Is there any formal restriction as to which characters are allowed in URL parameter names?
I've been reading RFC3986 ("Uniform Resource Identifier (URI): Generic Syntax") but came to no definitive conclusion.
I know there are practical limitations, but would it actually be forbidden to do something like:
param with\funny<chars>=some_value
as long as I escape it correctly:
param%20with%1cfunny%3cchars%3e=some_value
In essence this means that the only characters you can reliably use for the actual name parts of a URL are a-z , A-Z , 0-9 , - , . , _ , and ~ . Any other characters need to be Percent encoded.
Letters ( A – Z and a – z ), numbers ( 0 – 9 ) and the characters ' ~ ',' - ',' . ' and ' _ ' are left as-is. + is encoded by %2B. All other characters are encoded as a %HH hexadecimal representation with any non-ASCII characters first encoded as UTF-8 (or other specified encoding)
There are no restrictions on escaped parameter names in the URI specs. There might be restrictions in the server-side software that you use, though. This is especially true if you use “homemade” scripts to interpret URIs.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With