Handling Form data
Agenda
• Creating and submitting a form
• Reading individual request parameters
• Reading an entire set of parameters
• Reading an array of values
The Role of Form data
• Example of a query string
- http://www.example.com/reg?user=John&origin=india
- Name/value pairs
- user / John in the above URL
- Names come from the HTML author
- Values come from the end user
• How do servlets read the data?
- Use request.getParameter()
- Use request.getParameterValues() for array types
- Use request.getParameterNames() for an enumerated list of names
HTML Forms
<HTML>
<HEAD><TITLE>A Sample Form Using GET</TITLE></HEAD>
<BODY BGCOLOR="#FDF5E6">
<H2 ALIGN="CENTER">A Sample Form Using GET</H2>
<FORM ACTION="http://localhost:8088/SomeProgram">
<CENTER>
First name:
<INPUT TYPE="TEXT" NAME="firstName" VALUE="Joe"><BR>
Last name:
<INPUT TYPE="TEXT" NAME="lastName" VALUE="Hacker"><P>
<INPUT TYPE="SUBMIT"> <!-- Press this to submit form -->
</CENTER>
</FORM>
</BODY></HTML>
HTML
• HTML files do not go in WEB-INF/classes
- They go in the directory that contains WEB-INF
- Tomcat: install_dir\webapps\ROOT\Form.html or
- install_dir\webapps\ROOT\SomeDir\Form.html
• URL
- http://localhost/Form.html or
- http://localhost/SomeDir/Form.html
• Custom Web applications
- Use a different directory with the same structure as the default Web app
Reading form data in servlets
• request.getParameter("name")
- Returns the URL-decoded value of the first occurrence of name in the query string
- Works identically for GET and POST requests
- Returns null if no such parameter is in the query data
• request.getParameterValues("name")
- Returns an array of the URL-decoded values of all occurrences of name in the
query string
- Returns a one-element array if the parameter is not repeated
- Returns null if no such parameter is in the query data
• request.getParameterNames() or request.getParameterMap()
- Returns an Enumeration or Map of the request parameters
- Usually reserved for debugging
Reading Raw Data
• Raw data
- request.getReader()
- request.getInputStream()
• Once the body has been read this way, POST parameters are no longer
available via getParameter
• Parsing uploaded files
- HTML has a way of submitting entire files
• <INPUT TYPE="FILE" …>
- The Servlet/JSP APIs have no built-in way to parse uploaded files
- A popular third-party library is available from the Apache/Jakarta
"Commons" project (Commons FileUpload)
Validation
• Missing values
- Field missing from the form
• getParameter returns null
- Field left blank when the form was submitted
• getParameter returns an empty string (or possibly a string containing only
whitespace)
- Must check for null before checking for an empty string
String param = request.getParameter("someName");
if ((param == null) || (param.trim().equals(""))) {
  doSomethingForMissingValues(...);
} else {
  doSomethingWithParameter(param);
}
Reading an entire set of parameters
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class ShowParameters extends HttpServlet {
  public void doGet(HttpServletRequest request,
                    HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    String docType =
      "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 " +
      "Transitional//EN\">\n";
    String title = "Reading All Request Parameters";
    out.println(docType +
                "<HTML>\n" +
                "<HEAD><TITLE>" + title + "</TITLE></HEAD>\n" +
                "<BODY BGCOLOR=\"#FDF5E6\">\n" +
                "<H1 ALIGN=CENTER>" + title + "</H1>\n" +
                "<TABLE BORDER=1 ALIGN=CENTER>\n" +
                "<TR><TH>Parameter Name<TH>Parameter Value(s)");
    // One row per parameter name; the loop continues on the next slide
    Enumeration paramNames = request.getParameterNames();
Reading an entire set of parameters (continued)
    while (paramNames.hasMoreElements()) {
      String paramName = (String) paramNames.nextElement();
      // Note: name and values are written to the page unescaped here;
      // see the slide on filtering special characters
      out.print("<TR><TD>" + paramName + "\n<TD>");
      String[] paramValues =
        request.getParameterValues(paramName);
      if (paramValues.length == 1) {
        String paramValue = paramValues[0];
        if (paramValue.length() == 0)
          out.println("<I>No Value</I>");
        else
          out.println(paramValue);
      } else {
        out.println("<UL>");
        for (int i = 0; i < paramValues.length; i++) {
          out.println("<LI>" + paramValues[i]);
        }
        out.println("</UL>");
      }
    }
    out.println("</TABLE>\n</BODY></HTML>");
  }
}
Reading an array of parameters
<input type="text" name="car" value="BMW" />
<input type="text" name="car" value="FERRARI" />
<input type="text" name="car" value="VOLVO" />
String[] cars = request.getParameterValues("car");
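A hypothetical helper, added here and not part of the slides, that applies the validation rules from the slides (null for a missing field, empty or whitespace-only for a blank one) to both single-valued and array-valued parameters such as the repeated "car" field; it assumes the javax.servlet API, and the class and method names are my own.

```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

// Hypothetical helper (not from the slides) applying their validation rules:
// getParameter() returns null for a missing field and "" (or only
// whitespace) for a blank one; getParameterValues() returns null when
// no field of that name was submitted at all.
public class FormReader {
  private final HttpServletRequest request;
  private final List<String> missing = new ArrayList<String>();

  public FormReader(HttpServletRequest request) {
    this.request = request;
  }

  // Required single value: null and blank are both "missing"; the name is
  // recorded so the caller can report every missing field in one response.
  public String required(String name) {
    String value = request.getParameter(name);
    if (value == null || value.trim().isEmpty()) {
      missing.add(name);
      return null;
    }
    return value.trim();
  }

  // Multi-valued field such as several inputs named "car": never returns
  // null, and drops blank entries so car=&car=BMW yields just {"BMW"}.
  public String[] values(String name) {
    String[] raw = request.getParameterValues(name);
    if (raw == null) {
      return new String[0];
    }
    List<String> kept = new ArrayList<String>();
    for (String v : raw) {
      if (v != null && !v.trim().isEmpty()) {
        kept.add(v.trim());
      }
    }
    return kept.toArray(new String[0]);
  }

  // Names passed to required() that were missing or blank, in call order.
  public List<String> missingFields() {
    return missing;
  }
}
```

In a servlet's doGet or doPost, create `new FormReader(request)`, call `required("firstName")` and `values("car")`, and check `missingFields()` before doing any work with the values.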
Filtering special characters
• You cannot safely insert arbitrary strings into servlet output
- < and > can cause problems anywhere
- & and " can cause problems inside HTML attributes
• You sometimes cannot translate them by hand
- The string is derived from a program excerpt or another source where it is
already in some standard format
- The string is derived from HTML form data
• Failing to filter special characters from form data leaves you
vulnerable to cross-site scripting (XSS) attacks
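The ShowParameters servlet on the earlier slides writes parameter names and values into the page unescaped, which is exactly the exposure this slide describes. The following is an added example, not code from the slides: a filter() method that replaces the characters listed above, applied to every request-supplied string on its way into the HTML. It assumes the javax.servlet API; the class name and method name are my own.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeShowParameters extends HttpServlet {
  // Escape the characters that change meaning in HTML text and attributes.
  // Every request-supplied value (parameter names included, since the
  // client chooses those too) must pass through this before it is written
  // into the page; otherwise a submitted <script> element runs in the
  // browser of whoever views the page.
  public static String filter(String input) {
    if (input == null) {
      return "";
    }
    StringBuilder out = new StringBuilder(input.length() + 16);
    for (int i = 0; i < input.length(); i++) {
      char c = input.charAt(i);
      switch (c) {
        case '<':  out.append("&lt;");   break;
        case '>':  out.append("&gt;");   break;
        case '&':  out.append("&amp;");  break;
        case '"':  out.append("&quot;"); break;
        case '\'': out.append("&#39;");  break;  // single-quoted attributes
        default:   out.append(c);
      }
    }
    return out.toString();
  }

  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html; charset=UTF-8");
    PrintWriter out = response.getWriter();
    out.println("<HTML><BODY><TABLE BORDER=1>\n"
              + "<TR><TH>Parameter Name<TH>Parameter Value(s)");
    Enumeration<?> paramNames = request.getParameterNames();
    while (paramNames.hasMoreElements()) {
      String name = (String) paramNames.nextElement();
      out.print("<TR><TD>" + filter(name) + "<TD><UL>");
      for (String value : request.getParameterValues(name)) {
        out.println("<LI>" + (value.isEmpty() ? "<I>No Value</I>" : filter(value)));
      }
      out.println("</UL>");
    }
    out.println("</TABLE></BODY></HTML>");
  }
}
```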
Summary
• Form submission is a critical task
• Rich support for both parsed and raw request data
• Can read single-valued or array-valued parameters
• Filtering of special characters is needed to avoid cross-site scripting

Advance java session 3