Simon Krueger

Always URL encode your Base64 encoded query parameters

"I have not failed. I've just found 10,000 ways that won't work."

Thomas A. Edison

I spent a large portion of the day at work debugging an issue where I did not URL encode a Base64 encoded value I was sending to a server as a query parameter value. I want to make sure I never waste time on this issue again. I am writing a basic explanation of the problem and how to avoid it as reminder to myself. I hope this may help some one else in the future too.

Base64 encoded strings can contain the + character. If the + character is placed on a URL query parameter, it is interpreted as a space. This is problematic because a space ( ) character is NOT a +. In fact, the space ( ) character is not a valid Base64 encoding character.

To circumvent this behavior make sure you URL encode the Base64 encoded value so that + characters are encoded as %2B.

For example, say I have to send QUJD+REVG+0hJY= to a server. If I put this on a URL without URL encoding the value, the URL will look like this: This URL is perfectly valid, but when a request with this URL is sent to a server the query parameter, q, is seen with a value of QUJD REVG 0hJY=. This is not what I wanted. Do you see those spaces?

To fix this, I can URL encode this value before it is put on the URL. The URL now looks like this: Now the server sees q's value as QUJD+REVG+0hJY=. Exactly what I wanted :).

This is a pretty simple mistake that I am sure has been made a million times. I hope to not to make it a million and one. Anyway, always URL encode your Base64 encoded query parameters!