& => & is part of HTML and XML's escaping scheme. URIs use a different escape mechanism. URI::Escape provides it.

my $url_param = 'http://www.whatzit.com?a=1&b=2';
my $url = "http:/www.xyzzy.com?url=" . uri_escape($url_param);
[download]

If you are placing the constructed URL in HTML or XML, you will also need to HTML-escape the constructed URL as a whole.

[ Wrote this much earlier, but forgot to actually post it. Sorry if it's redundant ]