Is this PHP redirect insecure?

Question

Hmm I can't really indentify any insecurities but was wondering whether you can, if so how to possibly patch/mend?

Heres the code:

header("Location: http://example.com/search/{$_POST['term']}/{$_POST['type']}");

The site which i'm redirecting too does the validation & sanitization on their side, but what I'm concerned about is - is this redirecting insecure in any way (on my side - seeing as I'm using direct $_POST's).

Appreciate all help.

PS: Just became curious as I've always thought using unsanizited user input is dangerous (or atleast that applies to XSS and SQLi).

Answer 1

Overall, for most websites running a modern version of PHP, it is secure.

There are two concerns at hand:

• A malicious user may be able to trick a victim into unwittingly visiting any page of the form /search/*/* on the site by linking them to a malicious page that POSTs to the page with your redirect. (Note that they are not limited to just two slashes after/search because their POST variables may contain slashes.) This is similar to handing someone a shortened bit.ly URL that redirects them, so it's not too bad.
• HTTP response splitting. If a malicious user includes newlines (specifically, CRLF / \r\n) within their POST data, they can cause your header() call to output multiple headers, including headers to set cookies, and so on. However, as of PHP 5.1.2 this has been fixed.