Do you always use query strings?
  v1.0 Posted at 27/08/2016 3:45 AM by Tiago Araujo

When you build a web application, any dynamic page that a user may wish to bookmark directly should be controlled through query string values rather than form values. In other words, search mechanisms should use an HTTP GET request with query string values, rather than a POST with form values. This allows the user to:

  • Bookmark the pages
  • Change the query string values in the address bar, rather than having to go back to the input form

Figure: The URL should always have all the parameters the user enters. Here Google is a good example

You may hear that query strings are bad and they leave you wide open to SQL Injection Attacks (especially when you use SQL statements in the URL). I don't subscribe to the security issues being the determining factor... if I am determined enough, I can write a little application to send POST data to the webpage instead of in the query string. Both methods are open to SQL injection and invalid parameters, so you need to code to prevent that either way.
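The following Python sketch is an added example, not part of the original rule. It shows one search handler that treats GET query string values and POST form values identically: both are validated, then passed to the database as bound parameters. The `products` table, the `q` and `sort` parameter names and the length limit are assumptions made for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

MAX_TERM_LEN = 50                  # assumed limit for this example
ALLOWED_SORT = {"name", "price"}   # allowlist: column names cannot be bound as parameters


def make_db():
    """Build a small in-memory catalogue (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, price REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("red widget", 4.5), ("blue widget", 3.0), ("gadget", 9.0)])
    return db


def read_params(method, url, body=""):
    """Return search parameters from the query string (GET) or the form body (POST)."""
    raw = urlsplit(url).query if method == "GET" else body
    fields = parse_qs(raw, keep_blank_values=True)
    return {key: values[0] for key, values in fields.items()}


def search(db, params):
    """Validate the parameters, then query with bound values only."""
    term = params.get("q", "")
    sort = params.get("sort", "name")
    if not term or len(term) > MAX_TERM_LEN:
        raise ValueError("invalid search term")
    if sort not in ALLOWED_SORT:
        raise ValueError("invalid sort column")
    # Escape LIKE wildcards so the user's text is matched literally.
    like = "%" + term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%"
    # Only the allowlisted column name is interpolated; the search term is bound.
    sql = f"SELECT name, price FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY {sort}"
    return db.execute(sql, (like,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search(db, read_params("GET", "/search?q=widget&sort=price")))
    print(search(db, read_params("POST", "/search", "q=widget&sort=price")))
```

Because the validation and the bound query sit behind `read_params`, switching a search page from POST to GET changes nothing about how the input is handled.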

The bottom line is that if you are not giving appropriate parameters in the query string then you are reducing functionality.

Note: We all agree bookmarks are useful - it's the same for query strings.

