Allowing Unwanted Query String Variables


Kahless - 8:28 pm on Jan 30, 2010 (gmt 0)


I notice many sites allow page load if a user adds an additional query string variable to the URL. Sites and code I am familiar with just ignore the unwanted query string variable. What are the ramifications of restricting to your own keys or not restricting at all? If you are ignoring the unwanted variables, does it matter at all?

In the last bit of code I wrote, I designed the CMS to intentionally return a 404 error if the end user adds a bogus query string variable. I am wondering if perhaps this is a bad idea, since other sites are allowing it for some reason and I remember once seeing in my Apache logs some search engine bots adding bogus query strings to the URL when crawling my site.

For example, authorized query:

test.com?id=1&a=b

Bad query (user added f variable):

test.com?id=1&a=b&f=http://www.webmasterworld.com

^^ I would normally drop this, but I see other sites do not.
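
The two policies the post compares, as an added example that is not part of the original post: a strict mode that returns 404 on any unknown key, and a lenient mode that never reads unknown keys and serves from the allowlisted ones only. `ALLOWED_KEYS`, `unexpected_keys()` and `decide()` are hypothetical names, and the rule that `id` must be numeric is an assumption.

```php
<?php
// Added example. ALLOWED_KEYS and both functions are hypothetical names;
// 'id' and 'a' are the keys from the post's sample URL.
const ALLOWED_KEYS = ['id', 'a'];

/** Return the query-string keys that are not on the allowlist. */
function unexpected_keys(array $params): array
{
    return array_values(array_diff(array_keys($params), ALLOWED_KEYS));
}

/**
 * strict:  any unknown key => 404 (the CMS behaviour described in the post).
 * lenient: unknown keys are dropped and never read; 'canonical' is the
 *          clean URL built from allowlisted keys only.
 */
function decide(string $path, string $query, bool $strict): array
{
    parse_str($query, $params);
    $notFound = ['status' => 404, 'params' => [], 'canonical' => null];

    if ($strict && unexpected_keys($params) !== []) {
        return $notFound;
    }
    $clean = array_intersect_key($params, array_flip(ALLOWED_KEYS));

    // Assumption: 'id' is required and numeric. Allowlisting key names does
    // not validate values, so this check applies in both modes
    // (it also rejects array input such as id[]=1).
    if (!isset($clean['id']) || !is_string($clean['id'])
        || !preg_match('/^\d+$/D', $clean['id'])) {
        return $notFound;
    }
    return [
        'status'    => 200,
        'params'    => $clean,
        'canonical' => $path . '?' . http_build_query($clean),
    ];
}

// Constructed sample requests: the two query strings from the post.
$samples = ['id=1&a=b', 'id=1&a=b&f=http://www.webmasterworld.com'];
foreach ($samples as $q) {
    foreach ([true, false] as $strict) {
        $r = decide('/', $q, $strict);
        printf("%-7s %-46s -> %d %s\n", $strict ? 'strict' : 'lenient',
            $q, $r['status'], $r['canonical'] ?? '-');
    }
}
```

In lenient mode the page still loads for the bot-style URL, and the `canonical` value can be emitted in a `rel="canonical"` link so the extra parameter does not produce a second indexed copy of the page.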


Thread source:: http://www.webmasterworld.com/php/4071164.htm