Encode values passed to add_query_arg

add_query_arg() is a really useful function, but it might not work the way you think it does.

If one does:

$my_url = 'admin.php?action=delete&post_id=321';
$my_url = add_query_arg( 'my_arg', 'somevalue&post_id=123', $my_url );

You would expect the URL to be: admin.php?action=delete&post_id=321&my_arg=somevalue%26post_id%3D123
But in fact it becomes: admin.php?action=delete&post_id=321&my_arg=somevalue&post_id=123

Your URL has now been hijacked: add_query_arg() does not percent-encode the value, so the '&' and '=' inside it are treated as a parameter separator and a second post_id parameter, and because PHP's parse_str() keeps the last value for a repeated key, you will be deleting post 123 instead of 321.

To protect against this, use rawurlencode() so that

"somevalue&post_id=123"

gets converted into

"somevalue%26post_id%3D123"

which is now safe: the receiving script decodes it back to the original string as a single value, and it can no longer split into extra parameters.

You can either convert every single argument:

add_query_arg( 'my_arg', rawurlencode( 'somevalue&post_id=123' ), $my_url );

Or update all your arguments at once:

$args = array(
    'my_arg'        => 'somevalue&post_id=123',
    'my_second_arg' => $my_second_arg,
);
$args   = array_map( 'rawurlencode', $args );
$my_url = add_query_arg( $args, $my_url );
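The following is an added example, not code from the original post or from WordPress core. It can be run with plain PHP outside WordPress because add_query_arg_stub() is an assumed, simplified stand-in that mimics only the behaviour this post relies on (parse the existing query, merge the new arguments over it, rebuild without encoding); safe_add_query_arg() is the array_map( 'rawurlencode', ... ) wrapper from above, and the sample URL and value are constructed.

```php
<?php
// Added example, not from the original page or from WordPress core.
// add_query_arg_stub() is a simplified stand-in for WordPress's add_query_arg():
// it parses the existing query with parse_str(), merges the new arguments over
// it, and rebuilds the query string WITHOUT percent-encoding the values.
// Use the real add_query_arg() when WordPress is loaded.
function add_query_arg_stub( array $new_args, string $url ): string {
    $parts = explode( '?', $url, 2 );
    $query = array();
    if ( isset( $parts[1] ) ) {
        parse_str( $parts[1], $query );
    }
    $query = array_merge( $query, $new_args );
    $pairs = array();
    foreach ( $query as $k => $v ) {
        $pairs[] = $k . '=' . $v; // no encoding, mirroring the behaviour described in the post
    }
    return $parts[0] . '?' . implode( '&', $pairs );
}

// Hardened wrapper: percent-encode every value before it reaches
// add_query_arg(), so '&' and '=' inside a value cannot split into
// extra parameters. The receiver's parse_str() decodes it exactly once.
function safe_add_query_arg( array $new_args, string $url ): string {
    return add_query_arg_stub( array_map( 'rawurlencode', $new_args ), $url );
}

// Which post_id would a receiving script actually see for a given URL?
function post_id_seen_by_receiver( string $url ): string {
    parse_str( (string) parse_url( $url, PHP_URL_QUERY ), $seen );
    return (string) $seen['post_id'];
}

// Constructed sample input; the value could just as well come from user input.
$my_url   = 'admin.php?action=delete&post_id=321';
$my_value = 'somevalue&post_id=123';

$unsafe = add_query_arg_stub( array( 'my_arg' => $my_value ), $my_url );
$safe   = safe_add_query_arg( array( 'my_arg' => $my_value ), $my_url );

echo "unsafe URL: $unsafe\n";
echo "unsafe post_id seen by receiver: " . post_id_seen_by_receiver( $unsafe ) . "\n";
echo "safe URL:   $safe\n";
echo "safe post_id seen by receiver:   " . post_id_seen_by_receiver( $safe ) . "\n";
```

Running it shows the unencoded URL resolving to the injected post_id while the rawurlencode()'d URL keeps the original one, with my_arg decoded back to the full string on the receiving side.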
