Query Parameters and Search — Clean Language

Query Parameters and Search

URL query parameters — the ?key=value part of a URL — let users filter and search without submitting a form. /posts?tag=tutorial shows only tagged posts. req.query() reads them all.

req.query() reads ?key=value from the URL, or returns empty string if absent:

    GET "/posts" :
        string tag = req.query("tag")
        string sql = ""
        string params = "[]"

        if tag != ""
            sql = "SELECT title, slug FROM posts WHERE tag = ? ORDER BY created_at DESC"
            params = "[\"" + tag + "\"]"
        else
            sql = "SELECT title, slug FROM posts ORDER BY created_at DESC"

        string result = db.query(sql, params)

    GET /posts          → all posts
    GET /posts?tag=tips → only posts tagged "tips"

req.query("tag") returns the ?tag= value or empty string if it is missing. Build different SQL branches based on whether the filter is set — but always use ? placeholders, never concatenate query values directly into SQL.

Show the active filter in the page so users know what they're looking at:

        string heading = "All Posts"
        if tag != ""
            heading = "Posts tagged: " + tag

        html:
            <h1>{heading}</h1>

    GET /posts?tag=tips → heading reads: Posts tagged: tips

The heading variable is auto-escaped when interpolated, so if someone puts HTML in the URL, it renders as harmless text, not executable code. Always use plain interpolation (no !) for user-supplied values in output.
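The same handler, written as an added Python example rather than Clean Language code from this tutorial: it reads ?tag= the way req.query() does, picks the SQL branch with the tag passed only as a bound parameter, and escapes the heading the way auto-escaping interpolation does. It assumes an in-memory SQLite table and a few constructed posts in place of the real database.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows standing in for the tutorial's posts table.
SAMPLE_POSTS = [
    ("Ten Tips", "ten-tips", "tips", "2024-01-02"),
    ("Intro Tutorial", "intro", "tutorial", "2024-01-03"),
    ("More Tips", "more-tips", "tips", "2024-01-04"),
]


def open_db():
    """In-memory SQLite database seeded with the constructed posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT, slug TEXT, tag TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    return conn


def read_query(url, key):
    """Mirror req.query(): the first ?key= value, or "" when absent or blank."""
    values = parse_qs(urlsplit(url).query).get(key, [])
    return values[0] if values else ""


def build_posts_query(tag):
    """Choose the SQL branch; the tag only ever travels as a bound parameter."""
    if tag != "":
        return ("SELECT title, slug FROM posts WHERE tag = ? ORDER BY created_at DESC", (tag,))
    return ("SELECT title, slug FROM posts ORDER BY created_at DESC", ())


def handle_get_posts(conn, url):
    """Return (heading_html, rows) for GET /posts with an optional ?tag= filter."""
    tag = read_query(url, "tag")
    sql, params = build_posts_query(tag)
    rows = conn.execute(sql, params).fetchall()
    heading = "Posts tagged: " + tag if tag != "" else "All Posts"
    # html.escape plays the role of the tutorial's auto-escaping {heading} interpolation.
    return "<h1>" + html.escape(heading) + "</h1>", rows


if __name__ == "__main__":
    db = open_db()
    print(handle_get_posts(db, "/posts?tag=tips"))
    print(handle_get_posts(db, "/posts?tag=%3Cscript%3E"))
```

A tag of `<script>` comes back as `&lt;script&gt;` in the heading and matches no rows, which is the behaviour the paragraph above describes.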

Quick recap

  • req.query("key") reads ?key=value from the URL — returns empty string if absent
  • Check if the value is not empty before deciding which SQL branch to run
  • Always use ? placeholders — never concatenate query string values into SQL
  • Plain interpolation auto-escapes user input in HTML output — safe against XSS