I'm using a 3rd party component that generates URLs with query strings.
These URLs are of the form:
It's interesting how HTTP as touted as the "everyman protocol" with
claims that anyone can write a client or server, yet the RFC is so
complex that supposedly professional developers can't get simple stuff
like this right.
I've checked both RFC 1738 and RFC 3986, which define URL formats, and
it appears to me that the first parameter in a query string may indeed
have "&" in front of the name. The 3rd party developer develops against
Apache and has never had this problem.
Yep, technically you can do this, but what does it mean? The standard
also says this should be a sequence of & and = characters that makes up
form values. So what does the stray & mean? How would you parse it?
This is generally translated into a Hash so is it dropped or is
something special done?
The issue you're running into isn't an HTTP level problem but more of
how an application should parse the parameters of a query form. When
they do this, it's for a form from a browser. Without a good reason for
doing this it's hard to justify suddenly allowing it. In fact I'd put
something like this in the realm of sneaky potentially dangerous stuff
since--if you decided to remove them when encountered--you could get
/stuff/path/file?&&&&&&&&&&&&&&&&&&& &&& && &&&& &&&&&¶m1=xyz
Just waiting to be abused there.
Instead, I'd tell the guy that while it's not explicitly forbidden in
the HTTP RFC it is not standard practice, does not follow how any
browser submits forms, and isn't allowed in many CGI processing
Also, you should probably call him out on it since what he's doing is
looping over the hash of params and he's too lazy to do the join right
so he just tacks a "&" in front. I'm betting there's other parts of the
code that are very questionable. He's basically doing this:
string query = ""
foreach key in params
query += "&" + key + "=" + params[key]
He'll most likely fight you on it rather than change it since he's
probably got code like this all over and he thought it was an ultra
clever solution. He's also most likely using a C type language with
poor strings that don't have a "join". If he's using ruby then
definitely kick him to the curb since he should know better.
It's classic Potpourri Turd Syndrome (his turd don't stink, no everyone
else's is crap).