Characters allowed in GET parameter

caw picture caw · Sep 21, 2009 · Viewed 96.7k times · Source

Which characters are allowed in GET parameters without encoding or escaping them? I mean something like this:

http://www.example.org/page.php?name=XYZ

What can you have there instead of XYZ? I think only the following characters:

  • a-z (A-Z)
  • 0-9
  • -
  • _

Is this the full list or are there additional characters allowed?

I hope you can help me. Thanks in advance!

Answer

Michael Krelin - hacker picture Michael Krelin - hacker · Sep 21, 2009

There are reserved characters, that have a reserved meanings, those are delimiters — :/?#[]@ — and subdelimiters — !$&'()*+,;=

There is also a set of characters called unreserved characters — alphanumerics and -._~ — which are not to be encoded.

That means, that anything that doesn't belong to unreserved characters set is supposed to be %-encoded, when they do not have special meaning (e.g. when passed as a part of GET parameter).

See also RFC3986: Uniform Resource Identifier (URI): Generic Syntax