51

I am trying to figure out how to pass multiple parameters in a URL. I want to pass latitude and longitude from my Android class to a Java servlet. How can I do that?

URL url;
double lat=touchedPoint.getLatitudeE6() / 1E6;
double lon=touchedPoint.getLongitudeE6() / 1E6;
url = new URL("http://10.0.2.2:8080/HelloServlet/PDRS?param1="+lat+lon);

In this case the output (written to file) is 28.53438677.472097. This is working, but I want to pass latitude and longitude in two separate parameters so that my work on the server side is reduced. If that is not possible, how can I at least add a space between lat & lon so that I can use a tokenizer class to get my latitude and longitude? I tried the following lines, but to no avail.

    url = new URL("http://10.0.2.2:8080/HelloServlet/PDRS?param1="+lat+" "+lon);

Output: nothing is written to file

    url = new URL("http://10.0.2.2:8080/HelloServlet/PDRS?param1="+lat+"&?param2="+lon);

Output: 28.534386 (only latitude)

    url = new URL("http://10.0.2.2:8080/HelloServlet/PDRS?param1="+lat+"?param2="+lon);

Output: 28.532577?param2=77.502996

My servlet code is as follows:

req.setCharacterEncoding("UTF-8");
resp.setCharacterEncoding("UTF-8");
final String par1 =  req.getParameter("param1");
final String par2 = req.getParameter("param2");
FileWriter fstream = new FileWriter("C:\\Users\\Hitchhiker\\Desktop\\out2.txt");
BufferedWriter out = new BufferedWriter(fstream);
out.write(par1);
out.append(par2);
out.close();

Also, I wanted to know whether this is the safest and most secure way to pass the data from an Android device to a server.

Nexaspx
rishiag

3 Answers

78

This

url = new URL("http://10.0.2.2:8080/HelloServlet/PDRS?param1="+lat+"&param2="+lon);

must work. For whatever strange reason [1], you need ? before the first parameter and & before the following ones.

Using a compound parameter like

url = new URL("http://10.0.2.2:8080/HelloServlet/PDRS?param1="+lat+"_"+lon);

would work, too, but is surely not nice. You can't use a space there as it's prohibited in a URL, but you could encode it as %20 or + (but this is even worse style).


[1] Stating that ? separates the path and the parameters and that & separates parameters from each other does not explain anything about the reason. Some RFC says "use ? there and & there", but I can't see why they didn't choose the same character.

maaartinus
  • Thanks, worked like a charm. :) Could you also please answer my last question, that is, is this the most secure way to do this? The application I am developing is going to be deployed on the market, so it's necessary that it's secured. – rishiag Jun 08 '12 at 06:06
  • Concerning security, the answer surely depends on what kind of security you need. If you want to prevent unauthorized use of your app, you might be out of luck. For secure communication, `HTTPS` is usually the way to go. On the client side you only need to add an "s", on the server side you need a private key and a certificate signed by a CA. Or you might run your own, which is a bit more work. However... this is a different question, post it. – maaartinus Jun 08 '12 at 06:20
  • 4
    It's not a strange reason. The `?` is not part of the query string. It is just the separator character between the request URI and the request query string. The query string parameter pairs in turn need the `&` as separator character. The query string parameter name and value pair in turn need the `=` as separator character. Spaces in query strings should by the way be encoded as `+`. The `%20` is only applicable on the request URI part. You can use `URLEncoder#encode()` to encode query string components. See also http://stackoverflow.com/questions/2793150/ – BalusC Jun 08 '12 at 18:52
  • I see, but `something?a=1?b=2` would be easier to write and to parse; there's no logical reason for using `&` instead of `?` as the separator. AFAIK `+` is just a convenient shortcut for ` ` and `URLDecoder` accepts `%20` as well. – maaartinus Jun 08 '12 at 19:06
  • That format is used in LDAP in various ways, but it's pretty futile to start debating decisions that were taken in about 1992. @BalusC is correct about the encoding requirements. You can't rely on the behaviour of one specific API. Not everything is Java and not everything in Java is decoded by `URLDecoder`. – user207421 Mar 03 '16 at 00:29
  • @EJP All that RFC 2396 says about space is that *"%20" is the escaped encoding for the US-ASCII space character.* They don't say anything about prohibiting it somewhere, moreover I can't see there anything preventing me from escaping any character (except where its special meaning is wanted). I surely may be wrong... – maaartinus Mar 03 '16 at 01:26
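An added example, not part of the original answer or comments: building the query string with `URLEncoder.encode()` on every name and value, then parsing it back roughly the way a servlet container does, which also shows why the question's `&?param2=` attempt returned only the latitude. The class and method names (`QueryStringDemo`, `buildQuery`, `parseQuery`) and the `note` parameter are assumptions made for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class QueryStringDemo {
    // Join name=value pairs with '&', encoding each name and value so that
    // reserved characters inside the data cannot change the query structure.
    static String buildQuery(Map<String, String> params) throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), "UTF-8")).append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return sb.toString();
    }

    // Split on '&', then on the first '=', and decode both halves. This is
    // roughly what happens before getParameter() hands a value to the servlet.
    static Map<String, String> parseQuery(String query) throws UnsupportedEncodingException {
        Map<String, String> out = new LinkedHashMap<String, String>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(name, "UTF-8"), URLDecoder.decode(value, "UTF-8"));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> p = new LinkedHashMap<String, String>();
        p.put("param1", Double.toString(28.534386));   // constructed sample latitude
        p.put("param2", Double.toString(77.472097));   // constructed sample longitude
        p.put("note", "a b&param1=0?x");               // value full of reserved characters
        String query = buildQuery(p);
        System.out.println("http://10.0.2.2:8080/HelloServlet/PDRS?" + query);
        System.out.println(parseQuery(query));          // three parameters, values intact
        // The "&?param2=" attempt from the question: the second name is "?param2",
        // so a lookup of "param2" finds nothing.
        System.out.println(parseQuery("param1=28.534386&?param2=77.502996").keySet());
    }
}
```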
4

I do not know much about Java, but URL query arguments should be separated by "&", not "?".

https://www.rfc-editor.org/rfc/rfc3986 is a good place for reference, using "sub-delim" as a keyword. http://en.wikipedia.org/wiki/Query_string is another good source.

Community
Tõnu Samuel
2

You can pass multiple parameters as "?param1=value1&param2=value2".

But it's not secure. It's vulnerable to a Cross-Site Scripting (XSS) attack.

Your parameter can be simply replaced with a script.

Have a look at this article and article

You can make it secure by using the API of StringEscapeUtils:

static String   escapeHtml(String str) 
          Escapes the characters in a String using HTML entities.

Even using an https URL for security without the above precautions is not good practice.

Have a look at related SE question:

Is URLEncoder.encode(string, "UTF-8") a poor validation?

Community
Ravindra babu
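
An added example, not part of the original answer: one way to handle `param1` and `param2` on the server, parsing each as a bounded number before use and HTML-escaping raw input only where it is echoed into a page. `CoordinateParams`, `parseCoordinate` and the hand-written `escapeHtml` (a stand-in for the `StringEscapeUtils.escapeHtml` method the answer names) are assumptions; the sample inputs are constructed.

```java
public class CoordinateParams {
    // Parse a request parameter as a coordinate. Anything missing, oversized,
    // non-numeric, non-finite or outside [min, max] is rejected.
    static double parseCoordinate(String raw, double min, double max) {
        if (raw == null || raw.length() > 32) {
            throw new IllegalArgumentException("missing or oversized parameter");
        }
        double v;
        try {
            v = Double.parseDouble(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("not a number");
        }
        // Double.parseDouble accepts "NaN" and "Infinity", so check explicitly.
        if (Double.isNaN(v) || Double.isInfinite(v) || v < min || v > max) {
            throw new IllegalArgumentException("out of range");
        }
        return v;
    }

    // Minimal HTML escaping for text placed in element content or a quoted
    // attribute; needed only when raw input is written back into a page.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs; the fourth is the concatenated value from the question.
        String[] samples = { "28.534386", "NaN", "91", "28.53438677.472097", "<b>28.5</b>" };
        for (String raw : samples) {
            try {
                System.out.println("accepted latitude " + parseCoordinate(raw, -90.0, 90.0));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + escapeHtml(raw) + ": " + e.getMessage());
            }
        }
    }
}
```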