encodeURI(), encodeURIComponent(), or escape(): When to Use Which for URL Encoding?

When to Use escape, encodeURI, or encodeURIComponent

Encoding Query Strings

When encoding a query string for transmission to a web server, different functions have specific purposes:

escape()

• Despite being defined in the ECMAScript standard, escape() is obsolete and should not be used. It has undesirable characteristics that are outdated in modern web development.

encodeURI()

• Use encodeURI() to encode a complete URL string. This encodes special characters, such as spaces, to ensure a valid URL structure. For example:

  encodeURI("http://www.google.com?var1=value1&var2=value2");

  will return:

  http://www.google.com?var1=value1&var2=value2

encodeURIComponent()

• Use encodeURIComponent() to encode specific parameters within a URL string. This ensures that specific characters, such as spaces, are properly encoded within the parameter values. For example:

  encodeURIComponent("var1=value1&var2=value2");

  will return:

  var1%3Dvalue1%26var2%3Dvalue2

Usage Guidelines

• For encoding complete URLs, use encodeURI().
• For encoding specific parameters within URLs, use encodeURIComponent().
• Avoid using escape() for any purpose.
• Remember that encodeURI() and encodeURIComponent() do not escape the single quotation mark ('). To protect against injection vulnerabilities when constructing HTML attributes with single quotes, consider using double quotes (") instead or encoding the single quote as '.

The above is the detailed content of encodeURI(), encodeURIComponent(), or escape(): When to Use Which for URL Encoding?. For more information, please follow other related articles on the PHP Chinese website!