Binding requests

Use params.Bind to bind an incoming http.Request into a struct. Fields are annotated with tags such as json, form, query, or path.

handler_note.go


type CreateNoteRequest struct {
    Title   string `json:"title"`
    Content string `json:"content"`
}
 
func (h *NoteHandler) CreateNote() http.HandlerFunc {
    return httpx.Wrap(func(r *http.Request) (httpx.Response, error) {
        var req CreateNoteRequest
        if err := params.Bind(&req, r); err != nil {
            return httpx.JSON.BadRequest("invalid request body"), err
        }
        // ...
    })
}

The binder supports many sources: body (JSON or XML), form values, query parameters, headers, cookies, context values and even uploaded files. The order of precedence follows the comments in params.go.

Tag reference

Body: `json` and `xml`

Use these tags on struct fields to bind JSON or XML payloads.

Form values: `form`

The form tag binds data sent with application/x-www-form-urlencoded or multipart/form-data.


type UploadRequest struct {
    Name string `form:"name"`
    File *multipart.FileHeader `file:"upload"`
}

File uploads are mapped with the file or files tags on *multipart.FileHeader fields.

Only available for the root level of the struct.

Query parameters: `query`

Bind values from the URL query string.

Only available for the root level of the struct.

Path parameters: `path`

Extract variables from the route path.

Only available for the root level of the struct.

Headers: `headers`

Assign values from request headers.

Only available for the root level of the struct.

Cookies: `cookie`


type MyRequest struct {
    SessionID string `cookie:"sid"`
}

params.Bind will look for a cookie named sid and fill the SessionID field if present.

Only available for the root level of the struct.

Context: `ctx`

Read values from the request context. Only available for the root level of the struct.

You MUST set tag json json:”-” for POST request otherwise an attacker can try to set structs or objects in the request body and this will be bind to the struct.

For example, if you have a struct like this:


type MeRequest struct {
	User *types.User `ctx:"goframe.user"`
}

The attacker may send a body with a User field and a { ID: "123" } value, which will be bound to the User field.

If the ctx exists it will erase the JSON decoded value, but it is better to be safe than sorry.

Defaults and helpers

Use the default tag to set a value when nothing was bound. Slices may use exploder to split a single string into multiple values.

Last updated on August 21, 2025

URL Helper Validation