Why urlencode to post data via curl and why not doing the same with form?

  1. As stated on php manual urlencode is for encoding query part of url, so why should urlencode be used to encoded data before sending via curl too as these are $_POST values and not query part?

     foreach ($data as $key => $value) {
              $value = urlencode($value);
              $req .= "&$key=$value";
     curl_setopt($ch, CURLOPT_POSTFIELDS, $req);

If this is recommended to do, so why this is not necessary to encode posted data via form before processing a submitted form (not for curl, but just processing form I mean.) ?

Does this mean curl is sending data differently than a submitted form does?

  1. And should I urldecode after receiving data via curl?

Look at how the HTTP body data is being formatted: key1=val1&key2=val2. It looks rather like the format of a query string, doesn’t it? Now, you don’t have to apply urlencode() to the values (or keys, too), but if a value (or key) contains an ampersand character (&), then the HTTP body formatting would become malformed and you’ll get unexpected results. For example:

$data = [
    'key1' => 'val1',
    'key2' => 'val2&something else'

// your script here


/** Output 
With urlencode() on values:
Array ( [key1] => val1 [key2] => val2&something else )

Without urlencode() on values:
Array ( [key1] => val1 [key2] => val2 [something_else] => )

As you can see, the naivety of the parsing mechanism for $_POST means that the input has simply been split by the ampersand character, giving you a third key with no value.

But to return to your questions:

  1. For the sake of simplicity, yes. However, since you’re passing the data via the request body and not the request URI, you don’t actually need all of the capabilities of urlencode(), just one that converts the ampersand (AFAIK!):
foreach ($data as $key => $value) {
    $value = strtr($value, ['&' => '%26']);
    $req .= "&$key=$value";
  1. It depends. If you’re collecting the request body data from the $_POST super global, then no. The $_GET and $_POST globals apply urldecode() when parsing out the request information. If you’re getting the data from the raw input stream (file_get_contents('php://input')), then yes, you will want to apply urldecode().
  1. If I just use curl_setopt($ch, CURLOPT_POSTFIELDS, $data); and $data is array, doesn’t curl send data using multipart/form-data encoding that I would not need to urlencode data before posting?

  2. Should I be careful that data is not urlencoded twice? For example user submit a form (data automatically urlencoded by browser) then on next page data will be posted via curl so I should be careful that urlencoding does not happen twice? Or still no problem if I keep that urlencoding forach to send posted data by a form via curl at next page?

any advice yet?


Pure speculation here.

If you post a form and look at the headers,

Content-Type: application/x-www-form-urlencoded
POST test.php?str=fgh+fgh+gfh+fgh+hgf+fgh&Submit=submit HTTP/1.1

This implies to me that posted data is urlencoded (entered fgh fgh fgh fgh fgh fgh).

If you look at php.net, setcookie, this is what they have to say.

Note that the value portion of the cookie will automatically be urlencoded when you send the cookie, and when it is received, it is automatically decoded and assigned to a variable by the same name as the cookie name.

This would imply that loren wolsiffer would be stored/posted something like loren%20wolsiffer or loren+wolsiffer
then echo $_POST[‘name’] would be loren wolsiffer.

I would imagine it to be just like GET request, test.php?str=fgh+fgh+gfh+fgh+hgf+fgh&Submit=submit

My answer is that all requests get urlencoded/urldecoded behind the scenes.


what about using it always anyway?
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
Is it good idea? what are cons/pros of this way (http_build_query) ?
I think this is a new fashion for that foreach loop to urlencode it within loop, and even this http_build_query is still unnecessary as all requests get urlencoded/urldecoded behind the scenes? right?

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.