HTTP allows multiple parameters with the same name, both in the GET and POST methods. The HTTP standards neither explain nor have rules set on how to interpret multiple input parameters with the same name—whether to accept the last occurrence of the variable or the first occurrence, or to use the variable as an array.

For example, the following POST request is per the standard, even when the item_id variable has num1 and num2 as values:

item_id=num1&second_parameter=3&item_id=num2  

Although it is acceptable per HTTP protocol standard, the way that different web servers and development frameworks handle multiple parameters varies. The unknown process of handling multiple parameters often leads to security issues. This unexpected behavior is known as HTTP parameter pollution. The following table shows HTTP duplicated parameter behavior in major web servers: