3

I'm adding generic extension to my Scala 2.11.6, Play 2.3.8 based project, based on Request.queryString

/**
 * The parsed query string.
 */
def queryString: Map[String, Seq[String]]

Lets say I have ?param=A&param=B. The order in which query returns A & B affects the result, of calculations.

Does play guarantee order of A & B?

In other words do I need to handle order of query parameters explicitly, or it's part of the system contract.

mavarazy
  • 7,562
  • 1
  • 34
  • 60
  • Even if play guarantees that, is it guaranteed that the order of query string parameters will be same in request url ? – Adi Jun 17 '15 at 15:46
  • Play obviously can't guarantee order of query parameters ?a=A&b=B&a=C & ?a=A&a=C&b=C will return same Map, and there is no way to tell, that b was before last a, or after both. For me this does not matter, only the order of A & C in a is significant. – mavarazy Jun 17 '15 at 16:07
  • `Map`s are unordered, are they not? – Michael Zajac Jun 17 '15 at 16:16
  • Depends on implementation. – mavarazy Jun 17 '15 at 17:11
  • I don't think even http standard has anything to say about the query string order as such browser server frameworks can order or reorder, it is up to implementation. https://tools.ietf.org/html/rfc3986#page-23 – Biswanath Jun 17 '15 at 17:15
  • That's true, there seems to be no standard on multiple parameters in the query, and relying on any kind of behaviour may be a security vulnerability. http://stackoverflow.com/questions/1746507/authoritative-position-of-duplicate-http-get-query-keys https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf – Kolmar Jun 17 '15 at 18:28

1 Answers1

3

Does play guarantee order of A & B?

I don't think there is an explicit guarantee regarding the order of the params in Play (in general).

In the version I'm using now (Play 2.3.8), Play seems to use Netty's QueryStringDecoder and it indeed keeps the order of the values.

So with something like /some/path?param=1&param=7&param=4, queryString() will return

"param" -> ["1", "7", "4"]

but no one can assure you this will not change in the future (either in Netty or if Play decides to use something else).

If you are really just targeting 2.3.8, then I think you can safely assume the order is kept. If you want to use other Play versions, then you may want to use explicitly the version of Netty QueryStringDecoder used by 2.3.8:

QueryStringDecoder qs = new QueryStringDecoder("/a?param=1&param=7&param=4");
Map<String, List<String>> queryString = qs.getParameters();
Salem
  • 12,808
  • 4
  • 34
  • 54