Query String Builder

%20 (RFC 3986) is the standard percent-encoding for a space character in any part of a URL. It works correctly in all contexts — path segments, query strings, and headers. + (application/x-www-form-urlencoded) is a historic shorthand for space that only applies inside query strings. It originated from HTML form submission and is understood by PHP ($_GET), classic web forms, and some APIs. Use %20 (RFC 3986) as the safe default for REST APIs and modern backends. Use + only when integrating with PHP or HTML form-based endpoints that explicitly expect it. Our tool lets you choose: pick "No Encoding", "%20 — RFC 3986", or "+ — Form (PHP / HTML)".

Characters that MUST be encoded inside parameter values: & (separates params, encode as %26), = (separates key from value, encode as %3D), # (marks fragment start, encode as %23), + (means space in form encoding, encode as %2B), % itself (encode as %25). Characters that SHOULD be encoded for safety: space (%20 or +), <, >, ", {, }, |, \, ^, `. Characters that are SAFE and do not need encoding: A–Z, a–z, 0–9 and - _ . ~ Using encodeURIComponent() in JavaScript covers all required cases and is what our %20 mode uses. Our "No Encoding" mode lets you pass pre-encoded values without double-encoding them.

There is no single standard — the convention depends on your backend framework. The most common patterns: Repeated keys (most universal): ids=1&ids=2&ids=3 — works with Express, Django, Rails, and most servers. PHP bracket notation: ids[]=1&ids[]=2&ids[]=3 — produces an array in $_GET["ids"]. Indexed notation: ids[0]=1&ids[1]=2 — useful when order matters. Comma-separated: ids=1,2,3 — requires server-side splitting. Best practice: check your API docs or backend framework. To use repeated keys in this tool, just add multiple rows with the same key name.

The fragment (anything after #) is a client-side anchor that tells the browser to scroll to a specific element on the page with that id. It is never sent to the server. Common uses: Anchor links — https://docs.example.com/api#authentication jumps to the section with id="authentication". Single-page app routing — frameworks like React and Vue use the hash for client-side routes (#/dashboard). Deep links — links that open an app to a specific screen or section. State preservation — some tools encode state in the fragment so it survives page reloads without a server round-trip. Important: because the fragment is not sent to the server, it cannot be read by server-side code and does not affect SEO.

There is no official maximum in the HTTP spec, but real-world limits exist. Safe limit: 2,000 characters (works across all major browsers and servers). Browser limits: Chrome and Firefox support very long URLs (64K+). IE and older Edge had a 2,083 character limit. Server limits: nginx default header buffer is 4K–8K. Apache default is 8K. IIS default is 16K. All are configurable. What breaks at long lengths: bookmarks may truncate silently, browser history may not store the full URL, some proxies and CDNs impose their own limits, 414 "Request-URI Too Long" errors from servers. Fix: if your query string pushes past 2K, switch to a POST request with a JSON body instead.

No. The Query String Builder is 100% client-side JavaScript. Everything — encoding, parsing, building — happens in your browser. No URL, parameter key, parameter value, or fragment is ever transmitted to No Code Vista servers or any third party. This makes it safe to use with internal API endpoints, staging URLs, credentials in query strings (though passing credentials in URLs is not recommended), and any other sensitive or private URLs.