Fetching the names of all the parameters passed to your script:
@names = $query->multi_param
@names = $query->param
If the scriptwas invoked with aparameter list (e.g. “name1=value1&name2=value2&name3=value3″), the param() / multi_param() methods will return theparameter names as a list. If the scriptwas invoked as an
script and contains a string without ampersands (e.g. “value1+value2+value3″) , there will be a single parameter named “keywords” containing the “+”-delimited keywords.
NOTE: As of version 1.5, the array of parameter names returned will be in the same order as they were submitted by the browser. Usually this order is the same as the order in which the parameters are defined in the form (however, this isn’t part of the spec, and so isn’t guaranteed).
Fetching the value or values of a single named parameter:
@values = $query->multi_param('foo');
$value = $query->param('foo');
Pass the param() / multi_param() method a single argument to fetch the value of the named parameter. If the parameter is multivalued (e.g. from multiple selections in a scrolling list), you can ask to receive an array. Otherwise the method will return a single value.
Warning – calling param() in list context can lead to vulnerabilities if you do not sanitise user input as it is possible to inject other param keys and values into your code. This is why the multi_param() method exists, to make it clear that a list is being returned, note that param() can stil be called in list context and will return a list for back compatibility.
The following code is an example of a vulnerability as the call to param will be evaluated in list context and thus possibly inject extra keys and values into the hash:
my %user_info = (
id => 1,
name => $query->param('name'),
The fix for the above is to force scalar context on the call to ->param by prefixing it with “scalar”
name => scalar $query->param('name')
If you call param() in list context with an argument a warning will be raised by CGI.pm, you can disable this warning by setting $CGI::LIST_CONTEXT_WARN to 0 or by using the multi_param() method instead
If a value is not given in the query string, as in the queries “name1=&name2=”, it will be returned as an empty string.
If the parameter does not exist at all, then param() will return undef in a scalar context, and the empty list in a list context.