URL Encode and Decode
Summary
Definition: Percent-encoding replaces bytes with %XX to make URLs unambiguous.
Why it matters: Correct encoding prevents broken parsing and API errors.
Pitfall: Encoding the wrong URL component changes meaning.
- Percent-encoding
- Representing bytes as %XX hex values.
- Unreserved
- A-Z a-z 0-9 - . _ ~, never encoded.
- Reserved
- Characters with special meaning in URLs.
- Query string
- URL part after ? with key=value pairs.
- Form encoding
- application/x-www-form-urlencoded rules.
Encoding rules at a glance
Encoding rules differ by URL component such as path, query, or fragment.
Query strings and APIs
Encode each query key and value separately. Reserved characters like & and = must be encoded inside values.
Common mix-up: URL encoding is not encryption. It only preserves meaning during transport.
application/x-www-form-urlencoded
- Plus sign
- Represents space in form-encoded data.
The + to space rule applies only to form encoding, not to all URLs.
UTF-8 and non-ASCII characters
Characters are first encoded as UTF-8 bytes, then each byte is percent-encoded.
This matters for non-ASCII input like emojis or accented characters.
Quick example
Encode keys and values, then join with separators.
search=encrypt online&tag=dev+ops
search=encrypt%20online&tag=dev%2BopsIncorrect vs correct
Encoding the full URL changes its structure.
https://api.example.com/search?q=foo bar
https%3A%2F%2Fapi.example.com%2Fsearch%3Fq%3Dfoo%20barOnly encode the query value.
https://api.example.com/search?q=foo%20barPractical check
- Encode each key and value separately.
- Confirm unreserved characters stay readable.
- Decode exactly once after validation.
Never decode user input before validation; decoding can change separators and meaning.