Last updated: Thu, 19 May 2005

urlencode

(PHP 3, PHP 4, PHP 5)

urlencode -- URL-encodes string

Description

string urlencode ( string str )

Returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits, and spaces are encoded as plus (+) signs. It is encoded the same way that the posted data from a WWW form is encoded, that is, the same way as in the application/x-www-form-urlencoded media type. This differs from the RFC 1738 encoding (see rawurlencode()) in that, for historical reasons, spaces are encoded as plus (+) signs. This function is convenient when encoding a string to be used in the query part of a URL, as a way to pass variables to the next page:

Example 1. urlencode() example

<?php
echo '<a href="mycgi?foo=', urlencode($userinput), '">';
?>

Note: Be careful about variables that may match HTML entities. Things like &amp, &copy and &pound are parsed by the browser and the actual entity is used instead of the desired variable name. This is an obvious hassle that the W3C has been telling people about for years. The reference is here: http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2. PHP supports changing the argument separator to the W3C-suggested semi-colon through the arg_separator .ini directive. Unfortunately most user agents do not send form data in this semi-colon separated format. A more portable way around this is to use &amp; instead of & as the separator. You don't need to change PHP's arg_separator for this. Leave it as &, but simply encode your URLs using htmlentities() or htmlspecialchars().

Example 2. urlencode() and htmlentities() example

<?php
$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
?>
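
An added example (not from the PHP manual): it applies the two layers from Example 2 to constructed input and checks whether the parameters survive the trip through an HTML attribute and back into a parsed query string. legacy_entity_decode() is a hypothetical, simplified model of the browser behaviour the note describes, covering only the three entities it names; build_query() and href_attr() are likewise names made up for this example.

```php
<?php
// Constructed sample input: a parameter name that looks like an entity
// (copy), plus values containing &, ", <, >, ', / and spaces.
$params = array(
    'foo'  => 'Rose & Mary',
    'copy' => '"><b>x</b>',
    'path' => "a/b c'd",
);

// Layer 1: URL-encode every name and value, then join with a literal &.
function build_query(array $params)
{
    $pairs = array();
    foreach ($params as $name => $value) {
        $pairs[] = urlencode($name) . '=' . urlencode($value);
    }
    return implode('&', $pairs);
}

// Layer 2: HTML-escape the finished URL for use inside a quoted attribute.
function href_attr($url)
{
    return htmlspecialchars($url, ENT_QUOTES);
}

// Assumption: simplified stand-in for a browser that resolves &amp, &copy
// and &pound with or without the trailing semicolon, as the note describes.
function legacy_entity_decode($attr)
{
    $map = array('amp' => '&', 'copy' => "\xC2\xA9", 'pound' => "\xC2\xA3");
    return preg_replace_callback('/&(amp|copy|pound);?/', function ($m) use ($map) {
        return $map[$m[1]];
    }, $attr);
}

$unescaped = 'mycgi?' . build_query($params);  // layer 1 only
$escaped   = href_attr($unescaped);            // layer 1, then layer 2

echo "query string : ", build_query($params), "\n";
echo "in attribute : <a href=\"$escaped\">\n";

// Decode each attribute value as the modelled browser would, then parse the
// query string as the receiving script would, and compare with the input.
foreach (array('unescaped' => $unescaped, 'escaped' => $escaped) as $label => $attr) {
    $url = legacy_entity_decode($attr);
    parse_str(substr($url, strpos($url, '?') + 1), $received);
    echo "$label: ", ($received === $params ? 'round-trips' : 'parameters changed'), "\n";
}
```

Because urlencode() output contains none of the characters " ' < >, the only HTML-significant character left in the query string is the & separator, which is exactly what the second layer escapes.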

See also urldecode(), htmlentities(), rawurldecode() and rawurlencode().



User Contributed Notes
urlencode
edwardzyang at thewritingpot dot com
15-Apr-2005 03:48
I was testing my input sanitation with some strange character entities. Ones like î and Ç were passed correctly and were in their raw form when I passed them through without any filtering.

However, some weird things happen when dealing with characters like (these are HTML entities): &#8252; &#9616; &#9488; and &#920; have weird things going on.

If you try to pass one in Internet Explorer, IE will *disable* the submit button. Firefox, however, does something weirder: it will convert it to its HTML entity. It will display properly, but only when you don't convert entities.

The point? Be careful with decorative characters.

PS: If you try copy/pasting one of these characters to a TXT file, it will translate to a ?.
Timwi
17-Feb-2005 05:49
The information on this page is misleading in that you might think the ampersand (&) will only need to be escaped as &amp; when there is ambiguity with an existing character entity. This is false; the W3C page linked to from here clarifies that the ampersands must ALWAYS be escaped.

The following:

  <a href='/script.php?variable1=value1&variable2=value2'>Link</a>

is INVALID HTML. It needs to be written as:

  <a href='/script.php?variable1=value1&amp;variable2=value2'>Link</a>

in order for the link to go to:

  /script.php?variable1=value1&variable2=value2

I applaud the W3C's recommendation to use semicolons (';') instead of the ampersands, but it doesn't really change the fact that you still need to HTML-escape the value of all your HTML tag attributes. The following:

  <span title='Rose & Mary'>Some text</span>

is also INVALID HTML. It needs to be escaped as:

  <span title='Rose &amp; Mary'>Some text</span>
george at ishop dot com
04-Nov-2004 03:35
---[ Editor's Note ]---
You can also use rawurlencode() here, and skip the functions provided in this note.
---[ /Editor's Note ]---

For handling slashes in redirections, (see comment from cameron at enprises dot com), try this :

function myurlencode ( $TheVal )
{
 return urlencode (str_replace("/","%2f",$TheVal));
}

function myurldecode ( $TheVal )
{
 return str_replace("%2f","/",urldecode ($TheVal));
}

This is effectively a double urlencode for slashes and single urlencode for everything else.  So, it is more "standardised" than his suggestion of using a + sign, and more readable (and search engine indexable) than a full double encode/decode.
neugey at cox dot net
17-Sep-2004 03:51
Be careful when encoding strings that came from simplexml in PHP 5.  If you try to urlencode a simplexml object, the script tanks.

I got around the problem by using a cast.

$newValue = urlencode( (string) $oldValue );
monty3 at hotmail dot com
09-Sep-2004 03:00
If you want to pass a url with parameters as a value IN a url AND through a javascript function, such as...

   <a href="javascript:openWin('page.php?url=index.php?id=4&pg=2');">

...pass the url value through the PHP urlencode() function twice, like this...

<?php

   $url = "index.php?id=4&pg=2";

   $url = urlencode(urlencode($url));

   echo "<a href=\"javascript:openWin('page.php?url=$url');\">";
?>

On the page being opened by the javascript function (page.php), you only need to urldecode() once, because when javascript 'touches' the url that passes through it, it decodes the url once itself. So, just decode it once more in your PHP script to fully undo the double-encoding...

<?php

   $url = urldecode($_GET['url']);
?>

If you don't do this, you'll find that the result url value in the target script is missing all the var=values following the ? question mark...

   index.php?id=4
issue9mm at leafapplication dot com
07-Oct-2002 08:53
Just a simple comment, really, but if you need to encode apostrophes, you should be using rawurlencode as opposed to just urlencode.

Naturally, I figured that out the hard way.

Copyright © 2001-2005 The PHP Group
All rights reserved.
This unofficial mirror is operated at: The Server Pages
Last updated: Thu May 19 17:35:34 2005 CDT