HTTP parameter pollution

HTTP allows a request to carry several parameters with the same name, whether they arrive in the query string of a GET request or in the body of a POST request. The HTTP standards neither explain nor set rules on how multiple input parameters with the same name should be interpreted: whether to accept the last occurrence of the variable or the first, or to treat the occurrences as an array.

In the following example, the POST request body is valid as per the standard. The only unusual feature is that the item_id variable is supplied twice, once with the value num1 and once with the value num2:

item_id=num1&item_id=num2

Although this is acceptable as per the HTTP protocol standard, the way different web servers and development frameworks handle duplicate parameters varies. When the handling of duplicate parameters is not known, or is not the same at every layer that inspects the request, that often leads to security issues. This unexpected behavior ...
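The following script is an added example and is not code from the book. It parses the request body shown above into the three interpretations the text mentions (first occurrence, last occurrence, array) plus the comma-joined form, flags any parameter that appears more than once, and then emulates the classic HTTP parameter pollution failure: a front-end filter that validates the first occurrence while the backend acts on the last. The sample bodies, the `allowed` set and the "filter reads first, backend reads last" split are constructed assumptions for illustration; which occurrence a real server picks must be confirmed against the actual stack under test.

```python
from urllib.parse import parse_qsl

# Constructed sample input: the POST body from the text.
SAMPLE_BODY = "item_id=num1&item_id=num2"


def interpretations(query: str) -> dict:
    """Return every plausible reading of each parameter in a query/body string.

    parse_qsl keeps duplicates and their order, which is what we need here;
    the higher-level parse_qs would already have collapsed them into lists.
    """
    by_name: dict = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        by_name.setdefault(name, []).append(value)
    return {
        name: {
            "first": values[0],          # e.g. Java Servlet getParameter()
            "last": values[-1],          # e.g. PHP $_GET / $_POST
            "all": values,               # e.g. Python parse_qs, Flask getlist()
            "joined": ",".join(values),  # e.g. ASP.NET Request.QueryString
        }
        for name, values in by_name.items()
    }


def polluted_parameters(query: str) -> list:
    """Names that occur more than once; a filter at the edge should reject these."""
    return sorted(name for name, view in interpretations(query).items()
                  if len(view["all"]) > 1)


def split_decision(query: str, param: str, allowed: set) -> tuple:
    """Emulate a two-layer deployment (assumed for illustration):
    the front-end filter checks the FIRST occurrence against an allow-list,
    the backend consumes the LAST occurrence. Returns (filter_passed, backend_value).
    """
    view = interpretations(query).get(param)
    if view is None:
        return (False, None)
    filter_passed = view["first"] in allowed
    return (filter_passed, view["last"])


if __name__ == "__main__":
    for name, view in interpretations(SAMPLE_BODY).items():
        print(name, view)
    print("polluted:", polluted_parameters(SAMPLE_BODY))
    # Constructed attack body: the filter sees the allowed "1", the backend sees "99".
    print("split decision:", split_decision("item_id=1&item_id=99", "item_id", {"1"}))
```

The practical lesson is that picking an occurrence (first, last, joined) at the edge is not a fix, because the next layer may pick a different one; the safer check is `polluted_parameters()`, which rejects the request outright whenever a name is repeated, and it should run at the same layer that enforces the allow-list.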
