The QueryString collection retrieves the values of the variables in the HTTP query string. The HTTP query string is specified by the values following the question mark (?). Several different processes can generate a query string. For example, the following anchor tag generates a variable named string with the value "this is a sample."
<A HREF="example.asp?string=this is a sample">string sample</A>
Query strings are also generated by sending a form or by a user typing a query into the address box of the browser.
Query strings are contained in request headers. It is wise to not trust the data that is contained in headers, as this information can be falsified by malicious users. For example, do not rely on data such as cookies to securely identify a user.
As a security precaution, always encode header data or user input before using it. A general method of encoding data is to use Server.HTMLEncode. Alternatively, you can validate header data and user input with a short function such as the one described in Validating User Input to Avoid Attacks. For more detailed information about developing secure Web applications, see chapter 12 of MS Press - Writing Secure Code.
The QueryString collection is a parsed version of the QUERY_STRING variable in the ServerVariables collection. It enables you to retrieve the QUERY_STRING variable by name. The value of Request.QueryString(parameter) is an array of all of the values of parameter that occur in QUERY_STRING. You can determine the number of values of a parameter by calling Request.QueryString(parameter).Count. If a variable does not have multiple data sets associated with it, the count is 1. If the variable is not found, the count is 0.
To reference a QueryString variable in one of multiple data sets, you specify a value for index. The index parameter can be any value between 1 and Request.QueryString(variable).Count. If you reference one of multiple QueryString variables without specifying a value for index, the data is returned as a comma-delimited string.
When you use parameters with Request.QueryString, the server parses the parameters sent to the request and returns the specified data. If your application requires unparsed QueryString data, you can retrieve it by calling Request.QueryString without any parameters.
You can use an iterator to loop through all the data values in a query string. For example, if the following request is sent:
And Names.asp contained the following script:
--- Names.asp ---
<%
' Each item is one value of Q; encode it before writing it into the page.
For Each item In Request.QueryString("Q")
  Response.Write Server.HTMLEncode(item) & "<BR>"
Next
%>
Names.asp would display the following:
The preceding script could also have been written using Count, as shown in the following code sample.
<%
' The index runs from 1 to Count; encode each value before writing it.
For i = 1 To Request.QueryString("Q").Count
  Response.Write Server.HTMLEncode(Request.QueryString("Q")(i)) & "<BR>"
Next
%>
The following client request:
Results in the following QUERY_STRING value:
The QueryString collection would then contain two members, name and age. You can then use the following script:
Welcome, <%= Server.HTMLEncode(Request.QueryString("name")) %>. Your age is <%= Server.HTMLEncode(Request.QueryString("age")) %>.
The output is:
Welcome, Fred. Your age is 22.
If the following script is used:
The unparsed query string is: <%= Server.HTMLEncode(Request.QueryString) %>
The output is:
The unparsed query string is: name=fred&age=22
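As an added example (not part of the original documentation), the following script applies the Count and encoding guidance above to the name and age parameters: it accepts a parameter only when it occurs exactly once and matches an expected pattern, and it encodes the value on output. The function name GetSingleValue and the two patterns are assumptions chosen for illustration.

```asp
<%
' Added example, not from the original page. GetSingleValue and the
' patterns passed to it are assumptions chosen for illustration.

' Returns the value of a query string parameter only if it occurs exactly
' once and matches the supplied pattern; otherwise returns Null.
Function GetSingleValue(paramName, pattern)
  Dim re, value
  GetSingleValue = Null

  ' Count is 0 when the parameter is absent and greater than 1 when it is
  ' repeated (the unindexed value would then be a comma-delimited string).
  If Request.QueryString(paramName).Count <> 1 Then Exit Function

  value = Request.QueryString(paramName)(1)

  Set re = New RegExp
  re.Pattern = pattern
  re.IgnoreCase = True
  If re.Test(value) Then GetSingleValue = value
  Set re = Nothing
End Function

Dim userName, userAge
userName = GetSingleValue("name", "^[a-z][a-z '\-]{0,49}$")
userAge = GetSingleValue("age", "^[0-9]{1,3}$")

If IsNull(userName) Or IsNull(userAge) Then
  Response.Status = "400 Bad Request"
  Response.Write "Invalid request."
Else
  ' Encode on output even after validation: the name pattern allows an apostrophe.
  Response.Write "Welcome, " & Server.HTMLEncode(userName) & _
                 ". Your age is " & Server.HTMLEncode(userAge) & "."
End If
%>
```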
Client: Requires Windows XP Professional, Windows 2000 Professional, or Windows NT Workstation 4.0.
Server: Requires Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0.