What Is URL Encoding?
URL encoding, also called percent encoding, is a mechanism for encoding special characters in URLs so they can be safely transmitted over the internet. The basic idea is simple: any character that isn't in the "unreserved" set (letters, digits, and a few symbols) gets replaced by a percent sign followed by two hexadecimal digits representing the character's byte value.
For example, a space character becomes %20 because the ASCII code for space is 32, which is 20 in hexadecimal. This is why you see %20 in URLs instead of actual spaces.
Why URL Encoding Is Necessary
URLs have a defined structure with specific characters serving specific purposes. The forward slash / separates path segments, the question mark ? starts the query string, the ampersand & separates parameters, and the equals sign = assigns values. If your actual data contains any of these characters, they must be encoded to avoid breaking the URL structure.
For instance, if a user searches for "rock & roll", the raw URL would be ambiguous — is & a parameter separator or part of the search query? URL encoding resolves this by converting the & to %26: ?q=rock%20%26%20roll.
Reserved vs. Unreserved Characters
RFC 3986 defines two categories:
- Unreserved characters (never encoded):
A-Z,a-z,0-9,-,_,.,~ - Reserved characters (have special meaning in URLs):
!,*,',(,),;,:,@,&,=,+,$,,,/,?,#,[,],%
Reserved characters should be encoded when they appear in data (not as URL structure). For example, a literal # in a search query becomes %23, since an unencoded # would start a URL fragment.
Common URL Encoding Examples
Space → %20 (or + in query strings)
! → %21
" → %22
# → %23
$ → %24
& → %26
' → %27
( → %28
) → %29
+ → %2B
, → %2C
/ → %2F
: → %3A
; → %3B
= → %3D
? → %3F
@ → %40
[ → %5B
] → %5D
% → %25Space: %20 vs. + — What's the Difference?
This is one of the most confusing aspects of URL encoding. There are two valid ways to encode a space:
%20— The standard percent-encoding for space, valid anywhere in a URL+— An alternative used inapplication/x-www-form-urlencoded(HTML form submissions and query strings)
In the path portion of a URL, only %20 is correct. In query strings, both work but + is more common because it's shorter. When decoding, be aware of this distinction: + should be decoded as space only in query string context, not in the URL path.
Double Encoding: A Common Pitfall
Double encoding occurs when already-encoded data gets encoded again. For example, encoding %20 a second time produces %2520 (the % becomes %25). This is usually a bug caused by calling encodeURIComponent() multiple times or by a server re-encoding an already-encoded URL parameter. Always decode first if you suspect the data might already be encoded.
URL Encoding in Programming
// JavaScript
encodeURIComponent("hello world!") // "hello%20world!"
decodeURIComponent("hello%20world!") // "hello world!"
// Python
import urllib.parse
urllib.parse.quote("hello world!") # "hello%20world!"
urllib.parse.unquote("hello%20world!") # "hello world!"
// PHP
rawurlencode("hello world!") // "hello%20world!"
rawurldecode("hello%20world!") // "hello world!"Note that JavaScript's encodeURI() and encodeURIComponent() behave differently. encodeURI() preserves URL structure characters like /, :, and ?, while encodeURIComponent() encodes everything except unreserved characters.
International Characters and Non-ASCII URLs
Modern browsers support Internationalized Resource Identifiers (IRIs), allowing Unicode characters directly in URLs. Behind the scenes, these are converted to ASCII using Punycode for domain names and percent-encoding (UTF-8 bytes) for path/query strings. For example, the Chinese character 中 (UTF-8: 0xE4 0xB8 0xAD) becomes %E4%B8%AD in the URL.
When to Encode and When Not To
- Encode: User input in query parameters, dynamic path segments, values from forms, data in API requests
- Don't encode: The URL structure itself (scheme, host, delimiters), already-encoded values, static URLs
Conclusion
URL encoding is a foundational concept in web development that affects every HTTP request, API call, and form submission. Understanding the difference between %20 and +, knowing which characters are reserved, and avoiding double encoding will save you from countless debugging headaches. For quick encoding and decoding, use an online URL encoder tool — it handles the edge cases so you don't have to.