A server may respond by either reading a file from its system or processing the query string according to logic specifically reserved for the requested resource.
A standard query string typically starts after a URL’s first question mark (?). Each key and its corresponding value are separated by an equal sign (=). If there are multiple parameters, an ampersand (&) is placed between each set. The query string ends either with a number sign (#) or at the conclusion of the URL. Such a path with a query string might appear like this: /search?country=germany&city=berlin&language=german.
One key can usually be linked to multiple values. In such cases, the key-value data’s format can be standard (e.g., ?key1=value1&key1=value2) or serialized. In a serialized format, each value is separated from the others by punctuation such as a semicolon (;) or a comma (,). For example, the key “country” might be followed by the required equal sign and then “germany;bahrain;mexico.”
Query strings are not standardized. The traditional symbols are only recommendations of the World Wide Web Consortium (W3C), and the maximum length of query strings varies by Web browser.
Query strings allow websites to track where their visitors come from. For example, an online advertisement for shoes, once clicked, will send a URL to the shoe company’s website, which will bring the visitor to that site. Query strings employed for this purpose are called Urchin Tracking Modules (UTMs). If the online advertisement is on Facebook, the shoe company may append a query string to that URL marking Facebook as the source (e.g., ?source=facebook). The shoe company can thus learn how many of its visitors arrive due to its Facebook ads as opposed to those it posts on other sites.
Query strings can also be used to track where a visitor goes next. When a URL is read by a website, the site can append a unique identifier to the query strings generated by the visitor thereafter. This identifier can be invisibly tracked by the website or a third party.
Query strings present security issues in that key-value pairs sometimes include sensitive information, such as usernames and passwords. One common solution to this vulnerability is the use of unusual or randomly generated sets of characters for key-value pairs. This method does not seal off the data, but it does make it virtually impossible to guess parameters’ valid values. Another option is to place all the data in a JSON Web Token (JWT), which is a base-64 representation of the data protected by a signature. When thus encoded, tampering with the query string’s data is impossible; the parameters are tied together and cannot be altered without being detected. The drawback is that this technique naturally increases the query string’s size.
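The signed-token approach described above, as an added example that is not part of the original article: the parameters are packed into an HS256 JWT built with Python's standard library, carried in a single query parameter, and rejected if altered. The secret, the parameter name `t`, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients
PARAM = "t"                       # assumption: query key that carries the token

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(header, payload):
    return hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()

def sign_params(params):
    """Pack all parameters into one HS256 JWT so they are signed as a unit."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(params, sort_keys=True).encode())
    return f"{header}.{payload}.{b64url(mac(header, payload))}"

def verify_params(token):
    """Return the parameters if the signature is valid, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        # Constant-time comparison; checked before any token content is trusted.
        if not hmac.compare_digest(mac(header, payload), b64url_decode(sig)):
            return None
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, TypeError):
        return None  # malformed token: wrong part count, bad base-64, bad JSON

def build_url(path, params):
    return f"{path}?{urlencode({PARAM: sign_params(params)})}"

def read_url(url):
    tokens = parse_qs(urlsplit(url).query).get(PARAM, [])
    # A repeated key (?t=a&t=b) is ambiguous, so accept exactly one token.
    return verify_params(tokens[0]) if len(tokens) == 1 else None

def peek_payload(token):
    """Needs no key: the payload is only base-64 encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))

if __name__ == "__main__":
    print(build_url("/search", {"country": "germany", "city": "berlin"}))
```

As `peek_payload` shows, the signature detects changes but does not hide the values, so anyone who sees the URL can still read them.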