
Allowing Unwanted Query String Variables

Best practices question



8:28 pm on Jan 30, 2010 (gmt 0)

10+ Year Member

I notice many sites allow page load if a user adds an additional query string variable to the URL. Sites and code I am familiar with just ignore the unwanted query string variable. What are the ramifications of restricting to your own keys or not restricting at all? If you are ignoring the unwanted variables does it matter at all?

The last bit of code I wrote I designed the CMS to intentionally 404 error if the end user adds a bogus query string variable. I am wondering perhaps this is a bad idea since other sites are allowing it for some reason and I remember once seeing in my apache logs some search engine bots adding bogus query strings to the URL when crawling my site.

For example authorized query


Bad query (user added f variable)

^^I would normally drop this but see other sites do not.


9:21 pm on Jan 30, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

I tend to code in such a way that it doesn't matter if any other bogus values are specified.

<?php
// Only the key this page cares about is inspected; any other query key is ignored.
if (isset($_GET['WhatImInterestedIn']) && $_GET['WhatImInterestedIn'] == "validString") {
    // Page one
} elseif (isset($_GET['WhatImInterestedIn']) && $_GET['WhatImInterestedIn'] == "validStringTwo") {
    // Page two
} else {
    // Generic home page
}

They can specify all the extra values they like and it'll make no difference - so why 404 it?


9:54 pm on Jan 30, 2010 (gmt 0)

10+ Year Member

They can specify all the extra values they like and it'll make no difference - so why 404 it?

I was concerned they could use the URL for some nefarious purpose I am not familiar with. So as long as my app is ignoring it I am OK then, so something like this is not a concern?


But something like this I still have to 404 and strip <script>bad code</script> I assume?

test.com?id=233&f=http://www.othersite.com/dosomething<script>bad code</script>


10:04 pm on Jan 30, 2010 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Any client request for any non-canonical URL -- including the query string appended to that URL -- should be 301-redirected to the canonical URL.

If you do not validate URLs and query strings, you're allowing *anyone* to create a duplicate-content issue for your site -- whether accidentally or intentionally.



6:05 am on Jan 31, 2010 (gmt 0)

10+ Year Member

The URL is checked for validity and if it requires query string keys they are checked for validity.
If a key shows up that is not used I 404 it, and if it is used but has bad data I send a 400 "bad request".

I however tested sending a bogus query string key to a valid page on a few of the most popular web sites on the internet and they still accept the request as http 200.

I am therefore thinking maybe I need to be less restrictive -- allow bogus keys in the URL and not redirect like they do. This since if your top websites are handling it that way maybe there is some good reason I am not aware of. (maybe some search engines that I see sending bogus keys in my logs)

Maybe I am just over thinking security measures and this is a non-issue. I always worry I am not doing enough or am I doing too much when it comes to security.
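One way to implement both policies discussed in this thread, the allowlist with 404/400 responses described in the post above and jdmorgan's 301 to the canonical URL, as an added PHP example that is not code from any poster; the function and variable names ($allowed, decide_request, $strict) are assumptions:

```php
<?php
// Added example, not from the thread. Allowed query keys for one route, each
// with a validation pattern; anything not listed here is an unknown key.
$allowed = [
    'id'   => '/^[1-9][0-9]{0,8}$/',   // numeric record id
    'page' => '/^[1-9][0-9]{0,3}$/',
];

// Decide what to do with a request. Returns one of:
//   ['status' => 200]                         serve as requested
//   ['status' => 301, 'location' => $url]     redirect to the canonical URL
//   ['status' => 400]                         known key with bad data
//   ['status' => 404]                         unknown key, strict mode only
// $strict = true is the thread starter's policy (404 on unknown keys);
// $strict = false drops unknown keys and 301s to the canonical URL instead.
function decide_request(string $path, array $query, array $allowed, bool $strict = false): array
{
    $known = [];
    foreach ($query as $key => $value) {
        if (!isset($allowed[$key])) {
            if ($strict) {
                return ['status' => 404];
            }
            continue;                        // unknown key: never echoed, never used
        }
        if (!is_string($value) || !preg_match($allowed[$key], $value)) {
            return ['status' => 400];        // rejects arrays (id[]=1) and bad values
        }
        $known[$key] = $value;
    }
    ksort($known);                           // fixed key order gives one canonical form
    $canonical = $path . ($known ? '?' . http_build_query($known) : '');
    $requested = $path . ($query ? '?' . http_build_query($query) : '');
    if ($canonical !== $requested) {
        // Location only ever contains validated, URL-encoded values.
        return ['status' => 301, 'location' => $canonical];
    }
    return ['status' => 200];
}

// Constructed sample requests.
print_r(decide_request('/item', ['id' => '233'], $allowed));                    // 200
print_r(decide_request('/item', ['id' => '233', 'f' => 'junk'], $allowed));     // 301 -> /item?id=233
print_r(decide_request('/item', ['id' => '233', 'f' => 'junk'], $allowed, true)); // 404
print_r(decide_request('/item', ['id' => '23<script>'], $allowed));             // 400
```

The bogus value in the f key from the earlier post is handled by never using it at all: it is dropped from the canonical URL rather than stripped or sanitised, so there is nothing for it to be injected into.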

