Query String Builder

Reserved characters must be encoded: & = ? # / (have special meaning in URLs). space = %20 or + (both valid, %20 is safer). Special characters: %, +, ,, ;, :, @, $, !, *, ', (, ), [, ]. Encoding format: %XX where XX is hex ASCII code (space = %20, & = %26). Safe characters (no encoding needed): letters A-Z a-z, digits 0-9, - _ . ~ (unreserved characters). Example: "hello world&foo=bar" becomes "hello%20world%26foo%3Dbar". Modern best practice: always encode query parameter values, even if they appear safe (prevents injection attacks). Our tool handles encoding automatically - paste any text and get properly encoded output.

Format: https://example.com/path?key1=value1&key2=value2&key3=value3. Components: base URL (https://example.com/path), ? (query start delimiter), parameters (key1=value1), & (parameter separator), multiple parameters chained with &. Rules: ? appears once (marks query start), = separates keys from values, & separates parameter pairs, no & before first parameter or after last, no spaces (use + or %20), parameter order typically does not matter (server-dependent). Empty value: key= or key (no =), both valid. Arrays: key=val1&key=val2 (repeated keys) or key[]=val1&key[]=val2 (bracket notation, framework-specific). Fragment: comes after query (#section at end).

No standard format - conventions vary by framework. Common patterns for arrays: Repeated keys: ids=1&ids=2&ids=3 (most universal, supported by Express, PHP, Rails), Brackets: ids[]=1&ids[]=2&ids[]=3 (PHP, Rails convention), Comma-separated: ids=1,2,3 (needs splitting server-side, cleaner URLs), Indexes: ids[0]=1&ids[1]=2&ids[2]=3 (preserves order explicitly). For objects: Bracket notation: user[name]=John&user[age]=30 (nests into {user: {name: "John", age: 30}}), Dot notation: user.name=John&user.age=30 (some frameworks support), JSON: data={%22name%22:%22John%22} (encode entire JSON object - verbose). Best practice: check your backend framework's query parser convention, use repeated keys for maximum compatibility, or use POST with JSON body for complex data.

Avoid sensitive data in query strings: URLs are logged (server logs, proxy logs, browser history, analytics), visible in browser address bar (shoulder surfing risk), stored in browser history and bookmarks, included in Referer header when navigating to other sites, no encryption for URL portion in HTTPS (only connection is encrypted, URLs are plaintext in logs). Use POST body for: passwords, API keys, personal information (SSN, credit cards), large data payloads (URLs have length limits ~2000 chars), sensitive filters/searches. Query parameters OK for: public filters (category, sort order), pagination (page=2), search terms (public searches only), shareable state, tracking parameters (utm_campaign). Rule: if you would not want it in browser history or server logs, do not put it in query string.

No official standard but practical limits exist: Browsers: Chrome 2MB+, Firefox 65K, Safari 80K, IE/Edge 2K (most restrictive). Servers: nginx default 4K-8K (http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers), Apache default 8K, IIS default 16K (configurable). Safe limit: 2000 characters (works in all browsers/servers, URLs longer than this get clipped, bookmarks may truncate). Best practices: keep URLs under 2K characters, use POST for large data payloads, paginate results instead of passing large arrays, use URL shorteners for very long URLs (redirects), store complex state server-side with session ID in short URL. Signs of too-long URL: 414 Request-URI Too Long error, broken bookmarks, truncated query parameters.

Path encoding (https://site.com/path%20segment): uses %20 for space (not + allowed in paths), forward slash / is path separator (must encode as %2F if literal /), stricter - most special chars must be encoded. Query encoding (https://site.com?query=value): space can be %20 or + (both valid, tools vary), & and = have special meaning (parameter separators), slightly more permissive. Fragment encoding (#section): similar to path but appears after query. Key differences: + means space in query but literal + in path (encode as %2B), / is literal in query but separator in path. Encoding functions: encodeURIComponent() in JavaScript (query values, aggressive), encodeURI() (full URLs, preserves URL characters). Always use appropriate encoding: encodeURIComponent for query parameter values, encodeURI for full URL construction.