How to avoid HTTP Header Injection (new lines characters)

Question

I sometimes use user data in php function header like this :

header(\'Location : test\' . $user_data);

I used to remove

Answer 1

Quoting the doc:

(since 4.4.2 and 5.1.2) This function now prevents more than one header to be sent at once as a protection against header injection attacks.

So I suppose even that CRLF replacement you've already did is not necessary.