Escaping Special Characters and Quotes in Cookies in PHP

By default setcookie() function takes care of escaping special characters in the cookie values in URL format (similar output as of rawurlencode() function). Spaces convert to + and everything converts to a percent sign followed by its ASCII value in hexadecimal except periods, hyphens, underscores, letters, and digits. For example, a double quote " converts to %22 and @ converts to %40.

If you don’t want PHP to make changes to your cookie value, use setrawcookie() instead of setcookie(). The function setrawcookie() accepts the same parameter as setcookie(), but does not URL-encode the cookie’s value. You must do that manually, with the function urlencode() (or rawurlencode()).

<?php
 $value = 'Hi!';

 //URL-encode the value 
 setcookie('key', $value); // Hi%21

 //Does not esape the value
 setrawcookie('key', $value); // Hi!

Cookies and Sessions:

Understanding Cookies
Escaping Special Characters in Cookies
Setting a Cookie with Language Preference
Check If Cookies are Allowed or Blocked
Saving Multiple Values in One Cookie
Saving Form Data into a Cookie
Understanding PHP Sessions
Reading, Writing, and Removing Sessions

Managing Sessions without Cookies
Session Fixation: Changing Session ID
Saving Sessions Data in the Database
Creating Members Area with Session
Using Sessions with HTTP Authentication
Sessions Garbage Collection
Configuring Sessions in PHP.INI