Query String
FormatDefinition
A query string is the part of a URL after the ? character, containing key-value pairs separated by & (e.g., ?page=2&sort=date). Query strings pass parameters to web servers and are commonly used for search filters, pagination, tracking, and API parameters.
Query String Syntax and Rules
The query string starts after the ? character and ends before the # fragment identifier. Key-value pairs use = as the separator and & between pairs: ?name=John&city=New+York&page=2. Keys and values must be URL-encoded: spaces become + in form-encoded data or %20 in percent-encoding, and reserved characters like & = # must be percent-encoded when they appear as literal values. Keys can repeat to represent arrays: ?color=red&color=blue is parsed as an array by most web frameworks. Keys without values (?debug&verbose) are valid and typically evaluate to null or an empty string depending on the parser. The HTTP specification does not guarantee query string key order, but most web frameworks preserve the order they receive. Maximum URL length is browser and server dependent: roughly 2,048 characters in older browsers, up to 32 kilobytes in Chrome, and around 8 kilobytes in many web servers. When query strings would exceed these limits, switch to a POST request with the parameters in the request body instead.
Parsing Query Strings in Code
JavaScript in the browser: const params = new URLSearchParams(window.location.search); params.get('name') returns the first value for that key. Node.js: const url = new URL(req.url, 'http://localhost'); url.searchParams provides the same API. Python: from urllib.parse import parse_qs, urlparse; parsed = parse_qs(urlparse(url).query) returns a dict of arrays. PHP: $_GET['name'] is automatically parsed from the query string. Go: r.URL.Query().Get('name'). Ruby on Rails: params[:name]. Express.js: req.query.name. A notable difference between parsers is that parse_qs in Python always returns arrays for all values, while URLSearchParams.get() in JavaScript returns only the first value for a key. For arrays in query strings, common conventions are: repeated keys (?tags=a&tags=b), bracket notation (?tags[]=a&tags[]=b used by PHP and Rails), or comma-separated values (?tags=a,b) which requires application-level parsing.
Query Strings vs Path Parameters vs Request Body
Query strings are intended for optional, non-identifying parameters: filters, sorting options, pagination controls, and search terms. They appear in browser history, server logs, and Referer headers sent to third-party resources, so they should not carry sensitive data. Path parameters (/users/123) identify a specific resource and are part of the URL's canonical identity. Request bodies in POST or PUT requests are used for sensitive data, large payloads, and state-changing operations. From an SEO perspective, Googlebot crawls and indexes URLs including query strings, but may not crawl every parameter combination. Use canonical link elements or Google Search Console URL parameters settings to prevent duplicate content from parameter variations. REST API convention puts resource identity in the path and optional filtering in the query string: GET /users?sort=name&limit=20&offset=40 is idiomatic. Avoid putting authentication tokens or passwords in query strings; use the Authorization header or POST body instead.
Related Tools
Frequently Asked Questions
Related Terms
Regular Expression
A regular expression (regex) is a sequence of characters defining a search pattern. Regex is used for string matching, validation, extraction, and substitution in virtually all programming languages. Despite complex syntax, regex is an essential tool for text processing.
Cron Expression
A cron expression is a string of 5-6 fields defining a recurring schedule for automated tasks. Cron is the Unix job scheduler; cron expressions are also used in cloud functions, CI/CD pipelines (GitHub Actions), and backend frameworks to schedule periodic jobs.
UUID
A UUID (Universally Unique Identifier) is a 128-bit identifier formatted as 32 hex digits in 5 groups (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx). UUIDs are designed to be unique across all systems without central coordination. UUID v4 is random; UUID v7 is time-sortable.
ULID
ULID (Universally Unique Lexicographically Sortable Identifier) is a 128-bit identifier that combines a 48-bit timestamp with 80 bits of randomness. ULIDs are URL-safe, case-insensitive, and lexicographically sortable, solving UUID v4's random ordering problem for database indexes.