Form data can be submitted to servlets via GET or POST requests. Servlets can read this data through the HttpServletRequest object's getParameter and getParameterValues methods to retrieve individual values or arrays. It is important to filter special characters from form data to prevent cross-site scripting attacks when displaying values.
2. Agenda
• Creating and submitting form
• Reading individual request parameters
• Reading an entire set of parameters
• Reading arrays of values
3. The Role of Form data
• Example of Query String
- http://www.example.com/reg?user=John&origin=india
- Name / value pair
- user / John from the above URL
- Name comes from HTML Author
- Values come from End user
• How do servlets read the data
- Use request.getParameter()
- Use request.getParameterValues() for array types
- Use request.getParameterNames() for enumerated list of names
4. HTML Forms
<HTML>
<HEAD><TITLE>A Sample Form Using GET</TITLE></HEAD>
<BODY BGCOLOR="#FDF5E6">
<H2 ALIGN="CENTER">A Sample Form Using GET</H2>
<FORM ACTION="http://localhost:8088/SomeProgram">
<CENTER>
First name:
<INPUT TYPE="TEXT" NAME="firstName" VALUE="Joe"><BR>
Last name:
<INPUT TYPE="TEXT" NAME="lastName" VALUE="Hacker"><P>
<INPUT TYPE="SUBMIT"> <!-- Press this to submit form -->
</CENTER>
</FORM>
</BODY></HTML>
5. HTML
• HTML files do not go in WEB-INF/classes
- They go in directory that contains WEB-INF
- Tomcat: install_dir\webapps\ROOT\Form.html or
- install_dir\webapps\ROOT\SomeDir\Form.html
• URL
- http://localhost/SomeDir/Form.html
- http://localhost/Form.html or
• Custom Web applications
- Use a different dir with the same structure as the default Web app
6. Reading form data in servlets
• request.getParameter("name")
- Returns URL-decoded value of first occurrence of name in query string
- Works identically for GET and POST requests
- Returns null if no such parameter is in query data
• request.getParameterValues("name")
- Returns an array of the URL-decoded values of all occurrences of name in query string
- Returns a one-element array if param not repeated
- Returns null if no such parameter is in query data
• request.getParameterNames() or request.getParameterMap()
- Returns Enumeration or Map of request params
- Usually reserved for debugging
7. Reading Raw Data
• Raw data
- request.getReader
- request.getInputStream
• Data no longer available via getParameter after this
• Parsing uploaded files
- HTML has a way of submitting entire files
• <INPUT TYPE="FILE"…>
- Servlet/JSP APIs have no builtin way to parse files
- Popular third-party library available from the Apache/Jakarta "Commons" library
8. Validation
• Missing values
- Field missing in form
• getParameter returns null
- Field blank when form submitted
• getParameter returns an empty string (or possibly a string containing only whitespace)
- Must check for null before checking for empty string
String param = request.getParameter("someName");
// null: field absent from form; blank after trim(): field left empty
if ((param == null) || (param.trim().equals(""))) {
doSomethingForMissingValues(...);
} else {
doSomethingWithParameter(param);
}
9. Reading an entire set of parameters
import java.io.*;
import java.util.Enumeration;
import javax.servlet.*;
import javax.servlet.http.*;
public class ShowParameters extends HttpServlet {
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    String docType = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 " +
                     "Transitional//EN\">\n";
    String title = "Reading All Request Parameters";
    out.println(docType +
                "<HTML>\n" +
                "<HEAD><TITLE>" + title + "</TITLE></HEAD>\n" +
                "<BODY BGCOLOR=\"#FDF5E6\">\n" +
                "<H1 ALIGN=CENTER>" + title + "</H1>\n" +
                "<TABLE BORDER=1 ALIGN=CENTER>");
    // Slide cuts off here; completed with slide 6's getParameterNames/Values. Values are echoed unfiltered (see slide 12).
    Enumeration<String> names = request.getParameterNames();
    while (names.hasMoreElements()) {
      String name = names.nextElement();
      String[] values = request.getParameterValues(name);
      out.println("<TR><TD>" + name + "<TD>" + String.join(", ", values));
    }
    out.println("</TABLE></BODY></HTML>");
  }
}
12. Filtering special characters
• You cannot safely insert arbitrary strings into servlet output
- < and > can cause problems anywhere
- & and " can cause problems inside of HTML attributes
• You sometimes cannot manually translate
- The string is derived from a program excerpt or another source where
it is already in some standard format
- The string is derived from HTML form data
• Failing to filter special characters from form data makes you vulnerable to cross-site scripting attacks
13. Summary
• Form submission is a critical task
• Rich support for normal and raw types of data
• Can read single values or arrays of values
• Filtering of special characters is needed to avoid cross-site scripting