23

We are building an API in-house and often are passing a parameter with multiple values.

They use: mysite.com?id=1&id=2&id=3

Instead of: mysite.com?id=1,2,3

I favor the second approach but I was curious if it was actually incorrect to do the first?

Improve this question
5
  • it's actually correct. and in java, you just need to call request.getParameterValues("id") to get the array of string values. Commented Jul 23, 2012 at 22:32
  • 1
    Could you point to some reference that says it is correct? It's hard to take Java's interpretation of URLs as a standard. Commented Jul 24, 2012 at 5:00
  • yeah, it actually depends on your web environment so we really cannot take java's interpretation as standard. check this out for a similar discussion and alternatives stackoverflow.com/questions/6243051/… Commented Jul 24, 2012 at 11:44
  • To play safe, I simply implemented both within connection-string, to result in an array that contains all of the values. So your input of ?a=1&a=2,3,4&a=5 is parsed into a = [1 ,2, 3, 4, 5]. Commented Oct 18, 2020 at 17:17
  • Dupe of stackoverflow.com/questions/24059773/… (I think the linked question is asked/answered better) Commented Jul 6, 2022 at 16:40

5 Answers 5

Reset to default
12

I'm not an HTTP guru, but from what I understand there's not a definitive standard on the query part of the URL regarding multiple values, it's typically up to the CGI that handles the request to parse the query string.

RFC 1738 section 3.3 mentions a searchpart and that it should go after the ? but doesn't seem to elaborate on its format.

http://<host>:<port>/<path>?<searchpart>

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

CGI… blast from the past. 😁
6

I did not (bother to) check which RFC standard defines it. (Anyone who knows about this please leave a reference in the comment.) But in practice, the mysite.com?id=1&id=2&id=3 way is already how a browser would produce when a form contains duplicated fields, typically the checkboxes. See it in action in this w3schools example page. (UPDATE: Since 2020, that example uses variables with different names such as vehicle1=Bike&vehicle2=Car; but we can still manually change its source code to purposely use same name variable to obtain vehicle=Bike&vehicle=Car.) So there is a good chance that the whatever programming language you are using, already provides some helper functions to parse an input like that and probably returns a list.

You could, of course, go with your own approach such as mysite.com?id=1,2,3, which is not bad at all in this particular case. But you will need to implement your own logic to produce and to consume such format. Now you may or may not need to think about handling some corner cases by yourself, such as: what if the input is not well-formed, like mysite.com?id=1,2,? And do you need to invent yet another separator, if the comma sign itself can also be a valid input, like mysite.com?name=Doe,John|Doe,Jane? Would you reach to a point that you will use a json string as the value, like mysite.com?name=["John Doe", "Jane Doe"]? etc. etc.. Your mileage may vary.

Improve this answer

4 Comments

Is the w3schools link still a valid example of the first approach?
@vdwees Why not?
When I check the boxes and click submit, it says the input was recieved as vehicle1=Bike&vehicle2=Car&vehicle3=Boat. I think the question is asking about vehicle=Bike&vehicle=Car&vehicle=Boat?
Oh I see. They changed that example after I wrote my answer. That is unfortunate and I can not control that part. But you can go ahead to change their sample's online code snippet, to use SAME name for all three checkbox input fields, and then you will see the intended effect. That IS how the checkboxes supposed to work. W3Cschool messed up with their samples (presumably when they introduced labels into their sample - but that is a different topic anyway).
3

Worth adding that inconsistend handling of duplicate parameters in the URL on the server is may lead to vulnerabilities, specifically server-side HTTP parameter pollution, with a practical example - Client side Http Parameter Pollution - Yahoo! Classic Mail Video Poc.

Improve this answer

Comments

0

in your first approach you will get an array of querystring values but in second approach you will get a string of querystring values.

Improve this answer

1 Comment

This is misleading: first approach you will get an array of querystring values. It's entirely up to the system that is parsing the query string to decide how it gets interpreted. In PHP, for example, the last value would be assigned to $_GET['id']. You would have to use this format: mysite.com?id[]=1&id[]=2&id[]=3 to get an array.
0

I guess it depends on technology you use, how it becomes convenient. I am currently standing in front of the same question using currency=USD,CHF or currency=USD&currency=CHF

I am using Thymeleaf and using the second option makes it easy to work, I can then request something like: ${param.currency.contains(currency.value)}. When I try to use the first option it seems it takes the "array" like a string, so I need to split first and then do contain, what leads me to a more mess code.

Just my 50 cents :-)

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.