Query Strings

Query strings are a handy way of passing data to a page we want to load. They are commonly used to pass the parameters for a search. Consider the following (simplified) URL: http://www.amazon.co.uk/?keywords=kindle

Notice that the URL is followed by a question mark (?), then a named parameter, in this case 'keywords', then an equals sign, and then a value. A query string can contain a number of parameters with values, e.g. http://someurl.com?parameter=abc&anotherParameter=123

Query string parameters are separated by an ampersand (&).

ASP.NET reads these parameters and can use them for processing. Taking the above URL as an example, the following method will extract the value for the keywords parameter.

string searchTerm = Request.QueryString["keywords"]; // null if the URL carries no 'keywords' parameter

We can then do further processing using this value.

It is important to note that the user can modify the value in the query string with ease. For that reason we should not pass sensitive information in the query string, such as transaction values or passwords. We should also be aware that malicious users may modify the query string to cause undesired behaviour on our website, and we should apply appropriate techniques, such as validating every parameter before use, to guard against this.
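As an added example (not code from the original page), the code-behind method below reads the keywords parameter together with an optional page number and applies the checks described above: it handles an absent parameter, bounds the value, parses numbers instead of trusting them, and encodes the value before echoing it back. The page name Search, the ResultsLabel control and the page parameter are assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for an assumed Search.aspx page.
public partial class Search : Page
{
    private const int MaxKeywordLength = 100;

    protected void Page_Load(object sender, EventArgs e)
    {
        // The indexer returns null when the parameter is absent from the URL.
        string keywords = Request.QueryString["keywords"];
        if (string.IsNullOrWhiteSpace(keywords))
        {
            ResultsLabel.Text = "Please enter a search term.";
            return;
        }

        // Do not trust the raw value: trim it and bound its length before use.
        keywords = keywords.Trim();
        if (keywords.Length > MaxKeywordLength)
        {
            keywords = keywords.Substring(0, MaxKeywordLength);
        }

        // Numeric parameters are parsed, not cast, so a tampered value such as
        // ?page=abc or ?page=-5 falls back to a safe default instead of throwing.
        int page;
        if (!int.TryParse(Request.QueryString["page"], out page) || page < 1 || page > 1000)
        {
            page = 1;
        }

        // HTML-encode user input before writing it into the page so that
        // markup placed in the query string is shown as text, not rendered.
        ResultsLabel.Text = "Results for: " + HttpUtility.HtmlEncode(keywords)
                          + " (page " + page + ")";
    }
}
```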