URL Encoding Query Parameters: A Practical Guide

URL query parameters carry data after the ? in a URL. Each parameter is a key=value pair, and multiple parameters are separated by &. The problem: if your values contain &, =, #, or spaces, the server misreads where one parameter ends and the next begins.

URL encoding solves this by converting reserved characters into percent-codes like %26 for & and %3D for =, so the value passes through the URL structure safely.

Which Characters Need to Be Encoded in Query Values

In query parameter values, these characters must always be encoded:

Character	Meaning in URL	Encoded As
&	Separates parameters	%26
=	Separates key from value	%3D
?	Starts the query string	%3F
#	Starts a fragment	%23
Space	Separates tokens	%20 or +
+	Shorthand for space (form encoding)	%2B
/	Separates path segments	%2F

Safe characters that don't need encoding: A–Z a–z 0–9 - _ . ~

Query Parameter Encoding Examples

Here are common scenarios where encoding is required:

Search query with spaces:

q=coffee shops
→ q=coffee%20shops

Value containing an ampersand:

company=Smith & Sons
→ company=Smith%20%26%20Sons

Value containing an equals sign:

filter=price>=50
→ filter=price%3E%3D50

Email address as a parameter:

[email protected]
→ email=user%40example.com

Full URL passed as a redirect parameter:

redirect=https://example.com/path?foo=bar
→ redirect=https%3A%2F%2Fexample.com%2Fpath%3Ffoo%3Dbar

Sell Custom Apparel — We Handle Printing & Free Shipping

Encoding Query Parameters Across Languages

Every major language has a built-in function for encoding query parameter values:

• JavaScript: encodeURIComponent(value)
• Python: urllib.parse.quote(value, safe='')
• Java: URLEncoder.encode(value, StandardCharsets.UTF_8)
• PHP: urlencode($value)
• C#: Uri.EscapeDataString(value)
• Ruby: URI.encode_www_form_component(value)
• Go: url.QueryEscape(value)

For one-off values or quick testing, use the Mongoose URL Encoder without writing any code.

Common Mistakes When Encoding Query Parameters

Encoding the whole URL: Never run an encoder on the full URL including the scheme and domain — you'll encode the slashes and colons that make the URL valid. Only encode the individual values.

Double encoding: If a value is already encoded and you encode it again, %20 becomes %2520 (the % itself gets encoded). Always start from the unencoded value.

Forgetting to encode the plus sign: If your value contains a literal +, you must encode it as %2B. Otherwise servers that use form-style decoding will read it as a space.

Not encoding at all: Building a query string with simple string concatenation using unencoded user input is a common bug that causes silent failures when values contain reserved characters.

Frequently Asked Questions

Do I need to encode the keys as well as the values in query parameters?

In theory yes, but in practice keys are almost always safe ASCII strings. If you're using dynamic or user-supplied keys, encode them too using the same method as values.

Should spaces be encoded as %20 or +?

Both are valid in query strings. %20 follows RFC 3986 (standard URI percent-encoding). + is a shorthand from HTML form encoding (application/x-www-form-urlencoded). Most servers accept both. Use %20 when in doubt — it's unambiguous.

Can I use a URL encoder to debug API errors?

Yes. Paste the query string or parameter value into a decoder to see the unencoded original. This often reveals accidental double-encoding, missing encoding, or character substitution problems.

Do I need to encode query parameters when using Postman or Bruno?

API clients like Postman encode parameter values automatically when you fill in the Params table. If you paste a pre-built URL into the address bar, Postman may not re-encode it. Verify with the preview URL before sending.