1024Base
Ctrl K

URL guide

Ampersand in URL query parameters

An ampersand separates query parameters. Encode it as %26 when the ampersand is part of the value.

Open URL Encode Decode Tool View all tools

Why & breaks a query value

In a URL query string, the ampersand is a separator between parameters. If you put a raw ampersand inside a value, the server or browser parser may treat the text after it as a new parameter. That is fine for ?a=1&b=2, but wrong for a value like company=R&D or redirect=https://example.com/?a=1&b=2. The URL may look readable in the address bar while the receiving code sees a different set of parameters.

Example

Input

https://example.com/search?company=R&D&source=email

Output

https://example.com/search?company=R%26D&source=email

How to encode the value

  1. Decide whether the ampersand is a separator or part of a value. Separators stay as &, value characters become %26.
  2. Encode only the parameter value, not the whole URL at once. Encoding the full URL will also encode characters such as : and / that may need to remain URL syntax.
  3. For nested URLs, encode the nested URL before placing it into the outer query parameter.
  4. Use URLSearchParams, encodeURIComponent, or a server-side URL builder instead of manual string joining when possible.
  5. After building the URL, parse it back and confirm the parameter count and values match what you intended.

Nested URLs need another pass

Redirect and callback parameters often contain their own query strings. In that shape, the inner ampersand belongs to the nested URL value, so it must be encoded before the outer URL is assembled.

For example, redirect=https://site.test/callback?a=1&b=2 will usually be parsed as redirect=https://site.test/callback?a=1 plus a separate b=2 parameter. The inner value should be redirect=https%3A%2F%2Fsite.test%2Fcallback%3Fa%3D1%26b%3D2.

Plus signs are a different issue

A plus sign and an ampersand solve different problems. In application/x-www-form-urlencoded data, plus often represents a space. Ampersand still separates parameters.

If a literal plus sign belongs inside a value, encode it as %2B. If a literal ampersand belongs inside a value, encode it as %26. Treat them separately when debugging a broken URL.

Common mistakes

  • Leaving R&D, A&B testing, or company names unencoded inside a query value
  • Encoding the entire URL with encodeURIComponent and then pasting it as the address itself
  • Encoding a value twice, which turns %26 into %2526
  • Mixing form encoding rules with path encoding rules
  • Assuming a browser address bar display proves the server received the same parameter values

Related problems

URL space encoding: %20 vs plus URL decode not working fix Convert URL spaces to %20 Encode spaces in a URL

FAQ

Should every ampersand in a URL become %26?

No. Ampersands that separate query parameters should remain as &, while ampersands inside parameter values should be encoded as %26.

Can URLSearchParams handle this?

Yes. If you pass raw values into URLSearchParams, it will encode value ampersands when it serializes the query string.

Why does the server miss part of my value?

The server probably split the query string at the raw ampersand and treated the rest as another parameter.