Encode values passed to add_query_arg

Add_query_arg() is a really useful function, but it might not work as you thought it did.

If one does:

$my_url = 'admin.php?action=delete&post_id=321';
$my_url = add_query_arg( 'my_arg', 'somevalue&post_id=123', $my_url );

You would expect the url to be: admin.php?action=delete&post_id=321&somevalue%26post_id%3D123
But in fact it becomes: admin.php?action=delete&post_id=321&somevalue&post_id=123

Your URL has now been hijacked and you will be deleting post 123 instead of 321.

To protect against this use rawurlencode() so that

"somevalue&post_id=123"

get converted into

"somevalue%26post_id%3D123"

Which is now safe.

You can either convert every single argument:

add_query_arg( 'my_arg', rawurlencode( 'somevalue&post_id=123' ), $myurl );

Or update all your arguments at once:

$args = array(
    'my_arg' => 'somevalue&post_id=123',
    'my_second_arg' => $my_second_arg;
);
$args = array_map( 'rawurlencode', $args );
$my_url = add_query_arg( $args, $my_url);

Ready to get started?

Drop us a note.

No matter where you are in the planning process, we’re happy to help, and we’re actual humans here on the other side of the form. 👋 We’re here to discuss your challenges and plans, evaluate your existing resources or a potential partner, or even make some initial recommendations. And, of course, we’re here to help any time you’re in the market for some robust WordPress awesomeness.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.