[development] rawurlencode vs. urlencode in drupal_http_build_query and drupal_encode_path

Scott Reynen scott at slicedbreadlabs.com
Fri Mar 22 04:16:21 UTC 2013

I wasn't around when this happened, but the history is all documented 
and searchable, so it didn't take too long to find an answer. While 
drupal_urlencode() was a wrapper for urlencode() in D5, it became a 
wrapper for rawurlencode() in D6. Here's the commit:


And here's the related issue with discussion of why that change was made:


Scott Reynen
Sliced Bread Labs

On 3/21/13 9:22 PM, Kevin O wrote:
> Howdy folks. Due to some draconian anti-SQL injection filters in our
> firewall software, I'm exploring how a few things work with url building
> in Drupal 7 & 8. A particular firewall rule is rejecting %20and%20 which
> unfortunately comes up fairly often with searches and webform, because
> both urls for those get encoded in that way.
> Now, this filtering is not of course Drupal's problem, but in tracking
> this down, I found that basically, drupal_http_build_query and
> drupal_encode_path use rawurlencode and thus change spaces to %20. The
> space change and the lack of encoding the ~ seem to be the only
> difference between rawurlencode and urlencode in PHP. (further info here
> http://stackoverflow.com/questions/996139/php-urlencode-vs-rawurlencode )
> Since drupal_http_build_query was introduced in D7 as was
> drupal_encode_path they both seem to have always used rawlurlencode,
> however the previous function for the latter was drupal_urlencode which
> was a wrapper for urlencode.
> Does anyone know why we switched to using rawurlencode instead of
> urlencode? Does anyone have thoughts on switching back to urlencode? I
> could just go file a feature request for this, but wanted to get a feel
> for the history and reasons for this change first.
> Thanks!
> Cheers,
> Kevin O'Brien
> Drupal Developer
> http://www.coderintherye.com
> 415-754-0112

More information about the development mailing list