Does it matter the different behavior between PHP `rawurlencode` and JS `encodeURIComponent`?

Question

According to https://stackoverflow.com/a/1734255/1529630, encodeURIComponent is the same as rawurlencode, but !*'() aren't escaped, e.g.,

function encodeURIComponent($str) {
    $revert = array('%21'=>'!', '%2A'=>'*', '%27'=>"'", '%28'=>'(', '%29'=>')');
    return strtr(rawurlencode($str), $revert);
}

But then, does it matter that difference?

Normally, I use something like

• In JS

    wrapper.innerHTML = '<a href="foo.php?bar=' + encodeURIComponent(myVar) + '">Link</a>';

• In PHP

    echo '<a href="foo.php?bar=' . rawurlencode(myVar) . '">Link</a>';

If then, in foo.php, I use $_GET['bar'], is it possible to get different results, due to the difference between encodeURIComponent and rawurlencode?

Answer 1

You only need to escape characters that can have special uses within the code.

For example the following can be used to ask the code to do a mathematical comparison or calcuation - < , > , + , - , / , =

then there's reserved characters specific to URL creation such as - ? , @ , %, #

The characters !*'() have no special meaning and so won't be misinterpreted so don't need escaping. You can however escape characters unnecessarily so it might look like a different result, but it would mean/do the same thing.

This has a more thorough breakdown - http://www.blooberry.com/indexdot/html/topics/urlencoding.htm