cURL / Mailing Lists / curl-library / Single Mail


RE: URL with @ in passwords

From: Casey ODonnell <>
Date: Fri, 30 Jul 2004 08:13:02 -0400

And hence why:

char *curl_escape( char * url , int length );

Is so useful for doing precisely that. Because any RFC for that
matter makes for great bedtime reading.



> As far as I can tell, the problem is the input, not curl. If your
> script/application properly formats the URL, curl will parse it apart
> properly. I've never had a problem with curl failing to parse a properly
> formed URL correctly.
> It's important to understand that URL's/URI's are *not* strings. They are
> data structures that contain scheme, host, port, path, query, fragment,
> username, and password data items. They are serialized into string format
> for transmission or display. The various characters that the URI syntax
> uses ('/', '@', '#', '?', etc.) are reserved for separating the different
> data segments of the URI. If you have a character that conflicts with the
> syntax of the URI, it must be %hex escaped. In this case, all '@'
> characters other than the '@' that separates the password from the host must
> be %hex escaped, else they will cause ambiguous parsing like you have
> encountered. When your script/application assembles the URL in string
> format, it needs to do so by escaping any conflicting characters.
> The URI RFC ( makes for great bedtime
> reading (zzzz...) and should answer most questions of this nature.

Casey O'Donnell
RPI STS Department - Graduate Student
Received on 2004-07-31