This function is convenient when encoding a string to be used in a query part of a URL, as a convenient way to pass variables to the next page.
Returns a string in which all non-alphanumeric characters except
-_. have been replaced with a percent
%) sign followed by two hex digits and spaces encoded
as plus (
+) signs. It is encoded the same way that the
posted data from a WWW form is encoded, that is the same way as in
application/x-www-form-urlencoded media type. This
differs from the » RFC 1738 encoding (see
rawurlencode()) in that for historical reasons, spaces
are encoded as plus (+) signs.
echo '<a href="mycgi?foo=', urlencode($userinput), '">';
$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
Be careful about variables that may match HTML entities. Things like &, © and £ are parsed by the browser and the actual entity is used instead of the desired variable name. This is an obvious hassle that the W3C has been telling people about for years. The reference is here: » http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2.
PHP supports changing the argument separator to the W3C-suggested semi-colon through the arg_separator .ini directive. Unfortunately most user agents do not send form data in this semi-colon separated format. A more portable way around this is to use & instead of & as the separator. You don't need to change PHP's arg_separator for this. Leave it as &, but simply encode your URLs using htmlentities() or htmlspecialchars().