Posted to users@tomcat.apache.org by Otmar Manuela <ot...@caribmedia.com> on 2010/06/08 20:06:15 UTC
What is the difference between ${param.P} and <%= request.getParameter("P") %>?
Hi,
I have a contact page, which contains a struts form. However, on that
page, when trying to read the URL parameters, I get a zero instead of
the parameter value, unless I use <%= request.getParameter() %>.
Example:
URL loading the contact form page:
http://www.somedomain.com/contact.do?itemCode=ABC
Contact Form Page:
......
<p>Please send me info regarding ${param.itemCode}</p>
<html:form action="contactForm">
....
....
<html:submit>Submit</html:submit>
</html:form>
.....
The paragraph in the Contact Form page above shows "Please send me info
regarding 0". If I change ${param.itemCode} with <%=
request.getParameter("itemCode") %>, I get "Please send me info
regarding ABC", which is what I want to show.
This is the first time I encountered this issue. Normally both would
return the same thing.
Any idea what is happening? I'm trying to avoid the "<%= %>" syntax
as much as possible.
Thanks,
Otmar
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: What is the difference between ${param.P} and <%= request.getParameter("P") %>?
Posted by Konstantin Kolinko <kn...@gmail.com>.
2010/6/12 Otmar Manuela <ot...@caribmedia.com>:
>
> So the problem would not happen with ${param.P}, but only with
> ${param.my-code}. I guess with parameters with dashes in it, it treats it
> as a calculation and therefore returns a 0.
>
Yes, it does. BTW, you can use ${param['my-code']}
> Regarding the javascript attack in the code sample, you are probably right.
> I guess a <c:out> escaping the XML characters will probably help a lot
> already, but it does require more thought.
>
or use ${fn:escapeXml( ... )}
The URI for the fn prefix is
http://java.sun.com/jsp/jstl/functions
Best regards,
Konstantin Kolinko
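
The two points in this reply (bracket syntax for a parameter name containing a dash, and escaping the value on output) shown together as an added example that is not part of the original thread. The request URL and the hidden-field markup are constructed for illustration; the core taglib URI is the standard JSTL 1.1 one, and the fn URI is the one given above.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- Constructed request for this example: /contact.do?my-code=ABC --%>

<%-- 1. Dot form with a dash: EL parses this as (param.my) - (code).
        Neither "my" nor "code" resolves to anything, and EL arithmetic
        coerces two null operands to 0, so the page shows 0, not ABC. --%>
<p>Dot form: ${param.my-code}</p>

<%-- 2. Bracket form: the quoted string is the map key, so the parameter
        named "my-code" is looked up. The value is still written into the
        page unescaped, which is the exposure Pid's P.S. refers to. --%>
<p>Bracket form, unescaped: ${param['my-code']}</p>

<%-- 3. Bracket form with output escaping. <c:out> escapes
        < > & ' " by default (escapeXml="true"). --%>
<p>Please send me info regarding <c:out value="${param['my-code']}"/></p>

<%-- 4. fn:escapeXml applies the same escaping inside an EL expression,
        which is convenient inside an attribute value. Keep the attribute
        quoted; the escaping covers quote characters but not an unquoted
        attribute. --%>
<input type="hidden" name="my-code"
       value="${fn:escapeXml(param['my-code'])}"/>

<%-- Both forms escape for HTML text and quoted attributes only. They are
     not the right encoding for a value placed inside a <script> block
     or a URL. --%>
```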
Re: What is the difference between ${param.P} and <%= request.getParameter("P") %>?
Posted by Otmar Manuela <ot...@caribmedia.com>.
Thanks for the replies. I figured out what was causing the problem. I
was using parameters with dashes in it and that was causing this
problem. Since I only tested with different parameters with dashes in
them, I assume it was happening with all parameters. My bad!
So the problem would not happen with ${param.P}, but only with
${param.my-code}. I guess with parameters with dashes in it, it treats
it as a calculation and therefore returns a 0.
Regarding the javascript attack in the code sample, you are probably
right. I guess a <c:out> escaping the XML characters will probably help
a lot already, but it does require more thought.
Otmar
On 6/9/2010 4:09 AM, Pid wrote:
> On 08/06/2010 19:06, Otmar Manuela wrote:
>
>> Hi,
>>
>> I have a contact page, which contains a struts form. However, on that
>> page, when trying to read the URL parameters, I get a zero instead of
>> the parameter value, unless I use <%= request.getParameter() %>.
>>
>> Example:
>>
>> URL loading the contact form page:
>> http://www.somedomain.com/contact.do?itemCode=ABC
>>
>> Contact Form Page:
>> ......
>> <p>Please send me info regarding ${param.itemCode}</p>
>> <html:form action="contactForm">
>> ....
>> ....
>> <html:submit>Submit</html:submit>
>> </html:form>
>> .....
>>
>>
>> The paragraph in the Contact Form page above shows "Please send me info
>> regarding 0". If I change ${param.itemCode} with <%=
>> request.getParameter("itemCode") %>, I get "Please send me info
>> regarding ABC", which is what I want to show.
>> This is the first time I encountered this issue. Normally both would
>> return the same thing.
>>
>> Any idea what is happening? I'm trying to avoid the "<%= %>" syntax
>> as much as possible.
>>
> Hard to know which JSP version you're using without knowing which Tomcat
> version, and which version number you have in your web.xml.
>
> It's usually a good idea to tell us everything about your environment,
> including exact Tomcat, OS, JVM and any relevant library versions.
>
> If you want to use EL scripting then you may also need to check it's
> enabled by default (jsp-config section of web.xml if memory serves)
>
>
> p
>
>
> P.S. Also, the above code is probably horribly exposed to javascript
> attacks, you should not display raw parameter information anywhere in
> your HTML
>
>> Thanks,
>>
>> Otmar
>>
Re: What is the difference between ${param.P} and <%= request.getParameter("P") %>?
Posted by yu...@live.co.za.
--------------------------------------------------
From: "Pid" <pi...@pidster.com>
Sent: Wednesday, June 09, 2010 1:09 AM
To: "Tomcat Users List" <us...@tomcat.apache.org>
Subject: Re: What is the difference between ${param.P} and <%= request.getParameter("P") %>?
Other than the one being EL and easier/quicker to code, not much I think.
You are better off using ${param["P"]} though, as the [] allows you to break
away from identifier naming conventions, so the identifier can be a numeric as
an example. The expression becomes the argument to the println in the
converted servlet for the JSP.
IOW
<%= request.getParameter("P") %> will become out.println(
request.getParameter("P")) in the translated servlet.
Just had a look in HF Servlets and JSP and the only thing I could find was
what happens behind the scenes.
HF lists the use of EL as being there because the guys over using Adobe are
more familiar with EL than code.
Re: What is the difference between ${param.P} and <%= request.getParameter("P") %>?
Posted by Pid <pi...@pidster.com>.
On 08/06/2010 19:06, Otmar Manuela wrote:
> Hi,
>
> I have a contact page, which contains a struts form. However, on that
> page, when trying to read the URL parameters, I get a zero instead of
> the parameter value, unless I use <%= request.getParameter() %>.
>
> Example:
>
> URL loading the contact form page:
> http://www.somedomain.com/contact.do?itemCode=ABC
>
> Contact Form Page:
> ......
> <p>Please send me info regarding ${param.itemCode}</p>
> <html:form action="contactForm">
> ....
> ....
> <html:submit>Submit</html:submit>
> </html:form>
> .....
>
>
> The paragraph in the Contact Form page above shows "Please send me info
> regarding 0". If I change ${param.itemCode} with <%=
> request.getParameter("itemCode") %>, I get "Please send me info
> regarding ABC", which is what I want to show.
> This is the first time I encountered this issue. Normally both would
> return the same thing.
>
> Any idea what is happening? I'm trying to avoid the "<%= %>" syntax
> as much as possible.
Hard to know which JSP version you're using without knowing which Tomcat
version, and which version number you have in your web.xml.
It's usually a good idea to tell us everything about your environment,
including exact Tomcat, OS, JVM and any relevant library versions.
If you want to use EL scripting then you may also need to check it's
enabled by default (jsp-config section of web.xml if memory serves)
p
P.S. Also, the above code is probably horribly exposed to javascript
attacks, you should not display raw parameter information anywhere in
your HTML
> Thanks,
>
> Otmar
>
Re: What is the difference between ${param.P} and <%= request.getParameter("P") %>?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Otmar,
On 6/8/2010 2:06 PM, Otmar Manuela wrote:
> URL loading the contact form page:
> http://www.somedomain.com/contact.do?itemCode=ABC
>
> Contact Form Page:
> ......
> <p>Please send me info regarding ${param.itemCode}</p>
You are missing some very important information: what is "param"?
> I'm trying to avoid the "<%= %>" syntax
> as much as possible.
Good plan. Shouldn't you be using <c:out> instead of just ${param.itemCode}?
-chris