Is a system depending on HTTP get/post parameter order reliable?

Tags: http, post, get

I am trying to implement a system which depends on the HTTP get/post parameter order.

I want the system to provide a remote function call mechanism, for example: Suppose there is a function foo(int, int), it can be called remotely by HTTP get http://ip:port/method=foo&paramType=int&param=1&paramType=int&param=2 or HTTP post with post data as method=foo&paramType=int&param=1&paramType=int&param=2, which acts as call foo(1,2) locally.

As you see, it depends on parameter order extremely. If the parameter order goes wrong, foo(2,1) will be called unexpectedly.

But I am not sure whether it is reliable, since I think W3 did not make a spec for the parameter order (tell me if I'm wrong).

I am not sure the parameter order will be as expected at three points:

  1. Will the client (such as a browser or jmeter) post the parameters in the order you see?
  2. Will the order be preserved during transmission?
  3. Will the web container (such as tomcat) or the web framework (such as django) preserve the parameter order?

I did a few tests and found that chrome, firefox and jmeter send get/post parameters as expected and tomcat preserves the parameter order, but it's hard work to find negative cases and I am not sure there are no such cases. So I can't be sure whether the system I am trying to implement is reliable.

Does anyone have any experience with such a problem? All suggestions are welcome.

WKPlus asked Oct 27 '25 06:10


1 Answer

You cannot enforce parameter order in either a URL query string or an application/x-www-form-urlencoded post. Although W3C defines HTML to transmit form values in the order they appear in the HTML, server-side scripts are free to access parameters by name in any order, and having multiple parameters with the same name is a recipe for disaster. You need to rename your parameters to make them unique and order-independent, eg:

method=foo&param1Type=int&param1=1&param2Type=int&param2=2

This way, foo() can read its 2 paramX parameters regardless of their ordering. For instance, this would also be perfectly valid and still be functional:

param2=2&param1=1&param1Type=int&param2Type=int&method=foo

Personally, I would suggest you eliminate the paramType parameters:

method=foo&param1=1&param2=2

Your API spec dictates the data types of the parameters. If a client sends a non-integer value to foo(), return an HTTP error, like 400 Bad Request. Always validate input before using it.

Remy Lebeau answered Oct 30 '25 00:10
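As an added illustration of the answer above (example code written for this page, not code from either poster), the dispatcher below reads uniquely named parameters by name, so the query string can arrive in any order, and it rejects missing, repeated or non-integer values with a 400 status before calling anything. The method registry, the `dispatch` helper and `foo` itself are assumptions made for the example; `positional_collapse` shows why the original `param=1&param=2` scheme is fragile when a server-side layer folds the pairs into a dictionary.

```python
from urllib.parse import parse_qs, parse_qsl

def foo(a: int, b: int) -> int:
    # Deliberately asymmetric so that swapped arguments would be visible.
    return a - b

# Hypothetical registry: method name -> (callable, parameter names in call order).
# The API spec, not the wire order, decides which named value feeds which argument.
METHODS = {
    "foo": (foo, ["param1", "param2"]),
}

def dispatch(query: str):
    """Simulate the server side of the remote call.

    Returns an (http_status, payload) pair the way a request handler would.
    """
    # parse_qs returns every value as a list, which lets us detect repeats.
    params = parse_qs(query, keep_blank_values=True)

    method_values = params.get("method", [])
    if len(method_values) != 1 or method_values[0] not in METHODS:
        return 404, "unknown or ambiguous method"

    func, names = METHODS[method_values[0]]
    args = []
    for name in names:
        values = params.get(name, [])
        if len(values) != 1:
            # Missing or duplicated parameter: the request is malformed.
            return 400, f"parameter {name} must appear exactly once"
        try:
            args.append(int(values[0]))
        except ValueError:
            # Validate input before use; the spec says this argument is an int.
            return 400, f"parameter {name} must be an integer"
    return 200, func(*args)

def positional_collapse(query: str) -> dict:
    """Show the hazard of reusing one parameter name for several positions.

    parse_qsl preserves order, but as soon as a framework (or this dict())
    maps names to single values, every earlier repeat is silently dropped.
    """
    return dict(parse_qsl(query, keep_blank_values=True))

if __name__ == "__main__":
    print(dispatch("method=foo&param1=1&param2=2"))          # (200, -1)
    print(dispatch("param2=2&param1=1&method=foo"))          # same call, reordered
    print(dispatch("method=foo&param1=x&param2=2"))          # (400, ...)
    print(positional_collapse("method=foo&param=1&param=2"))  # 'param' keeps only '2'
```

Running the script shows the two reordered queries producing the same `foo(1, 2)` call, while the constructed duplicate-name query loses its first value entirely once it is turned into a mapping.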
