{qs:variable_name:delimiter}

Description

Reads a variable from the current HTTP request and returns its value as text. With a variable name, it returns that GET, POST, or cookie parameter, looking in _REQUEST first, then in a JSON request body, then in the parsed query string. Called bare as qs with no name, it returns the entire raw query string. If the matched value is an array (a repeated parameter, or one written with [] brackets), it is joined with the delimiter you pass, or encoded as JSON when you pass none. qs is a request-dependent reader and is never cached: its output changes with every request, so it is never part of the cached page.

qs does NOT escape its output, so printing a raw qs value into an HTML page is an XSS risk. Whenever the value goes into HTML, use the sibling qss command, which is exactly safe applied to qs (it HTML-encodes the value).

Parameters

variable_name (optional; default: none - bare qs returns the whole query string)

Name of the request variable to read (a GET, POST, or cookie key). To read a bracketed/array form field, give the exact posted name including the brackets, e.g. aa[n1000_...][con_email_______][]. Omit the name entirely (bare qs) to return the whole raw query string instead of one variable.

delimiter (optional; default: none - arrays are returned as JSON)

Separator used to join the parts when the matched variable is an array (a repeated parameter or a name ending in []). If you omit it, an array value is returned as a JSON-encoded string instead of being joined. Has no effect on plain scalar values.

Examples

virtual: {qs:surname}
Expected: Havel (for ...?surname=Havel)
The everyday use: read one GET/POST parameter by name. For the URL ...page?surname=Havel this returns the value of surname. On a page with no such parameter it returns an empty string.
test: [{qs:this_param_is_never_set_xyz}]
Expected: []
Actual: []
Reading a parameter that is not present in the request yields an empty string - never an error. The brackets here just make the empty result visible.
virtual: {qs}
Expected: surname=Havel&lang=cz (for ...?surname=Havel&lang=cz)
Called with no variable name, qs returns the entire raw query string of the current request (everything after the ? in the URL, GET and POST together).
virtual: {qs:tag:, }
Expected: news, eu (for ...?tag=news&tag=eu)
When a parameter appears several times (or is posted as an array), the second argument is the separator used to join the parts. For ...?tag=news&tag=eu this returns the parts joined by a comma and space.
virtual: {qs:tag}
Expected: ["news","eu"] (for ...?tag=news&tag=eu)
With no delimiter, an array-valued parameter comes back JSON-encoded rather than joined. Useful when you want to pass the raw list on to another command. For ...?tag=news&tag=eu the result is a JSON array.
virtual: You searched for: {qss:hledej}
Expected: You searched for: &lt;b&gt; (for ...?hledej=<b>)
Actual: You searched for:
qs does NOT escape its output, so echoing a raw URL value into a page is an XSS hole. The qss sibling is exactly safe applied to qs: it HTML-encodes the value. Always use qss when the value lands in HTML. For ...?hledej=<b> the angle brackets come back encoded.
virtual: {qs:aa[n1000_31][con_email_______][]}
Expected: visitor@example.org (for that posted field)
When the request variable name itself contains square brackets (an AA form field posted as an array), give the exact posted name including the brackets. qs then parses the raw query string for that literal key and returns its value as posted.
test: [{qss:this_param_is_never_set_xyz}]
Expected: []
Actual: []
The safe variant qss behaves like qs for a missing parameter - an absent value HTML-encodes to nothing - so it too returns an empty string here.
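
The rules above, modelled in Python as an added example (this is not the CMS's own code): the lookup order, the scalar, joined and JSON output shapes, and qss as the HTML-encoded counterpart, run over a constructed query string whose values carry markup. The Python stand-ins (parse_qs, json.dumps, html.escape) and the function signatures are assumptions made for illustration.

```python
import html
import json
from urllib.parse import parse_qs


def qs(name=None, delimiter=None, *, request=None, json_body=None, query=""):
    """Model of the documented qs rules. Returns raw, unescaped text."""
    if name is None:
        return query                            # bare qs: the whole raw query string
    # Literal keys from the raw query string: repeated key -> list, else scalar.
    parsed = {k: (v if len(v) > 1 else v[0])
              for k, v in parse_qs(query, keep_blank_values=True).items()}
    # Documented lookup order: _REQUEST, then JSON body, then parsed query string.
    for source in (request or {}, json_body or {}, parsed):
        if name in source:
            value = source[name]
            break
    else:
        return ""                               # absent parameter: empty string, no error
    if isinstance(value, list):
        if delimiter is None:                   # no delimiter: array comes back as JSON
            return json.dumps(value, separators=(",", ":"))
        return delimiter.join(map(str, value))
    return str(value)


def qss(*args, **kwargs):
    """Model of qss: the same value, HTML-encoded before it reaches the page."""
    return html.escape(qs(*args, **kwargs), quote=True)


# Constructed request: one scalar and one repeated parameter, both carrying markup.
QUERY = "hledej=%3Cb%3E&tag=news&tag=%3Ci%3Eeu%3C%2Fi%3E"


def demo():
    """Return {shape: (raw qs output, qss output)} for each output shape."""
    cases = {"scalar": ("hledej",), "joined": ("tag", ", "),
             "json": ("tag",), "missing": ("nope",)}
    return {label: (qs(*args, query=QUERY), qss(*args, query=QUERY))
            for label, args in cases.items()}


if __name__ == "__main__":
    for label, (raw, encoded) in demo().items():
        print(f"{label:8} raw={raw!r:28} encoded={encoded!r}")
```

In this model the joined and JSON forms pass markup through exactly as the scalar form does, so choosing a delimiter or relying on the JSON shape is not a substitute for qss when the value lands in HTML.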