3

Is it possible to append a parameter to a PHP Header Location? I'm having trouble getting it to work. Is this syntax actually allowed?

$qry = $_SERVER['QUERY_STRING'];
header('Location: http://localhost/blast/v2/?$qry ') ;

it just won't replace $qry with its actual value... why?

in the browser it ends up looking like this:

http://localhost/blast/v2/?$qry

thanks

4 Answers

23

Important note: do not use this exactly if you cannot be sure that $qry is safe!

Change the single quotes to double quotes:

header("Location: http://localhost/blast/v2/?$qry");

A single quoted string in PHP is treated as a string literal, which is not parsed for variables.

Double quoted strings are parsed for variables, so you will get whatever $qry contains appended, instead of literally $qry.

LuckyLuke Skywalker
Bojangles
  • I tried this one `header("Location:http://example.com/file.php?id=$ID");` but the header() adds a `/` at the end of `$ID`, making it a directory. That is, it redirects to `http://example.com/file.php?id=5/` (note the / at the end). Please give a solution – Govind Balaji Oct 19 '14 at 06:37
  • 2
    Post a new question explaining your problem in detail. Don't hijack a post's comments – Bojangles Oct 19 '14 at 08:56
  • Great explanation @Bojangles. For people reading this, you may also have heard the term "string interpolation," which is what's happening here. – Scott C Wilson Aug 15 '19 at 18:27
3

You can also add multiple parameters via a header like:

$divert=$row['id']."&param1=".($param1)."&param2=".($param2);
header("Location:showflagsab.php?id=$divert");

which adds the two additional parameters to the original id.

These can be extracted using the $get method at their destination.

Jamie Taylor
  • Mr. Howard, I need your help with your answer's code. Your answer will send a single record, but in case there are some duplicate records, then how to store that in the other page? –  Aug 26 '16 at 11:57
3

I know this is a very old post, but please, do not do this. Parameters in a header are XSS vulnerable. You can read more about XSS'ing here: owasp.org/index.php/Cross-site_Scripting_(XSS)

0

wiles How to Fix the XSS attack on header location

$param = $_REQUEST['bcd'];
header("Location: abc.php/?id=$param");
Vivek G.S
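
One way to handle the untrusted parameters discussed in the answers above, as an added example that is not code from any of the posters: values are taken from an allowlist, checked against an expected format, and percent-encoded with http_build_query() before they reach header(). The function name build_redirect, the allowlist patterns, the use of a local path instead of the absolute URL, and the sample input are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: build_redirect(), the allowlist and the sample input are
// hypothetical names and values, not code from the question or answers.
function build_redirect(string $path, array $input, array $allowed): string
{
    // The path comes from the application, never from the request, and must
    // be local ("//host" would be read as a different site).
    if (preg_match('#\A/(?!/)[A-Za-z0-9/_.-]*\z#', $path) !== 1) {
        throw new InvalidArgumentException('redirect path must be a local path');
    }
    $params = [];
    foreach ($allowed as $name => $pattern) {
        // Skip missing values and arrays such as ?id[]=1.
        if (!isset($input[$name]) || !is_string($input[$name])) {
            continue;
        }
        // Keep a value only if it has the format expected for that name.
        if (preg_match($pattern, $input[$name]) === 1) {
            $params[$name] = $input[$name];
        }
    }
    // http_build_query() percent-encodes names and values, so "&", "#",
    // quotes, CR and LF cannot change the URL structure or the header line.
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return $query === '' ? $path : $path . '?' . $query;
}

// Constructed sample standing in for $_GET.
$sample = [
    'id'     => '5',
    'param1' => "x\r\nSet-Cookie: a=b", // fails its pattern, dropped
    'param2' => 'red&admin=1',          // kept, but "&" and "=" get encoded
    'debug'  => '1',                    // not on the allowlist, dropped
];
$allowed = [
    'id'     => '/\A[0-9]{1,10}\z/',
    'param1' => '/\A[A-Za-z0-9_-]{1,32}\z/',
    'param2' => '/\A[\x20-\x7E]{1,64}\z/',
];
$target = build_redirect('/blast/v2/', $sample, $allowed);

if (PHP_SAPI === 'cli') {
    echo $target, PHP_EOL;   // run from the command line: just show the URL
} else {
    header('Location: ' . $target, true, 302);
    exit;
}
```

The page that receives the redirect still has to escape these values when it prints them, for example with htmlspecialchars(), because encoding the URL does not protect the HTML output at the destination.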