PHP security for Location header injection via $_GET

有刺的猬 2021-01-20 15:24

I've got this code on my page:

    header("Location: $page");

$page is passed to the script as a GET variable, do I need any security? (if so what)

4 answers
  •  深忆病人
    2021-01-20 15:48

    Yes, you do. Just because you or I can't immediately think of a way to take advantage of that little bit of code doesn't mean a more clever person can't. What you want to do is make sure that the redirect is going to a page that you deem accessible. Even this simple validation could work:

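    // Allowlist of pages the redirect may target.
    $safe_pages = array('index.php', 'login.php', 'signup.php');
    // Third argument true: strict comparison, only an exact string match passes.
    if (in_array($page, $safe_pages, true)) {
      header("Location: $page");
      exit; // stop executing once the redirect has been sent
    }
    else {
      echo 'That page is not accessible.';
    }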
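
The allowlist check from the answer above, run over several kinds of request value; this is an added example, not code from the original thread. The function name `resolve_redirect`, the `index.php` fallback, the `page` parameter name and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: names, fallback page and sample inputs are assumptions.

/**
 * Return the page to put in the Location header: the requested page if it is
 * on the allowlist, otherwise the fallback. Nothing from the request reaches
 * the header unless it is byte-for-byte equal to an allowlisted value.
 */
function resolve_redirect($requested, array $safe_pages, string $fallback): string
{
    // ?page[]=x makes $_GET['page'] an array; treat any non-string as invalid.
    if (!is_string($requested)) {
        return $fallback;
    }
    // Third argument true = strict comparison, no type juggling.
    return in_array($requested, $safe_pages, true) ? $requested : $fallback;
}

$safe_pages = array('index.php', 'login.php', 'signup.php');

// Constructed sample values standing in for $_GET['page'].
$samples = array(
    'login.php',                      // on the allowlist
    'https://other.example/',         // absolute URL, would leave the site
    '//other.example/',               // scheme-relative URL, would leave the site
    "index.php\r\nX-Constructed: 1",  // CR/LF followed by a second header line
    'LOGIN.PHP',                      // differs in case, not an exact match
    array('login.php'),               // array instead of a string
);

// Print the header each value would produce instead of sending it,
// so the script can be run from the command line.
foreach ($samples as $sample) {
    $target = resolve_redirect($sample, $safe_pages, 'index.php');
    printf("%-40s => Location: %s\n", json_encode($sample), $target);
}

// In the page itself:
//   header('Location: ' . resolve_redirect($_GET['page'] ?? null, $safe_pages, 'index.php'));
//   exit;
```

Since PHP 5.1.2, `header()` itself prevents more than one header from being sent per call, so on current versions the allowlist matters mostly for keeping the redirect on pages you chose.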
    
