Skip to content
Latchkey

curl -G + --data-urlencode: Safe Query Strings

Hand-building query strings breaks on spaces and ampersands; --data-urlencode does not.

When parameters contain spaces or special characters, let curl encode them. -G plus --data-urlencode is the clean way to build a GET.

What it does

-G / --get makes curl send any -d / --data fields as a URL query string with a GET request instead of a POST body. --data-urlencode percent-encodes the value so spaces, ampersands, and other special characters are safe. Each --data-urlencode adds one parameter; curl joins them with &.

Common usage

Terminal
curl -G https://api.example.com/search \
  --data-urlencode 'q=build status' \
  --data-urlencode 'repo=owner/name'
# results in /search?q=build%20status&repo=owner%2Fname

Flags

FlagWhat it does
-G / --getSend -d/--data as a query string with GET
--data-urlencode 'k=v'URL-encode the value, key kept literal
--data-urlencode 'v'Encode a bare value with no key
--data-urlencode 'k@file'Encode the contents of a file as the value

In CI

When a query value comes from a variable that might contain spaces or slashes, use --data-urlencode instead of string-concatenating into the URL. It avoids broken requests and injection-style bugs when the value is attacker-influenced. Combine with -G so the request stays a GET.

Common errors in CI

A 400 or a truncated query usually means an unencoded space or & split the URL. Forgetting -G sends the data as a POST body instead of the query string, which a GET-only endpoint rejects with 404 or 405.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →