Is there any formal restriction as to which characters are allowed in URL parameter names?

I've been reading RFC3986 ("Uniform Resource Identifier (URI): Generic Syntax") but came to no definitive conclusion.

I know there are practical limitations, but would it actually be forbidden to do something like:

param with\funny<chars>=some_value

as long as I escape it correctly:

param%20with%5cfunny%3cchars%3e=some_value
+1  A: 

There are reserved characters for URLs, but as long as you escape (urlencode) then you should be fine.

Depending on the framework used, you may get exceptions if you try to submit suspicious values. ASP.NET has content filtering that will throw exceptions if you try to submit "unsafe" data, like scripts or HTML. That's a feature of the framework though rather than a limitation or rule enforced by the URL syntax.

Neil Barnwell
A: 

As long as you escape / URL Encode it, you're fine.

?x=encodedanything&y=more

Chad Grant
It's the "x" and the "y" I am asking about, not the "encodedanything" or the "more".
Tomalak
Then yes, there are many restrictions, spaces etc... I just stuck to simple words (ASCII A-Za-z0-9) with no spaces. Never needed anything more ;)
Chad Grant
+2  A: 

There are no restrictions on escaped parameter names in the URI specs. There might be restrictions in the server-side software that you use, though. This is especially true if you use “homemade” scripts to interpret URIs.

Konrad Rudolph
That's exactly why I've been asking... http://stackoverflow.com/questions/814613/how-to-read-data-from-url-using-javascript -- I guess my answer would need an overhaul to make it correct in unusual situations.
Tomalak
Ah, that complicates the situation substantially. Especially since instead of using `&`, other ones could be used, e.g. `,` and `;` used to be used quite a lot. Also, many server engines (PHP, Rails, …) support nested arguments, so this would be a legal URI with query: http://example.com/?a=b;c[1]=x;c[2]=y … A lot of web applications actually use this query notation for form data (options, checkboxes …) to get array-like data.
Konrad Rudolph
So I guess it boils down to "there is no single correct function to pull parameters out of a URL" -- unless you are prepared to accept that "c[1]=x" is a server-side convention, and the parameter you are looking for is *in fact* called "c[1]" on the client (which would be factually correct, but come as strange to those accustomed to server side programming...).
Tomalak
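
An added example, not code from this thread or from any library: a client-side parser that splits the query first and only then percent-decodes, treating names exactly like values, keeping "c[1]" as a literal name, and taking the separator set as a parameter. The names parseQuery and decodePart, the default separators and the sample URLs in the comments are assumptions made for the illustration.

```javascript
// Decode one name or value. decodeURIComponent throws URIError on a
// malformed escape such as "%zz"; keep the raw text instead of failing.
function decodePart(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Returns an ordered list of [name, value] pairs, so duplicate names and
// unusual names (spaces, "<", "c[1]") survive without any key rewriting.
function parseQuery(url, separators = "&;") {
  // The fragment is not part of the query component.
  const noFragment = url.split("#")[0];
  const q = noFragment.indexOf("?");
  if (q === -1) return [];
  const query = noFragment.slice(q + 1);

  const pairs = [];
  let start = 0;
  for (let i = 0; i <= query.length; i++) {
    if (i === query.length || separators.includes(query[i])) {
      const item = query.slice(start, i);
      start = i + 1;
      if (item === "") continue; // skip empty items such as "a=1&&b=2"
      // Split on the first raw "=" BEFORE decoding, so an escaped
      // "%3D" or "%26" inside a name cannot change the structure.
      const eq = item.indexOf("=");
      const rawName = eq === -1 ? item : item.slice(0, eq);
      const rawValue = eq === -1 ? "" : item.slice(eq + 1);
      pairs.push([decodePart(rawName), decodePart(rawValue)]);
    }
  }
  return pairs;
}

// Constructed sample inputs:
// parseQuery("http://example.com/?a=b;c[1]=x;c[2]=y")
//   reads three parameters named "a", "c[1]" and "c[2]"
// parseQuery("http://example.com/?a=b;c[1]=x;c[2]=y", "&")
//   reads one parameter "a" whose value is "b;c[1]=x;c[2]=y"
```

The same URL yields different parameter sets depending on the separator convention, which is why the client and the server-side code have to agree on one.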
+2  A: 

You should also read RFC2396. It seems to be more informative than RFC3986.

Vitaly Polonetsky
Section 3.4. ("Query Component") has it: "The query component is a string of information to be interpreted by the resource.". This would basically mean "anything goes", just as I thought.
Tomalak
It's just not HTTP specific, unfortunately. But I guess there is no standard here, just convention.
Tomalak