20

We are building an API in-house and often are passing a parameter with multiple values.

They use: mysite.com?id=1&id=2&id=3

Instead of: mysite.com?id=1,2,3

I favor the second approach but I was curious if it was actually incorrect to do the first?

Justin
  • It's actually correct. And in Java, you just need to call request.getParameterValues("id") to get the array of string values. – jay c. Jul 23 '12 at 22:32
  • Could you point to some reference that says it is correct? It's hard to take Java's interpretation of URLs as a standard. – Justin Jul 24 '12 at 05:00
  • Yeah, it actually depends on your web environment, so we really cannot take Java's interpretation as standard. Check this out for a similar discussion and alternatives: http://stackoverflow.com/questions/6243051/how-to-pass-an-array-within-a-query-string – jay c. Jul 24 '12 at 11:44
  • To play safe, I simply implemented both within [connection-string](https://github.com/vitaly-t/connection-string), to result in an array that contains all of the values. So your input of `?a=1&a=2,3,4&a=5` is parsed into `a = [1 ,2, 3, 4, 5]`. – vitaly-t Oct 18 '20 at 17:17
  • Dupe of https://stackoverflow.com/questions/24059773/correct-way-to-pass-multiple-values-for-same-parameter-name-in-get-request (I think the linked question is asked/answered better) – Lee Jul 06 '22 at 16:40

5 Answers

11

I'm not an HTTP guru, but from what I understand there's not a definitive standard on the query part of the URL regarding multiple values; it's typically up to the CGI that handles the request to parse the query string.

RFC 1738 section 3.3 mentions a searchpart and that it should go after the ? but doesn't seem to elaborate on its format.

http://<host>:<port>/<path>?<searchpart>

Nathan
5

I did not (bother to) check which RFC standard defines it. (Anyone who knows about this, please leave a reference in the comments.) But in practice, the `mysite.com?id=1&id=2&id=3` way is already what a browser produces when a form contains duplicated fields, typically checkboxes. See it in action in this w3schools example page. So there is a good chance that whatever programming language you are using already provides some helper functions to parse an input like that, and probably returns a list.

You could, of course, go with your own approach such as `mysite.com?id=1,2,3`, which is not bad at all in this particular case. But you will need to implement your own logic to produce and to consume such a format. Now you may or may not need to think about handling some corner cases by yourself, such as: what if the input is not well-formed, like `mysite.com?id=1,2,`? And do you need to invent yet another separator, if the comma sign itself can also be a valid input, like `mysite.com?name=Doe,John|Doe,Jane`? Would you reach a point where you use a JSON string as the value, like `mysite.com?name=["John Doe", "Jane Doe"]`? Etc. Your mileage may vary.

RayLuo
  • Is the w3schools link still a valid example of the first approach? – vdwees Mar 23 '20 at 09:40
  • @vdwees Why not? – RayLuo Mar 25 '20 at 03:22
  • When I check the boxes and click submit, it says the input was received as `vehicle1=Bike&vehicle2=Car&vehicle3=Boat`. I think the question is asking about `vehicle=Bike&vehicle=Car&vehicle=Boat`? – vdwees Mar 25 '20 at 12:20
  • Oh I see. They changed that example after I wrote my answer. That is unfortunate and I cannot control that part. But you can go ahead and change their sample's online code snippet to use the SAME name for all three checkbox input fields, and then you will see the intended effect. That IS how checkboxes are supposed to work. W3Schools messed up their samples (presumably when they introduced labels into their sample - but that is a different topic anyway). – RayLuo Mar 26 '20 at 20:59
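An added example, not part of the original answer or its comments: one way to consume a list parameter that accepts both the repeated-key and the comma-separated form (the `?a=1&a=2,3,4&a=5` input mentioned in the question's comments) while handling the two corner cases raised above. The function name `list_param` is hypothetical, and the sketch assumes the producer percent-encodes any comma that belongs to a value as `%2C`.

```python
from urllib.parse import unquote_plus


def list_param(query: str, name: str) -> list:
    """Collect `name` from repeated keys and comma-separated values into one list.

    Splitting is done on the raw query string, before percent-decoding, so a
    comma sent as %2C stays inside a value while a literal comma separates
    items. An empty item (as in "id=1,2,") is rejected rather than guessed at.
    """
    items = []
    for pair in query.split("&"):
        if not pair:
            continue  # tolerate "a=1&&a=2"
        raw_key, _, raw_value = pair.partition("=")
        if unquote_plus(raw_key) != name:
            continue
        for raw_item in raw_value.split(","):
            if raw_item == "":
                raise ValueError(f"empty item for {name!r} in {pair!r}")
            items.append(unquote_plus(raw_item))
    return items


if __name__ == "__main__":
    # Constructed sample inputs.
    print(list_param("a=1&a=2,3,4&a=5", "a"))
    print(list_param("name=Doe%2CJohn,Doe%2CJane", "name"))
    try:
        list_param("id=1,2,", "id")
    except ValueError as exc:
        print("rejected:", exc)
```

If a client or intermediary decodes `%2C` before the request reaches this code, the distinction is lost, which is the separator problem the answer describes.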
3

Worth adding that inconsistent handling of duplicate parameters in the URL on the server may lead to vulnerabilities, specifically server-side HTTP parameter pollution, with a practical example - Client side Http Parameter Pollution - Yahoo! Classic Mail Video Poc.

kravietz
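An added example, not part of the original answer: the same query string read under the duplicate-handling conventions mentioned on this page, followed by a strict parser that rejects repeats of any parameter not declared multi-valued, so that two components can never disagree about which `id` is meant. The names `interpretations`, `parse_strict` and `DuplicateParameter` are hypothetical.

```python
from urllib.parse import parse_qsl

SAMPLE_QUERY = "id=1&id=2&id=3"  # constructed sample, same shape as the question


def interpretations(query: str, name: str) -> dict:
    """Show what different duplicate-handling conventions would see for `name`."""
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]
    return {
        "first_wins": values[0] if values else None,
        "last_wins": values[-1] if values else None,   # PHP's $_GET, per the comment on this page
        "all_values": values,                          # Java's getParameterValues, per this page
        "joined": ",".join(values) if values else None,
    }


class DuplicateParameter(ValueError):
    """Raised when a single-valued parameter appears more than once."""


def parse_strict(query: str, multi_valued: frozenset = frozenset()) -> dict:
    """Parse a query string; only names in `multi_valued` may repeat."""
    result = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in multi_valued:
            result.setdefault(key, []).append(value)
        elif key in result:
            raise DuplicateParameter(key)
        else:
            result[key] = value
    return result


if __name__ == "__main__":
    print(interpretations(SAMPLE_QUERY, "id"))
    print(parse_strict(SAMPLE_QUERY, multi_valued=frozenset({"id"})))
    try:
        parse_strict(SAMPLE_QUERY)  # "id" not declared multi-valued
    except DuplicateParameter as exc:
        print("rejected duplicate parameter:", exc)
```

Rejecting the request at the first component that parses it means a validation layer and the backend behind it cannot each pick a different value from the same URL.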
0

In your first approach you will get an array of querystring values, but in the second approach you will get a string of querystring values.

Rahul
  • This is misleading: _first approach you will get an array of querystring values_. It's entirely up to the system that is parsing the query string to decide how it gets interpreted. In PHP, for example, the last value would be assigned to `$_GET['id']`. You would have to use this format: `mysite.com?id[]=1&id[]=2&id[]=3` to get an array. – gligoran Mar 05 '16 at 18:21
0

I guess it depends on the technology you use and how convenient it becomes. I am currently facing the same question, using currency=USD,CHF or currency=USD&currency=CHF.

I am using Thymeleaf, and using the second option makes it easy to work with; I can then request something like: ${param.currency.contains(currency.value)}. When I try to use the first option, it seems it takes the "array" as a string, so I need to split first and then do the contains, which leads me to messier code.

Just my 50 cents :-)

Michael Hegner