In a multi-step form process, I am receiving a URL as a form field.

Question

0

Editorial Team

Asked: May 13, 20262026-05-13T18:53:31+00:00 2026-05-13T18:53:31+00:00

In a multi-step form process, I am receiving a URL as a form field.

0

In a multi-step form process, I am receiving a URL as a form field.

After processing, my PHP script redirects to that address using header("Location: ...");

Apart from the possibility of being misused as a redirect service for porn sites to generate harmless-looking links in E-Mails (Open Redirect, which can be helped by matching the URL to the local domain), are there any hacking / exploitation dangers to be aware of in this process?

One thing that came to mind was smuggling newlines into the URL, which might open the possibility of sending arbitrary headers to the client.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-13T18:53:31+00:00

Editorial Team

2026-05-13T18:53:31+00:00Added an answer on May 13, 2026 at 6:53 pm

In old versions of PHP you had to worry about CRLF injection which is \r\n. This is a “header response splitting vulnerability.” If you strip out these characters then you shouldn’t have to worry. In the latest build of of PHP the header() function is safe, and will automatically take care of \r\n for you.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

In a multi-step form process, I am receiving a URL as a form field.

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply