2. Web Presentation Technologies

Parameters From HTML Forms

Author: Scott Franson

Objective: (none)


A Short Digression on Parameters: HTTP, HTML, URLs and Servlets

In preparing for the servlet subject, I was sidetracked a bit by how parameters are passed to servlets via URLs, HTTP, and HTML forms. I thought that it would be useful to cover a bit of how these parameters are passed to servlets and JSPs.

The most common way to pass parameters is to encode them within a URL. The URL syntax is:

   <scheme>://<user>:<password>@<host>:<port>/<path>;<params>?<query>#<frag>

The components of a URL are:

As indicated, the query portion of a URL is used to pass input parameters to the servlet or JSP. The query string consists of name/value pairs separated by ampersands. For example, sending the parameters id and name to myServlet:

   http://www.myServer.com/servlet/myServlet?id=5&name=foo

These parameters (as with all the parameters to a servlet) are parsed by the servlet container for the programmer. Thus, the programmer merely needs to call the getParameter method to obtain these values. Note, however, that a parameter can be passed with multiple values; in that case the getParameterValues method is needed to obtain the array of values passed to the servlet.

What does this have to do with J2EE programming? As a developer, you will be writing code that generates URLs to call back to your application, specifying parameters so that you can customize the requested page. These URLs will be contained in normal anchor tags.

Following an anchor tag issues an HTTP GET request for a specific page from the server. An HTTP request consists of a set of headers and a request body. A GET request carries the specified URL in the header portion of the request packet; it does not put any data in the request body. An HTTP POST request, on the other hand, is used to pass data to the server. A POST request puts input parameters and data in the request body.

An HTTP POST is most often initiated by an HTML form. With HTML forms you specify, as part of the form tag, the method, GET or POST, by which the form data will be sent to the server. POST is used with large amounts of input data. Again, the servlet container will parse this for you, so it looks the same from the point of view of the developer.

So, what method should the developer use in sending HTML form data back to the servlet? If the data is large and exceeds the maximum URL length (officially 256 bytes) then the developer must use a POST method in the form tag. However, with smaller amounts of data either method can be used. Some consideration must be made, however, for security. As mentioned above, a GET method of sending parameters sends them by encoding them in a URL. This implies two things: first, URLs can be bookmarked. If the parameter data is sensitive, such as:

   http://www.myServer.com/servlet/myServlet?username=joe&password=secretPa$$w*rd

you may not want the users to be able to bookmark such URLs. A POST method may instead be used to send the data.

The second security concern with sending parameters via URLs and a GET request is that if a page is reloaded in the browser, the entire URL (with all its encoded parameters) is again sent to the server. If your application assumes only one request with that specific data, chaos can ensue. (Think of a shopping cart application where an impatient user clicks the Submit button or reloads the page multiple times.) If you were to use a POST method of sending the data, the user will get a "reload warning" in the browser indicating that the data cannot be sent again.
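Both concerns can be handled in the servlet itself. The following is an added example, not code from the original course page: it accepts the order only as a POST whose parameters are in the request body, and it goes one step beyond the text by using a one-time session token so that a reload or repeated Submit is rejected. It assumes the javax.servlet API; OrderServlet, the field names item, qty and token, and the session attribute orderToken are hypothetical.

```java
import java.io.IOException;
import java.util.UUID;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// Added example: OrderServlet, item, qty, token and orderToken are hypothetical names.
public class OrderServlet extends HttpServlet {
    // GET only renders the form and changes nothing, so bookmarking or reloading it is harmless.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String token = UUID.randomUUID().toString();          // hex digits and dashes only
        req.getSession().setAttribute("orderToken", token);   // one token per rendered form
        resp.setContentType("text/html");
        resp.getWriter().println("<form method=\"POST\" action=\"order\">"
            + "<input type=\"hidden\" name=\"token\" value=\"" + token + "\">"
            + "<input type=\"checkbox\" name=\"item\" value=\"101\"> <input type=\"checkbox\" name=\"item\" value=\"102\">"
            + "quantity <input type=\"text\" name=\"qty\"> <input type=\"submit\"></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // getParameter() merges query-string and body values; refuse anything sent in the URL.
        if (req.getQueryString() != null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "send parameters in the request body");
            return;
        }
        // Consume the token: a reload or second click replays a token that is no longer stored.
        HttpSession session = req.getSession();
        Object expected;
        synchronized (session) {
            expected = session.getAttribute("orderToken");
            session.removeAttribute("orderToken");
        }
        if (expected == null || !expected.equals(req.getParameter("token"))) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "order already submitted or form expired");
            return;
        }
        String[] items = req.getParameterValues("item");      // multi-valued parameter
        String qty = req.getParameter("qty");
        boolean ok = items != null && qty != null && qty.matches("[1-9][0-9]?");
        // Validate every value of the multi-valued parameter, not just the first.
        for (int i = 0; ok && i < items.length; i++) ok = items[i].matches("[0-9]{1,6}");
        if (!ok) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid item or quantity");
            return;
        }
        resp.getWriter().println("ordered " + items.length + " item type(s), quantity " + qty);
    }
}
```

Locking on the session object assumes the container hands the same HttpSession instance to concurrent requests in one session; where it does not, keep a dedicated lock object in the session instead.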

Remember, regardless of how your application gets its data, it is good practice to validate the data before your application acts on it. Here are some suggestions:

In summary, this is when to use GET and POST methods for sending data to your application: