Reputation: 115
I'm currently developing a Servlet that runs under Glassfish 4.
I implemented the doPost() method and I need to ensure that the parameters are passed using the POST body, and not in the query string.
I wrote a test implementation to check it:
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // getParameter() returns the first value for the name; query string values come before body values
        String name = request.getParameter("name");
        response.getOutputStream().print(name);
    }
If I call my page with POST with this URL:
http://localhost:8080/myservlet/testservlet
and pass name=Nico into the POST body, the value Nico is returned, and it's okay.
Now if I call it this way:
http://localhost:8080/myservlet/testservlet?name=Robert
and I still pass name=Nico in the POST body, Robert is returned, and the name=Nico is ignored.
I just would like to avoid parameters to be passed in the URL.
Is there a way to explicitly retrieve parameters from the POST body instead of body + query string?
Upvotes: 4
Views: 17241
Reputation:
In most cases, you can read both of them using getParameterValues; the first one is the query string and the second one is the post body. Now you can decide which one to use.
    String[] lines = request.getParameterValues("name");
Upvotes: 2
Reputation: 1755
I think it is a problem of front end code, instead of servlet. Any post request submission from UI should strip query string.
Upvotes: -2
Reputation: 108
Check the javadoc for the getParameter method:
Like it is stated, you are sending 2 parameters on the request with the same name, one from the query string and another on the body.
Now it is up to you to either validate that no parameter is coming from the query string or read the values directly from the request body.
Upvotes: 2
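The two options named in the answer above (reject parameters that arrive in the query string, or read the values directly from the request body), combined in an added example that is not part of any post on this page. The class name BodyOnlyServlet, the 8192-character body cap and the UTF-8 fallback are assumptions; the javax.servlet package matches Glassfish 4.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.net.URLDecoder;
import java.util.*;
import javax.servlet.http.*;

// Added example: class name and limits are assumptions, not from the page.
public class BodyOnlyServlet extends HttpServlet {
    private static final int MAX_BODY_CHARS = 8192; // assumed cap on body size

    // Parse an application/x-www-form-urlencoded body without using getParameter().
    static Map<String, List<String>> parseForm(String body, String charset) throws IOException {
        Map<String, List<String>> params = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), charset);
            String val = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), charset);
            params.computeIfAbsent(key, k -> new ArrayList<>()).add(val);
        }
        return params;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String type = request.getContentType();
        // Option 1: refuse any request that carries a query string or a non-form body.
        if (request.getQueryString() != null || type == null
                || !type.toLowerCase(Locale.ROOT).startsWith("application/x-www-form-urlencoded")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "form body only");
            return;
        }
        // Option 2: read the body ourselves, before any getParameter() call consumes it.
        StringBuilder body = new StringBuilder();
        BufferedReader reader = request.getReader();
        char[] buf = new char[1024];
        for (int n; (n = reader.read(buf)) != -1; ) {
            if (body.length() + n > MAX_BODY_CHARS) {
                response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                return;
            }
            body.append(buf, 0, n);
        }
        String enc = request.getCharacterEncoding() != null ? request.getCharacterEncoding() : "UTF-8";
        List<String> names = parseForm(body.toString(), enc).get("name");
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().print(names == null ? "" : names.get(0));
    }
}
```

Malformed percent-encoding makes URLDecoder.decode throw IllegalArgumentException, which the container turns into a 500; catch it and send a 400 if that is not wanted.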
Reputation: 489
Did you check what request.getAttribute() returns?
Anyway, you can't avoid that people will try to send you evil data, either in the URL or by tinkering with the POST request.
So when you work with input from a website, always imagine a hacker sitting on the other side and sending you evil content in your parameters, like SQL injections. So you need good validation to only let good content through to your database.
Because it's not your problem if a user enters his username as a parameter in the URL. Let him have the fun, if he prefers this way over the input field. The hackers are the problem.
Upvotes: 0