Sanitation for URL used in Header: Location?

长发绾君心 2021-01-13 19:32

In a multi-step form process, I am receiving a URL as a form field.

After processing, my PHP script redirects to that address using header("Location: ...");

1 answer
  •  小鲜肉 (original poster)
    2021-01-13 20:08

    In old versions of PHP you had to worry about CRLF injection, which is \r\n. This is a "header response splitting vulnerability." If you strip out these characters then you shouldn't have to worry. In the latest build of PHP the header() function is safe, and will automatically take care of \r\n for you.

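An added example, not part of the original thread: one way to check a form-supplied URL before it reaches header("Location: ..."), rejecting the \r\n characters the answer mentions instead of relying on the PHP version. It goes beyond the answer by also limiting where the redirect may point; the function name redirect_target, the allow-list and the sample URLs are assumptions.

```php
<?php
// Added example. redirect_target() and all hosts/paths below are hypothetical.

/** Return $url if it is safe to place in a Location header, otherwise null. */
function redirect_target(string $url, array $allowedHosts): ?string
{
    // Reject CR, LF, other control bytes, spaces and backslashes outright.
    // Rejecting (not stripping) avoids redirecting to a silently altered URL.
    if ($url === '' || preg_match('/[\x00-\x20\x7F\\\\]/', $url)) {
        return null;
    }
    // Same-site path: exactly one leading slash ("//host" names another host).
    if ($url[0] === '/') {
        return (($url[1] ?? '') === '/') ? null : $url;
    }
    // Absolute URL: http(s) only, no userinfo, host must be on the allow-list.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true) ? $url : null;
}

// Constructed sample inputs, as they might arrive in the form field.
$allowed = ['www.example.com'];
$samples = [
    '/step3.php?id=7',
    'https://www.example.com/done',
    "/next\r\nSet-Cookie: sid=1",
    '//other.example/path',
    'https://other.example/',
];
foreach ($samples as $s) {
    $t = redirect_target($s, $allowed);
    echo json_encode($s), ' => ', $t === null ? 'rejected' : 'ok', PHP_EOL;
    // In the real script: if ($t !== null) { header('Location: ' . $t, true, 303); exit; }
}
```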