java parameters and attributes

[xmike1]

Can someone give me a quick description of the differences between a request attribute and a request parameter? I have tried to cycle through all the parameters in a request, using getParameterNames and getParameter,in the hopes that I could modify the data and set it back to the request with setAttribute. This doesn't seem to work.

[ray326]

A "parameter" is a form field name/value pair passed from the HTML side of the world. Its value is a String.

An "attribute" is a Java object name/value pair passed only through the internal JavaServer processes. (I.e. it can come from a JSP or servlet but not an HTML page.) Its value is an Object.

You can't alter the request parameters, just read them. If you could there would be a setParameter() method. Parameters and attributes do not share a name space so a parameter named "foo" and an attribute keyed "foo" are distinct.

[xmike1]

Thanks. That was very clear. So I am hosed taking this approach. I guess I would have to interogate these fields at the screen level on a submit. I could use JavaScript to go through each and change them before sending them on. More work but is sounds doable.

If there is a better approach please let me know (anyone).

[ray326]

If you know your users have Javascript enabled then you could certainly massage the parameters before submitting the form. A better way might be to let the servlet create an object using the parameter values then using that object as an attribute.

[slaughters]

I know this is a very old thread - but I was looking for something similar in order to create a generic routine to scan the values of incoming parameters and replace/encode characters normally seen as part of an SQL injection attack ( --, ', ") or a Cross site scripting attack ( <, >).

I ran across this code from the jGuru site that looks potentially useful:
http://jguru.com/faq/view.jsp?EID=104987
(Code copy and pasted below)

I plan (hopefully) to adapt the below technique to "clean" all incoming parameters values so I will not have to go though and edit 300+ exist JSP form pages individually, with all their separate parameter names, etc..

Code:

package com.ragingnet.util;

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;
import java.net.*;

/** Called by another servlet or jsp page to pass post parameters - both from the original request,
 *  and new ones added to it - on to another page, such as a CGI script.
 *  This is probably not of any use in a pure Servlet/JSP environment, but useful for passing
 *  requests along to existing CGI scripts, etc.
 *
 *  Useage: First call the following:
 *    setUrlForward(url)   [required]
 *    setPassExistingParams(boolean)   [optional - default is TRUE]
 *    setParam(paramName, paramValue)    [multiple times if desired]
 *    setHeader(headerName, headerValue)   [multiple times if desired]
 *
 *  Then call Go(request, response)
 *
 * @author Roger Hand
 * @date  April 2, 2001
 *
 */
public class PassPostRequestServlet extends HttpServlet {
  private String urlForward = null;
  private Vector vectParams = new Vector();
  private Vector vectHeaders = new Vector();

  /* by default, we pass existing params from the originating page,
  but this can be suppressed if desired. */
  private boolean passExistingParams = true;

  /**Initialize global variables*/
  private static final String CONTENT_TYPE = "text/html";
  private static final int ARRAY_POS_PARAMNAME = 0;
  private static final int ARRAY_POS_PARAMVALUE = 1;
  private static final int ARRAY_POS_HEADERNAME = 0;
  private static final int ARRAY_POS_HEADERVALUE = 1;
  private static final boolean debug = true;

  public void init(ServletConfig config) throws ServletException {
    super.init(config);
  }

  public void setParam(String paramName, String paramValue) {
    String[] arrayParamName_Value = {paramName, URLEncoder.encode(paramValue)};
    vectParams.add(arrayParamName_Value);
  }

  public void setParam(String paramName, int paramValue) {
    setParam(paramName, Integer.toString(paramValue));
  }

  public void setHeader(String headerName, String headerValue) {
    String[] arrayHeaderName_Value = {headerName, headerValue};
    vectHeaders.add(arrayHeaderName_Value);
  }

  public void Go(HttpServletRequest request, HttpServletResponse response)  throws ServletException, IOException {
    boolean debug = false;
    response.setContentType(CONTENT_TYPE);
    PrintWriter out = response.getWriter();

    try{

        /**
         * First we SEND the request to the web server
         */

        URL url = new URL(urlForward);
        URLConnection connection = url.openConnection();
        connection.setDoOutput(true);

        if (debug) System.out.println("Opened connection to " + urlForward);


        /* ADD our NEW HEADERS here */
        /* We don't pass on any existing headers
          It could be we may want to pick and choose a few to send on */
        for (int iHeader = 0;iHeader < vectHeaders.size(); iHeader++) {
          String[] arrayHeaderName_Value = (String[])vectHeaders.get(iHeader);
          connection.setRequestProperty(arrayHeaderName_Value[ARRAY_POS_HEADERNAME], arrayHeaderName_Value[ARRAY_POS_HEADERVALUE]);
          if (debug) System.out.println("Added header " + arrayHeaderName_Value[ARRAY_POS_HEADERNAME] +
            " with value " + arrayHeaderName_Value[ARRAY_POS_HEADERVALUE]);
        } //next header

        PrintStream outStream =
               new PrintStream(connection.getOutputStream());

        /* Pass on EXISTING PARAMS here (if desired)
          These are parameters set in the original form from the browser.
          It seems we should just be able to pass them on, but I haven't found a way,
          so we've gotta recreate them here.
         */
        String paramString = "";
        if (passExistingParams) {
          Enumeration enumPNames = request.getParameterNames();

          while(enumPNames.hasMoreElements()) {
            String paramName = (String)enumPNames.nextElement();

            String[] arrayParam = request.getParameterValues(paramName);

            if (arrayParam != null) {
              for(int iParam=0; iParam < arrayParam.length; iParam++) {
                paramString += paramName + "=" + arrayParam[iParam] + "&";
              }
            }
          }
        } //if (passExistingParams) {

        /* ADD our NEW PARAMS here */
        for (int iParam = 0;iParam < vectParams.size(); iParam++) {
          String[] arrayParamName_Value = (String[])vectParams.get(iParam);
          paramString += arrayParamName_Value[ARRAY_POS_PARAMNAME] + "=" + arrayParamName_Value[ARRAY_POS_PARAMVALUE] + "&";
        } //next parameter

        /* get rid of last '&' */
        if (paramString.endsWith("&")) {
          paramString = paramString.substring(0, paramString.length() - 1);
        }

        if (debug) System.out.println("paramString is " + paramString);
        //Sending parameter to URL/CGI
        outStream.println(paramString);

        outStream.flush();
        outStream.close();

        /**
         * Now we RECEIVE response from web server and pass it back to browser client
         */

        String inputLine;

   BufferedReader inStream =
      new BufferedReader(
      new InputStreamReader(connection.getInputStream()));

          /* this was in example, but is deprecated usage */
         //inStream = new DataInputStream(connection.getInputStream());
         while (null != (inputLine = inStream.readLine())) {
                out.println(inputLine);
         }
         inStream.close();
    } catch (MalformedURLException me) {
        System.err.println("MalformedURLException: " + me);
    } catch (IOException ioe) {
        System.err.println("IOException: " + ioe);
    }
    vectParams.clear();

  }

  /**Clean up resources*/
  public void destroy() {
  }
  public void setUrlForward(String newUrlForward) {
    urlForward = newUrlForward;
  }
  public void setPassExistingParams(boolean newPassExistingParams) {
    passExistingParams = newPassExistingParams;
  }
}