AI URL Encoder/Decoder — Handle Special Characters and Query Strings Safely

Published February 23, 2026 · 8 min read · Developer Tools

You are building an API call and one of the query parameters contains an ampersand. You paste the URL into your browser and half the parameters vanish. The & in your search query got interpreted as a parameter separator, and now your API is returning nonsense. A quick trip through a URL encoder would have turned that & into %26 and saved you twenty minutes of debugging.

URL encoding (also called percent-encoding) is one of those fundamental web concepts that every developer uses but few fully understand. It is the reason spaces become %20 or +, why non-ASCII characters get converted to byte sequences, and why some characters are safe in URLs while others break everything. Let us demystify it.

How URL Encoding Works

URLs can only contain a limited set of ASCII characters. RFC 3986 defines which characters are allowed and which must be encoded. The encoding process is simple: take the character's UTF-8 byte representation and prefix each byte with a percent sign.

Safe Characters (No Encoding Needed)

These characters can appear in URLs without encoding:

Unreserved: A-Z a-z 0-9 - _ . ~
Reserved (when used for their purpose): : / ? # [ ] @ ! $ & ' ( ) * + , ; =

Reserved characters only need encoding when they appear in a context where they would be misinterpreted. An & in a query parameter value must be encoded as %26, but the & separating parameters stays as-is.

Characters That Must Be Encoded

Everything outside the safe set gets percent-encoded:

Spaces → %20 (or + in form data)
Non-ASCII characters → UTF-8 bytes, each prefixed with %. For example, é becomes %C3%A9
Special characters in values → # becomes %23, = becomes %3D, & becomes %26

Need to encode or decode a URL right now?

Open AI URL Encoder/Decoder →

encodeURI vs encodeURIComponent: The Critical Difference

JavaScript gives you two encoding functions, and using the wrong one is a classic bug source:

encodeURI() encodes a full URL. It leaves reserved characters like :, /, ?, &, and = intact because they have structural meaning in a URL. Use it when you have a complete URL with special characters in the path.

encodeURIComponent() encodes a single URL component (like a query parameter value). It encodes everything except A-Z a-z 0-9 - _ . ~ ! ' ( ) *. This is what you want 90% of the time when building query strings.

// Wrong: encodeURI leaves & intact
encodeURI("search=rock&roll")
// "search=rock&roll" — still broken

// Right: encodeURIComponent encodes the value
"search=" + encodeURIComponent("rock&roll")
// "search=rock%26roll" — correct

💡 Rule of Thumb: Use encodeURIComponent() for individual parameter values. Use encodeURI() only when encoding a full URL where you want to preserve the structure. When in doubt, use encodeURIComponent().

URL Encoding in Every Major Language

Python

from urllib.parse import quote, unquote, urlencode

# Encode a single value
quote("hello world & more")  # "hello%20world%20%26%20more"

# Build a query string
params = {"q": "rock&roll", "page": "1"}
urlencode(params)  # "q=rock%26roll&page=1"

# Decode
unquote("%C3%A9")  # "é"

Go

import "net/url"

// Encode a query parameter
url.QueryEscape("hello world & more")
// "hello+world+%26+more"

// Parse and build URLs safely
u, _ := url.Parse("https://api.example.com/search")
q := u.Query()
q.Set("q", "rock&roll")
u.RawQuery = q.Encode()
// https://api.example.com/search?q=rock%26roll

PHP

// Encode a value (spaces become %20)
rawurlencode("hello world & more");
// "hello%20world%20%26%20more"

// Encode for form data (spaces become +)
urlencode("hello world & more");
// "hello+world+%26+more"

// Build query string
http_build_query(["q" => "rock&roll", "page" => "1"]);
// "q=rock%26roll&page=1"

Common URL Encoding Pitfalls

Double Encoding

The most insidious URL bug. You encode a value, then pass it through a framework that encodes it again. The %26 becomes %2526, and the server receives a literal %26 instead of &. If your decoded URL still contains percent signs, you have been double-encoded.

Prevention: encode once, at the point where you construct the URL. Never encode a value that might already be encoded without checking first.

Space Encoding: %20 vs +

Both %20 and + represent spaces, but in different contexts. In URL paths, spaces must be %20. In query strings using application/x-www-form-urlencoded format (HTML form submissions), spaces become +. Most modern APIs accept both in query strings, but using the wrong one in a path segment can cause 404 errors.

Non-ASCII Characters and Internationalized URLs

URLs with non-ASCII characters (like Chinese, Arabic, or accented Latin characters) need special handling. The characters are first encoded to UTF-8 bytes, then each byte is percent-encoded. A single Chinese character can become 9 characters in a URL (%E4%B8%AD for 中).

Internationalized Domain Names (IDNs) use a separate system called Punycode. The domain über.com becomes xn--ber-goa.com at the DNS level. URL encoding only applies to the path and query string, not the domain.

Security Implications of URL Encoding

URL encoding is not just about making URLs work — it is a critical security concern:

Injection attacks: Improperly encoded URLs can allow attackers to inject additional parameters or modify the URL structure. Always encode user input before inserting it into URLs.
Path traversal: Characters like ../ can be encoded as %2e%2e%2f to bypass naive path validation. Servers must decode and normalize paths before checking access controls.
Open redirects: Encoded URLs in redirect parameters can disguise malicious destinations. Always validate decoded URLs against an allowlist.

The AI URL Encoder/Decoder highlights potentially dangerous patterns in decoded URLs, helping you spot security issues before they reach production.

Building URLs Programmatically: Best Practices

Never build URLs by concatenating strings. Every major language has a URL builder that handles encoding correctly:

// JavaScript — URLSearchParams
const params = new URLSearchParams({
  q: "rock&roll",
  lang: "en",
  page: "1"
});
const url = `https://api.example.com/search?${params}`;
// https://api.example.com/search?q=rock%26roll&lang=en&page=1

Using URLSearchParams or equivalent libraries ensures every value is encoded exactly once, with the correct encoding for query string context. It also handles edge cases like empty values and array parameters that manual encoding misses.

💡 Pro Tip: When debugging URL issues, paste the full URL into the AI URL Encoder/Decoder. It breaks down each component, shows which characters are encoded, and highlights potential problems like double encoding or missing encoding.

Related Tools and Resources

AI URL Encoder/Decoder — encode and decode URLs instantly
Base64 Encoding and Decoding Guide — another essential encoding format
JSON Formatter and Validator — format API responses after decoding URLs
JWT Decoder — decode tokens that often appear in URL parameters
AI Link Shortener — shorten long encoded URLs
Hash Generator — generate hashes for URL-based cache busting

Stop debugging URL encoding issues manually

Paste any URL and instantly see every encoded character decoded, or encode your values with one click.

Try AI URL Encoder/Decoder →