I assume you must be referring to the userinfo part of the URL in which the user credentials are passed, not "URL parameters" (which are part of the query-string):
https://<userinfo>@example.com/foo?<query-string>
As with any character that is not permitted in any one part of the URL (because it may have special meaning), it must be URL-encoded (percent-encoded) as % followed by the two-digit hex code for that character. So, @ is %40 and ? is %3F.
But those aren't the only two characters that may need URL encoding. You should be passing the value through a URL-encode function in your script to correctly URL encode that part of the URL.
RFC 3986 defines what characters are permitted (unencoded) in the userinfo part of the URL:
    userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
    unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
    pct-encoded = "%" HEXDIG HEXDIG
    sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
                / "*" / "+" / "," / ";" / "="
So, everything else must be percent-encoded, including : and % - if they are part of the user or password parts (in order to negate their special meaning).
Also stated in the same document:
Use of the format "user:password" in the userinfo field is deprecated.
Consequently browser support has been patchy, coming and going over the versions (security a primary concern). I believe the latest versions of Chrome (tested v79) and Firefox do support user credentials in the URL. I've seen comments that this also works in the latest Safari(?), although this hasn't worked for a long time and it doesn't currently work for me (although I'm not running the latest on iOS 12.4.1). And IE dropped support for usernames and passwords in the URL some years ago and it doesn't look like it's coming back.
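The userinfo encoding rule quoted above from RFC 3986, as an added Python example that is not part of the original answer: it percent-encodes the user and password with exactly the grammar's safe set, then parses the result back to show that an unencoded @ or ? moves the host boundary. The function names and the sample credentials are constructed for illustration.

```python
from urllib.parse import quote, unquote, urlsplit

# Characters RFC 3986 allows unencoded in userinfo, besides ALPHA / DIGIT.
UNRESERVED_MARKS = "-._~"
SUB_DELIMS = "!$&'()*+,;="


def encode_userinfo_part(value):
    """Percent-encode a user name or a password for the userinfo component.

    ":" and "%" are deliberately left out of the safe set, so they are always
    encoded when they occur inside the user or the password. Non-ASCII text is
    encoded as UTF-8 bytes, which is quote()'s default.
    """
    return quote(value, safe=UNRESERVED_MARKS + SUB_DELIMS)


def build_url(user, password, host, path="/"):
    """Build an https URL whose only literal ":" and "@" are the delimiters."""
    userinfo = encode_userinfo_part(user) + ":" + encode_userinfo_part(password)
    return "https://" + userinfo + "@" + host + path


def naive_url(user, password, host, path="/"):
    """String concatenation without encoding, kept here for comparison."""
    return "https://" + user + ":" + password + "@" + host + path


def parse_back(url):
    """Return (user, password, host) as a URL parser sees them."""
    parts = urlsplit(url)
    return unquote(parts.username or ""), unquote(parts.password or ""), parts.hostname


if __name__ == "__main__":
    # Constructed sample credentials containing delimiters of other URL parts.
    user, password = "alice@corp", "p@ss?w:rd%1/x"

    good = build_url(user, password, "example.com", "/foo")
    print(good)
    print(parse_back(good))   # credentials round-trip, host is example.com

    bad = naive_url(user, password, "example.com", "/foo")
    print(bad)
    print(parse_back(bad))    # host and credentials are no longer what was intended
```
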