5

Should PHP header locations be encoded?

header("Location: ".$_SERVER["REQUEST_URI"]);
header("Location: ".rawurlencode($_SERVER["REQUEST_URI"]));

If so, why, when, and how?

user1032531
  • 24,767
  • 68
  • 217
  • 387

1 Answers1

1

You only need to encode it, if you have some special chars (defined in RFC1806) in your URL. Especially you should encode all URLs with the following characters: {}|\^~[]` (as of RFC1738)

Cheesi
  • 483
  • 4
  • 14
  • 1
    True, but the relevant specs are RFC 7231 and RFC 3986. – Julian Reschke Aug 12 '14 at 13:52
  • What will happen if I do not? Will PHP's `REQUEST_URI` ever need encoding or will it already be so when it is passed to the server? Should I use `rawurlencode()` to encode? – user1032531 Aug 12 '14 at 14:15
  • @user1032531 I never tried that, but maybe a broken link or so, maybe also nothing. PHP seems to be really strange on encoding input. I trieded the whole string only the ` got encode. So yes you should also encode `REQUEST_URI`. It depends on your requirements, whenever you need rawurlencode or urlencode. A detail answer can be found here: http://stackoverflow.com/questions/996139/urlencode-vs-rawurlencode @JulianReschke prior to 5.3 PHP uses the RFC1738, but you are right. – Cheesi Aug 13 '14 at 05:31