
Java servlet : request.getParameter() returns a parameter from the query string in a POST request

Problem description:

I'm currently developing a Servlet that runs under Glassfish 4.

I implemented the doPost() method and I need to ensure that the parameters are passed using the post body, and not in the query string.

I wrote a test implementation to check it :

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String name = request.getParameter("name");
        response.getOutputStream().print(name);
    }

If I call my page with POST with this url :

http://localhost:8080/myservlet/testservlet

and pass name=Nico into the post body, the value Nico is returned, and it's okay.

Now if I call it this way :

http://localhost:8080/myservlet/testservlet?name=Robert

and I still pass name=Nico in the post body, Robert is returned, and the name=Nico is ignored.

I just would like to avoid parameters to be passed in the URL.

Is there a way to explicitly retrieve parameters from the post body instead of body + query string?

Many thanks for your help,

Nicolas

User answer:

Check the javadoc for the getParameter method:

https://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/ServletRequest.html#getParameter%28java.lang.String%29

Like it is stated, you are sending 2 parameters on the request with the same name, one from the query string and another on the body.

Now it is up to you to either validate that no parameter is coming from the query string or read directly values from the request body.
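The first option mentioned above (validating that the parameter does not arrive in the query string) could look like the following. This is an added example, not code from the answer or the thread; the class name `BodyOnlyServlet` is hypothetical, and it assumes the `javax.servlet` 3.x API shipped with Glassfish 4 and a form-encoded POST body.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Added example: hypothetical class name; /testservlet is the path used in the question.
@WebServlet("/testservlet")
public class BodyOnlyServlet extends HttpServlet {
    // Decoded names of every parameter present in the raw query string.
    static Set<String> queryParamNames(String rawQuery) throws UnsupportedEncodingException {
        Set<String> names = new HashSet<>();
        if (rawQuery == null) return names;
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String rawName = eq >= 0 ? pair.substring(0, eq) : pair;
            // Decode first, so "n%61me=Robert" is still recognised as "name".
            if (!rawName.isEmpty()) names.add(URLDecoder.decode(rawName, "UTF-8"));
        }
        return names;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Set<String> fromUrl;
        try {
            fromUrl = queryParamNames(request.getQueryString());
        } catch (IllegalArgumentException e) { // malformed %-escape in the URL
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed query string");
            return;
        }
        if (fromUrl.contains("name")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "'name' must be sent in the POST body");
            return;
        }
        // "name" is absent from the URL, so getParameter() can only see the body value.
        String name = request.getParameter("name");
        if (name == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing 'name'");
            return;
        }
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().print(name);
    }
}
```

With the second request from the question (`?name=Robert` in the URL and `name=Nico` in the body), this servlet answers 400 instead of returning Robert.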

User answer:

Did you check what request.getAttribute() returns?

Anyway, you can't avoid that people will try to send you evil data, either in the URL or by tinkering with the POST request.

So when you work with input from a website, always imagine a hacker sitting on the other side and sending you evil content in your parameters, like SQL injections. So you need a good validation to only let good content through to your database.

Because it's not your problem if a user enters his username as a parameter in the URL. Let him have the fun, if he prefers this way over the input field. The hackers are the problem.

User answer:

I think it is a problem of front end code, instead of servlet. Any post request submission from UI should strip query string.

User answer:

You can read both of them using getParameterValues; the first one is the query string and the second one is the post body. Now you can decide which one to use.

    String[] lines = request.getParameterValues("name");
