Hello,

You use raw_urlencode() on the file path. Does that mean you have to exclude the domain name part ?

<?php
echo '<a href="http://example.com/'.
    rawurlencode('Sales and Marketing').
    '/search?'.
    'query='.urlencode('Monthly Report').
    '">Click Me</a>';
?>

Imagine the above is my link listed on one of my pages.
Now, why is it necessary for me to raw_urlencode() my own site's file path when I put the above link on my pages ? How could xss attack be done here ?
Or is raw_urlencode() really not necessary here unless I get echoing user submitted links ?
Eg. My page getting the url from my mysql db via $_GET[].

adajames commented: As I read this post, I found it to be very helpful. Thank you for posting it. I enjoyed reading it. +0


Hello Again,

Now we get to the complicated section.

I am trying to build a search engine.
So that means, my SERPs would be spitting user submitted links.
Now since I do not know what their url formats (url structures. eg. which part of url is path, which is query string, etc.) would be I can't know in adv where to manually place the raw_urlencode() on their urls before displaying their links on my SERPs.
So, how to check a user submitted url and get php to auto add the raw_urlencode() in the appropriate place before echoing the user submitted url ?

.....continuing,

As you have guessed, I really need to parse user submitted urls before echoing their submitted urls on my page. I need to parse the urls as I won't know what urls they will be submitting nor the structures of their urls. On each submitted url, I need to add the key part of each query string on the $key array and the value part of each query string on the $value array. How to do this ? Example, a user submits this url:

http://example.com/autos/cars/list.php?country=usa&min_price=5000

FIRST STEP:
In this example, I need the $key array to be populated with: country, min_price

And, I need the $value array to be populated with: usa, 5000

Then I need to echo each array's values. How to do this ?

SECOND STEP:
I need to auto add the appropriate encoding functions in the submitted url. So now I won't be echoing like this:

echo 'http://example.com/autos/cars/list.php?country=usa&min_price=5000';

But after parsing the url and after adding the appropriate encoding php functions in the correct spots of the url, I will be echoing like this:

echo rawurlencode('http://example.com/autos/cars/list.php') .'?country=' .urlencode('usa') .'&min_price=' .intval(5000);

Can you see, I auto added rawurlencode on the file path and urlencode on the query string's values and can you see I added intval where the query string's value was an INT ? Well, I did all these additions manually here, of course, to show you what I want php to do on auto. I really need to get php to auto analyze the url and auto add the rawurlencode(), urlencode() and intval() where appropriate and then add the 3 functions on the correct spots on the url before echoing out the url. How to write code for php to do this ?

Once these two steps are achieved, then I can say a custom php function has been built that analyzes submitted urls and auto encodes the urls with the appropriate encoding functions (rawurlencode, urlencode, intval) on the correct spots on the url.

My Failed Attempt:

//Typical Url Example
$url = 'https://daniweb.com/Work/buzz/Templates/Pagination_Section_TEMPLATE.php?tbl=links&bool=null&col_1=domain&col_2=email_domain&input_1=brute.com&input_2=brute.com&lmt=1&pg=1
';

$parts = array();
$parts[] = parse_url($url);

echo $scheme = parse_url($url,PHP_URL_SCHEME);

$key = array();
$value = array();

foreach($parts as $key=>$value)
{
    print_r($key); echo '<br>';
    print_r($value); echo '<br>';
}

Don't know how to proceed from this point onwards.
Any help would be most appreciated.

Nope. This code did not work:

$url = 'https://daniweb.com/Work/buzz/Templates/Pagination_Section_TEMPLATE.php?tbl=links&bool=null&col_1=domain&col_2=email_domain&input_1=brute.com&input_2=brute.com&lmt=1&pg=1
';
function rawurlencode_deep( $url ) {
    return map_deep( $url, 'rawurlencode' );
}

I see blank page.
Code from this tutorial:

https://developer.wordpress.org/reference/functions/rawurlencode_deep/

As I mentioned in this post the purpose of using htmlspecialchars(), urlencode(), and rawurlencode() is to make it easier for you to make your HTML code valid, and make your URLs valid.

In the example you're providing, it's necessary to use rawurlencode('Sales and Marketing') because have you ever seen spaces inside of a URL before?? The HTTP protocol does not allow spaces inside of a URL, so the URL is malformed. By using that function, we are converting:

http://example.com/Sales and Marketing/search

which is not a valid URL, into

http://example.com/Sales%20and%20Marketing/search

which is a valid URL. Of course this link is hard-coded by us and is not user input, so we could just as easily type out the valid URL-encoded version ourselves, but sometimes writing all those %20s gets confusing or we may forget to do it in one place with very long URLs, and it's just easier to have a function that does it for us.

By using urlencode() in the query string, we are converting the invalid URL:

http://example.com/Sales%20and%20Marketing/search?query=Monthly Report

into the valid URL:

http://example.com/Sales%20and%20Marketing/search?query=Monthly+Report

As mentioned in my other post, we don't just use htmlspecialchars(), urlencode(), and rawurlencode() to prevent XSS attacks on user input. That's one use case, but the more important reason is that not doing it is simply invalid HTML.

Now since I do not know what their url formats (url structures. eg. which part of url is path, which is query string, etc.) would be I can't know in adv where to manually place the raw_urlencode() on their urls before displaying their links on my SERPs.
So, how to check a user submitted url and get php to auto add the raw_urlencode() in the appropriate place before echoing the user submitted url ?

If a user feeds you a URL, you don't want to just go URL encoding it all willy nilly. That's because, 9 times out of 10, the user will already feed you a properly formatted URL (that is most likely already encoded). We don't want to encode an already-encoded URL, because double-encoding will lead to lots of problems.

I like to use the filter_var() function, which I think I mentioned to you a few posts back in another forum thread of yours.

You can use it as so:

if (filter_var($url, FILTER_VALIDATE_URL)) {
    echo("Valid URL");
} else {
    echo("Not a valid URL");
}

As an example, if you have:

$url = 'http://example.com/Sales and Marketing/search';

the above code will say that the URL is not valid. But if you have either:

$url = 'http://example.com/' . rawurlencode('Sales and Marketing') . '/search';

or

$url = 'http://example.com/Sales%20and%20Marketing/search';

the above code will say that the URL is valid.

Another option is:

// Remove all illegal characters from a url
$url = filter_var($url, FILTER_SANITIZE_URL);

What I would recommend is asking the user to input a URL, and running it through a validator like this one. You then have 3 options.

  1. Give the user a friendly error message and ask them to provide a valid URL if it has invalid characters in it (such as spaces).

  2. Jump through hoops converting illegal characters to their properly URL-encoded variants yourself. In other words, if the end-user provides:

     http://example.com/Sales and Marketing/search

    then you convert it for them to:

     http://example.com/Sales%20and%20Marketing/search

    This involves jumping through a lot of hoops and is not worth the effort. As you pointed out, we just want to make sure that the part after the :// but before the ? doesn't have any illegal characters, and the query strings also don't have any illegal characters. Now let me tell you ... how often you will encounter badly formed URLs is not worth jumping through hoops trying to properly escape a user-inputted URL.

  3. Just brute force strip the illegal characters from the URL using FILTER_SANITIZE_URL. In other words, if the end-user provides:

     http://example.com/Sales and Marketing/search

    then you convert it for them to:

    http://example.com/SalesandMarketing/search

    Yes, the URL that you end up with might not be what the user intended, and it might end up resulting in a page that doesn't exist. But at least it's a valid URL.

@Dani,

Thank you very much tonight for all your efforts and responses.
It's Nearly 5am here and I am feeling sleepy. I managed to read your above post with sleepy eyes. And am now wondering, whether I wasted 2 hours of my time doing things the long way to add raw_urlencode(), urlencode() and intval() on user submitted urls before getting php to echo their links on my SERP as keyword search result.
Anyway, I will look into your previous response and codes another time when I am fully awake.
As for now, I will copy & paste the code I was working on for the past 2 hrs.
You are welcome to review it and chuckle to yourself for me going the extra mile and not thinking up the short ways you explained in your previous post.
Well, here goes. (Do not laugh at my code or my cheeks will go all red with embarrassment!).
Do not expect the code to conform to what you just said on your previous post as I wrote this code before reading your previous or latest reply as of now.

<?php

//Auto Add rawurlencode() in appropriate places in path.

$scheme = parse_url($url,PHP_URL_SCHEME);
$host = parse_url($url,PHP_URL_HOST);
$full_path = parse_url($url,PHP_URL_PATH);

$path_parts = array();
$path_parts = explode('/',trim($full_path,'/'));

print_r($path_parts); //DEVMODE.
echo '<br>';

$raw_urlencoded = $scheme .'://' .$host;
foreach($path_parts AS $path_part)
{
    $raw_urlencoded .= '/';
    $raw_urlencoded .= rawurlencode($path_part);
}

echo __LINE__; echo '<br>';
echo $raw_urlencoded; echo '<br>';

?>

<br>
<br>
<br>

<?php
//Auto Add urlencode() in appropriate values of queries in query string.
//Auto Add int_val() in appropriate values of queries in query string.

$query_strings_parts = array();
$query_strings_parts = explode('?',trim($all_queries_and_values,'?')); //DELETE THIS LINE FOR LINES 103.
$query_strings_parts = explode('&',trim($all_queries_and_values,'&')); //DELETE THIS LINE FOR LINES 103.
echo __line__; echo '<br>';
print_r($query_strings_parts); //DEVMODE. Array ( [0] => arg=value1 [1] => key=value2 ) 
echo '<br>';

echo __line__; echo '<br>';
print_r($all_queries_and_values); //DEVMODE. arg=value1&key=value2.
echo '<br>';

parse_str($all_queries_and_values,$arr1); //KEEP THIS LINE OVER LINES 93 & 94.
echo __line__; echo '<br>';
print_r($arr1); //DEVMODE. Array ( [arg] => value1 [key] => value2 ).
echo '<br>';


foreach($arr1 AS $query_string_part)
{
    $urlencoded = '/?';
    $urlencoded .= is_int($query_string_part)?INTVAL($query_string_part):urlencode($query_string_part);
}

//Join raw_urlencode part with urlencoded() part to form full secured url.
echo __LINE__; echo '<br>';
echo $urlencoded; echo '<br>';
echo __LINE__; echo '<br>';
echo $secured_url = $raw_urlencoded.$urlencoded;

?>

Thanks

PS - Can you spot any issues, mistakes, bugs, serious errors, etc. ?

PPS - Good Night! I will check for your reply another time.

Firstly, you're completely going down a horrible rabbit hole trying to transform potentially-malformed URLs that a user enters into valid URLs. Basically what you're trying to do is if you have a webpage with a form where a user is meant to enter a URL, they can enter "hello world" and it will try to convert that into a valid URL (http://hello%20world). Honestly, if you want to create a search engine, and the user doesn't enter a valid URL, just tell the user their URL is invalid, and call it a day.

The problem with the code snippet that you posted is that you cannot assume that the path and query string aren't already encoded, or partially encoded ... and you never want to encode characters that are already encoded.

For example, suppose I have:

page.php?q=hello world

Obviously that is wrong because URLs can't have spaces. So let's run urlencode() around 'hello world' and we get:

page.php?q=hello+world

But what if your end-user submits a URL that already looks like

https://www.domain.com/page.php?q=hello+world

That's a valid URL. We don't want to do anything to it, because if we were to run urlencode() over hello+world we would end up with:

https://www.domain.com/page.php?q=hello%2Bworld

That's not the URL we want!

Similarly, we don't want to run urlencode() or rawurlencode() if the URL is not valid, because it's possible that part of the URL is valid and part is not. The user did enter a malformed URL, after all. So we can't assume that every part of it is malformed and that it's not just half-broken.

In conclusion, check if the user entered a valid URL. If they didn't, prompt them to try again. Don't accept any invalid URLs into your database. This way your database only consists of nice, properly formed URLs. Then, there's no need to ever use urlencode() or rawurlencode() when echo'ing out the URLs in your HTML.

You will still need to use urlencode() and rawurlencode() if you're dynamically generating a URL in your HTML. For example, suppose you have a search result page:

results.php?query=

You will want to use urlencode() on the query string.

$query_string = $_GET['query'];

echo '<a href="results.php?query=' . urlencode($query_string) . '">Search Results</a>';

Obviously it's possible for the user to enter a query string with spaces, question marks, so it wouldn't make sense to redirect the end-user to a URL that looks like:

https://www.daniweb.com/question.php?topic=raw_urlencode() Questions

But instead to redirect them to:

https://www.daniweb.com/question.php?topic=raw_urlencode%28%29+Questions

So you can see you will want to use urlencode() and rawurlencode() when building your own URL that contains PHP variables.

In conclusion, check if the user entered a valid URL. If they didn't, prompt them to try again. Don't accept any invalid URLs into your database. This way your database only consists of nice, properly formed URLs. Then, there's no need to ever use urlencode() or rawurlencode() when echo'ing out the URLs in your HTML.

I realized I needed to clarify myself here. If a URL is already valid, we don't need to use these functions designed to encode strings used to build a valid URL. However, you will still want to use htmlspecialchars() when echo'ing out the URL, in order for the HTML being generated to be valid.
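
The advice above as an added example (not code from the thread): validate the submitted URL, reject it rather than repair it, keep it unchanged, and escape only for HTML when echoing it. The http/https scheme allow-list goes beyond what the post says and is an assumption about what a link directory should list; `accept_submitted_url()` and `render_link()` are hypothetical helper names and the submissions are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: returns the URL unchanged if it is acceptable,
 * or null if the submitter should be asked to try again.
 */
function accept_submitted_url(string $input): ?string
{
    $url = trim($input);

    // Reject instead of repairing: a URL that fails validation may already
    // be partly encoded, so "fixing" it risks double-encoding.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // Assumption added here: only web links are listed, so allow http and
    // https and nothing else. FILTER_VALIDATE_URL checks syntax only and
    // does not restrict the scheme.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    return $url; // stored exactly as submitted, no urlencode()/rawurlencode()
}

/** Hypothetical helper: the only transformation on output is HTML escaping. */
function render_link(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

// Constructed sample submissions.
$submissions = [
    'https://www.domain.com/page.php?q=hello+world',              // already encoded
    'http://example.com/Sales%20and%20Marketing/search?a=1&b=2',  // already encoded
    'http://example.com/Sales and Marketing/search',              // raw spaces
    'hello world',                                                // not a URL
    'ftp://example.com/report.txt',                               // valid syntax, wrong scheme
];

foreach ($submissions as $raw) {
    $url = accept_submitted_url($raw);
    echo $url === null
        ? 'REJECTED  ' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8')
        : 'ACCEPTED  ' . render_link($url);
    echo PHP_EOL;
}
```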

Thanks. I am not worried about my echoing own links such as serp links. As I coded like this:

//Report Error.
ini_set('display_errors',1);
ini_set('display_startup_errors',1);
error_reporting(E_ALL);

//Extract $_GETs.
$tbl = !EMPTY($_GET['tbl'])?strtolower($_GET['tbl']):'links';
$input_1 = !EMPTY($_GET['input_1'])?$_GET['input_1']:die('Make your input for us to search!');
$input_2 = !EMPTY($_GET['input_2'])?$_GET['input_2']:null;
$col_1 = !EMPTY($_GET['col_1'])?strtolower($_GET['col_1']):die('Input MySql Column to search!');
$col_2 = !EMPTY($_GET['col_2'])?strtolower($_GET['col_2']):null;
$bool = !EMPTY($_GET['bool'])?strtolower($_GET['bool']):null;
$page = !EMPTY($_GET['pg'])?intval($_GET['pg']):1;
$limit = !EMPTY($_GET['lmt'])?intval($_GET['lmt']):1;
$offset = ($page*$limit)-$limit;

$total_pages = 10; //This is typical example. This value really depends on matching rows from Mysql Query.

//DEVMODE CODE
$i = 0;
while($i<$total_pages)
{
    $i++;
    if($bool=='and' || $bool=='or')
    {
        $serps_url = $_SERVER['PHP_SELF'].'?'.'tbl='.urlencode($tbl).'&'.'col_1='.urlencode($col_1).'&'.'col_2='.urlencode($col_2).'&'.'bool='.$bool.'&'.'input_1='.urlencode($input_1).'&'.'input_2='.urlencode($input_2).'&'.'lmt='.intval($limit).'&'.'pg='.intval($i);
    }
    else
    {
        $serps_url = $_SERVER['PHP_SELF'].'?'.'tbl='.urlencode($tbl).'&'.'col_1='.urlencode($col_1).'&'.'bool='.urlencode($bool).'&'.'input_1='.urlencode($input_1).'&'.'lmt='.intval($limit).'&'.'pg='.intval($i);
    }
    if($i==$page)
    {
        echo '<a href="' .htmlspecialchars($serps_url) .'">' ."<b>$i</b>" .'</a>';
    }
    else
    {
        echo '<a href="' .htmlspecialchars($serps_url) .'">' ."$i" .'</a>';
    }
}

I am now giving some thought to what you advised.

Thank You

@Dani,

Few months ago, I thought this was good enough:

$i = 0;
while($i<$total_pages)
{
    $i++;
    if($_GET['bool']=='null')
    {
        //Page Format: $_GET List.
        $array = array("tbl"=>"$tbl","col_1"=>"$col_1","bool"=>"$bool","input_1"=>"$input_1","lmt"=>"$limit","pg"=>"$i");
    }
    else
    {
        //Page Format: $_GET List.
        $array = array("tbl"=>"$tbl","col_1"=>"$col_1","col_2"=>"$col_2","bool"=>"$bool","input_1"=>"$input_1","input_2"=>"$input_2","lmt"=>"$limit","pg"=>"$i");
    }

    $serps_url = $_SERVER['PHP_SELF'].'?'.http_build_query($array);

    if($i==$page)
    {
        echo '<a href="' .$serps_url .'">' ."<b>$i</b>" .'</a>';
    }
    else
    {
        echo '<a href="' .$serps_url .'">' ."$i" .'</a>';
    }
}

As someone advised me it's the safest way to do a pagination and I can forget about all the encodings.
Can forget about these:

$i = 0;
while($i<$total_pages)
{
    $i++;
    if($bool=='and' || $bool=='or')
    {
        $serps_url = $_SERVER['PHP_SELF'].'?'.'tbl='.urlencode($tbl).'&'.'col_1='.urlencode($col_1).'&'.'col_2='.urlencode($col_2).'&'.'bool='.$bool.'&'.'input_1='.urlencode($input_1).'&'.'input_2='.urlencode($input_2).'&'.'lmt='.intval($limit).'&'.'pg='.intval($i);
    }
    else
    {
        $serps_url = $_SERVER['PHP_SELF'].'?'.'tbl='.urlencode($tbl).'&'.'col_1='.urlencode($col_1).'&'.'bool='.urlencode($bool).'&'.'input_1='.urlencode($input_1).'&'.'lmt='.intval($limit).'&'.'pg='.intval($i);
    }
    if($i==$page)
    {
        echo '<a href="' .htmlspecialchars($serps_url) .'">' ."<b>$i</b>" .'</a>';
    }
    else
    {
        echo '<a href="' .htmlspecialchars($serps_url) .'">' ."$i" .'</a>';
    }
}

But I need to hear from you, why using the http_build_query() you do not need to use the urlencode(), raw_urlencode() and the intval() as I have forgotten the answer I got 6 months back.
Why do I get the feeling that, even if I can forget about urlencodings(), raw_urlencodings(), intvals() but cannot forget htmlspecialchars() here ? Meaning, I must add the htmlspecialchars() like so:

$i = 0;
while($i<$total_pages)
{
    $i++;
    if($_GET['bool']=='null')
    {
        //Page Format: $_GET List.
        $array = array("tbl"=>"$tbl","col_1"=>"$col_1","bool"=>"$bool","input_1"=>"$input_1","lmt"=>"$limit","pg"=>"$i");
    }
    else
    {
        //Page Format: $_GET List.
        $array = array("tbl"=>"$tbl","col_1"=>"$col_1","col_2"=>"$col_2","bool"=>"$bool","input_1"=>"$input_1","input_2"=>"$input_2","lmt"=>"$limit","pg"=>"$i");
    }

    $serps_url = $_SERVER['PHP_SELF'].'?'.http_build_query($array);

    if($i==$page)
    {
        echo '<a href="' .htmlspecialchars($serps_url) .'">' ."<b>$i</b>" .'</a>';
    }
    else
    {
        echo '<a href="' .htmlspecialchars($serps_url) .'">' ."$i" .'</a>';
    }
}

I remember what you said. I need to escape variable values containing html before I echo them on an html page to prevent malicious attacks. But would that prevent javascript attacks too ?
You know. I do not know Javascript and do not wish to bother with clientside programming. Just sticking with html & php for now. Will get into css & python in upcoming projects. But have no intention to learn javascript.
That means, my website won't have javascript.
So in that case, to prevent users submitting links with malicious javascript codes, how can I disable javascript on my visitor's browsers temporarily so their browsers do not interpret any javascript code (should any crook manage to inject javascript into my pages' html code) ?
When visitors go to other sites away from mine then Javascript should work in their browsers without them manually needing to ON javascript again as that would annoy them if my website makes them do extra manual work.
Or, is the php url sanitiser good enough to weed-out javascript code from urls that users submit to my webform (link submission) ? Why do I get the feeling, there maybe other ways users might inject javascript malicious code during their link submissions to my site in order to redirect my other visitors to their phishing sites when those other visitors click the crook's malicious link (that he submitted to my search engine) found on my SERPs ?

@Dani,

As far as I remember. 6 months back, I was never shown to do things like the way I did below. But I still went ahead with it to get your feedback.
What do you think ?

$i = 0;
while($i<$total_pages)
{
    $i++;
    if($_GET['bool']=='null')
    {
        //Page Format: $_GET List.
        $array = array("tbl"=>"$tbl","col_1"=>urlencode("$col_1"),"bool"=>urlencode("$bool"),"input_1"=>urlencode("$input_1"),"lmt"=>urlencode("$limit"),"pg"=>intval("$i"));
    }
    else
    {
        //Page Format: $_GET List.
        $array = array("tbl"=>"$tbl","col_1"=>urlencode("$col_1"),"col_2"=>urlencode("$col_2"),"bool"=>urlencode("$bool"),"input_1"=>urlencode("$input_1"),"input_2"=>urlencode("$input_2"),"lmt"=>urlencode("$limit"),"pg"=>intval("$i"));
    }

    $serps_url = $_SERVER['PHP_SELF'].'?'.http_build_query($array);

    if($i==$page)
    {
        echo '<a href="' .htmlspecialchars($serps_url) .'">' ."<b>$i</b>" .'</a>';
    }
    else
    {
        echo '<a href="' .htmlspecialchars($serps_url) .'">' ."$i" .'</a>';
    }
}

Or maybe, I should stick to one of the codes on my previous post (if you have not already chosen one out of the three above for me already).

Hi,

If you look at the description for http_build_query then you can see that it: Generates a URL-encoded query string from the associative (or indexed) array provided.

In other words, the benefit to using http_build_query() is that it loops through all the elements in the array and adds urlencode() to each of them, so you don't have to waste lines of code doing it yourself.

You still need to use htmlspecialchars($serps_url) to convert the & character in the query string into &amp;.

However, if you refer to the PHP docs article I linked to earlier in this post, it looks like the http_build_query() function has thought of everything, and allows you to pass in the argument separator &amp; so that you don't have to use htmlspecialchars() either!

echo http_build_query($array, '', '&amp;');

... should do both urlencode() and do htmlspecialchars() for you.

@Dani

Php manual is too complicated for me. I prefer layman tutorials.
For example, I do not understand the 2nd param. Prefix. What is it for ?

echo http_build_query($data, '', '&amp;');

Nevertheless, heeding your advice and sticking to:

//Extract $_GETs.
$tbl = !EMPTY($_GET['tbl'])?strtolower($_GET['tbl']):'links';
$input_1 = !EMPTY($_GET['input_1'])?$_GET['input_1']:die('Make your input for us to search!');
$input_2 = !EMPTY($_GET['input_2'])?$_GET['input_2']:null;
$col_1 = !EMPTY($_GET['col_1'])?strtolower($_GET['col_1']):die('Input MySql Column to search!');
$col_2 = !EMPTY($_GET['col_2'])?strtolower($_GET['col_2']):null;
$bool = !EMPTY($_GET['bool'])?strtolower($_GET['bool']):null;
$page = !EMPTY($_GET['pg'])?intval($_GET['pg']):1;
$limit = !EMPTY($_GET['lmt'])?intval($_GET['lmt']):1;
$offset = ($page*$limit)-$limit;

$total_pages = 10; //This is typical example. This value really depends on matching rows from Mysql Query.

$i = 0;
while($i<$total_pages)
{
    $i++;
    if($_GET['bool']=='null')
    {
        //Page Format: $_GET List.
        $array = array("tbl"=>"$tbl","col_1"=>urlencode("$col_1"),"bool"=>urlencode("$bool"),"input_1"=>urlencode("$input_1"),"lmt"=>urlencode("$limit"),"pg"=>intval("$i"));
    }
    else
    {
        //Page Format: $_GET List.
        $array = array("tbl"=>"$tbl","col_1"=>urlencode("$col_1"),"col_2"=>urlencode("$col_2"),"bool"=>urlencode("$bool"),"input_1"=>urlencode("$input_1"),"input_2"=>urlencode("$input_2"),"lmt"=>urlencode("$limit"),"pg"=>intval("$i"));
    }

    $serps_url = $_SERVER['PHP_SELF'].'?'.http_build_query($array,'','&amp');

    if($i==$page)
    {
        echo '<a href="' .$serps_url .'">' ."<b>$i</b>" .'</a>';
    }
    else
    {
        echo '<a href="' .$serps_url .'">' ."$i" .'</a>';
    }
}

The code you posted is not heeding my advice. My advice is that you don't need to use urlencode() or htmlspecialchars() if you are using http_build_query($array, '', '&amp;'). (Note the semicolon at the end of the &amp;, as you left it off.)

The prefix string says what to use to separate query string parameters. The default would be & as in ?foo=1&bar=2&baz=3&bat=4. However, as previously explained, & is not valid HTML, so we would use htmlspecialchars() on the URL to convert it to ?foo=1&amp;bar=2&amp;baz=3&amp;bat=4. However, we don't need to do that if we just tell http_build_query() to use &amp; instead of & to begin with.

@Dani,

I have checked the manual and forgive me if I am sounding thick in skull (dumb) as things are not getting into my head.
To use '&amp;' as separator, should we not write it like this:

$data = array(
    'foo' => 'bar',
    'baz' => 'boom',
    'cow' => 'milk',
    'null' => null,
    'php' => 'hypertext processor'
);

echo http_build_query($data,'&amp;');

Instead of this:

$data = array(
    'foo' => 'bar',
    'baz' => 'boom',
    'cow' => 'milk',
    'null' => null,
    'php' => 'hypertext processor'
);

echo http_build_query($data,'','&amp;');

Frankly, both echo the same result.

The prefix string says what to use to separate query string parameters - Dani<<

Scratching my head as you can input query string separators on both 2nd param & 3rd. How so ?

If I look at the PHP.net manual, I see that the arg_separator is the third parameter to be passed into the function.

The second parameter, numeric prefix, is unrelated to what we are discussing.

The reason you are not realizing the difference in the example where it works versus the example where it doesn't work is because &amp; looks like '&' in your web browser. But if you go to View Source and actually investigate the HTML code that is being generated, you will see the difference. You always want your HTML code to have &amp; in it and never any & on its own, regardless of whether it's part of a link or not.
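
An added example (not code from the thread) that runs the `http_build_query()` calls discussed above from the command line, so the raw output is what View Source would show. The script path and parameter values are constructed, and `pagination_link()` is a hypothetical helper.

```php
<?php
declare(strict_types=1);

$data = [
    'foo'  => 'bar',
    'baz'  => 'boom',
    'cow'  => 'milk',
    'null' => null,                   // null values are left out of the result
    'php'  => 'hypertext processor',
];

// 2nd argument = numeric_prefix. It is only prepended to integer keys, so
// with string keys it changes nothing and the separator stays the default.
echo 'prefix only : ', http_build_query($data, '&amp;'), PHP_EOL;

// 3rd argument = arg_separator. This is the call that emits &amp;.
$with_separator = http_build_query($data, '', '&amp;');
echo 'separator   : ', $with_separator, PHP_EOL;

// Where numeric_prefix does apply: a list with integer keys.
echo 'numeric keys: ', http_build_query(['a', 'b'], 'item_'), PHP_EOL;

// Pre-encoding a value and then passing it to http_build_query() encodes it
// twice; passing the plain value encodes it once.
echo 'pre-encoded : ', http_build_query(['input_1' => urlencode('brute force')]), PHP_EOL;
echo 'plain value : ', http_build_query(['input_1' => 'brute force']), PHP_EOL;

// Using the &amp; separator AND htmlspecialchars() escapes the ampersand twice.
echo 'both at once: ', htmlspecialchars($with_separator, ENT_QUOTES, 'UTF-8'), PHP_EOL;

/**
 * Hypothetical helper: one pagination link. The query string is built with
 * the default separator and the whole URL is HTML-escaped once, which also
 * covers the script path, a part http_build_query() never touches.
 */
function pagination_link(string $script, array $params, int $page, int $current): string
{
    $params['pg'] = $page;
    $url   = $script . '?' . http_build_query($params);
    $label = $page === $current ? "<b>$page</b>" : (string) $page;

    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">' . $label . '</a>';
}

// Constructed request state standing in for the values read from $_GET.
$script = '/search.php';
$params = ['tbl' => 'links', 'col_1' => 'domain', 'input_1' => 'R&D reports', 'lmt' => 1];

for ($i = 1; $i <= 3; $i++) {
    echo pagination_link($script, $params, $i, 2), PHP_EOL;
}
```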
