How to Create a PHP Redirect (Safely)

PHP redirects are a very useful tool, but they can also be dangerous if not used properly.

If you've read an introduction to PHP 7.4 and how to build a website, you'll know that the header() function can be used to easily redirect a user to another page. However, using this function is not as simple as it appears. In this guide, we'll show you how to create a PHP redirect that won't cause major issues later on.


The Fundamental PHP Redirect Method

Most guides will tell you that you can simply use the header() function at the top of your pages to create a PHP redirect. To do so, use the function to send a new URL, such as this:

header('Location: ' . $newURL . '.php');

This header function should be placed right at the top of the page, before you pass any HTML or text to your users' browsers. That is, it should come before the <!DOCTYPE> declaration, any JavaScript, and any PHP code that produces output. Users will then be directed to the new URL.

While it may appear simple, when it comes to the header() function, the code's simplicity can lead developers astray. So, let's take a look at how to use this function correctly.

die() and exit()

To begin, whenever you use a redirect, you should follow it with die() or exit(). In short, crawlers and bots can ignore headers, so the page you thought you were redirecting away from is completely accessible to them. In other words, if you use a header redirect on its own to protect a specific page, it provides no protection at all.

That is why, if the redirection is ignored, you must stop processing the rest of the page. To accomplish this, append die() or exit() after your redirect:

header('Location: ' . $newURL . '.php');
die();

Relative and Absolute URLs

Next, we'll go over relative and absolute URLs in redirects. RFC 7231 allows you to use both, but you should use relative redirects with extreme caution. This is due to the fact that some website builders collect and rename PHP pages. This means that if you work on your PHP via a website builder, you risk breaking all of your redirects.

Unfortunately, there is no real solution to this problem at the moment, short of keeping a close eye on where your redirects are pointing.

Status Codes

The third issue with standard PHP redirects is that a "Location" header sent from PHP returns the HTTP 302 status code by default. You should not allow it to do so because many web browsers implement this code in a way that contradicts its intended functionality: they essentially reissue the request with the GET method instead of performing a "real" redirect.

When creating PHP redirects, the best practice is to specify the code that is returned. Regrettably, the correct code to use is a source of contention. HTTP 301 indicates a permanent redirect, which may cause issues when attempting to restore your original page. Unfortunately, many browsers interpret HTTP 303 as "other," which can cause issues with search engine indexing.

In practice, use HTTP 303 until this situation is resolved.
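The precautions covered so far (send the header before any output, stop the script afterwards, use an absolute URL, set the status code explicitly) combined into one helper. This is an added example, not code from the original article; BASE_URL, redirect_to() and the 'user_id' session key are assumptions made for illustration.

```php
<?php
// Added example. BASE_URL and the 'user_id' session key are assumed values.
const BASE_URL = 'https://www.example.com';

/**
 * Send a redirect with an explicit status code and stop the script.
 */
function redirect_to(string $path, int $status = 303): void
{
    // Only redirect status codes are accepted; anything else is a caller bug.
    if (!in_array($status, [301, 302, 303, 307, 308], true)) {
        throw new InvalidArgumentException("Not a redirect status: $status");
    }

    // header() has no effect once output has started, so fail loudly
    // instead of letting the protected page render.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line");
    }

    // Build an absolute URL from a fixed base so the target does not depend
    // on where the current script happens to live.
    $target = BASE_URL . '/' . ltrim($path, '/');

    // The third argument sets the response code instead of the default 302.
    header('Location: ' . $target, true, $status);

    // Clients that ignore Location must not receive the rest of the page.
    exit;
}

session_start();
if (empty($_SESSION['user_id'])) {
    redirect_to('/login.php');
}

// Reached only by authenticated users.
echo 'Account settings';
```

If the helper is called after output has begun, the uncaught exception ends the script, so the protected content is still not sent.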

Examine the documentation

Aside from the basic precautions listed above, you should read the documentation on using PHP redirects before publishing them. Check the PHP manual to ensure that you understand what you're doing, as well as the W3C documentation to ensure that you're following best practices.

And, while you're reading, make sure to protect your website from common vulnerabilities: if you're already forced to use PHP redirects, your site's security will most likely require an audit.

Other Techniques
Given all of these concerns, you may be wondering why you would use a PHP redirect at all. That is a valid question. Though PHP redirects are typically executed faster than other types of redirects and can thus be an important tool in improving website speed, there are other options.


There are two primary approaches to this. To redirect from within the HTML portion of your page, you can use either the HTML <meta> element or JavaScript. The first approach, which makes use of <meta>, would look like this:

<meta http-equiv="refresh" content="0;url=newpage.php">

The second approach, which makes use of JavaScript, is a little more elegant and certainly appears more professional:

window.location.replace("http://newpage.php/");

Both of these methods are slightly slower than an immediate header() redirect, but they are arguably more flexible.

A Final Thought

While following the steps above should result in secure PHP redirects, if you find yourself using multiple PHP redirects, it is probably time to reconsider the structure of your site.

There are several compelling reasons to do so. The first is that not all web hosts are created equal, and sending all of your visitors on a circuitous route around your site will affect its performance. This can be improved to some extent by using a low-cost web hosting provider, but only to a point.

The second reason is that the page from which you are redirecting may be collecting data on your visitors without your knowledge, especially if you use web analytics software to track the performance of your site. That could have serious ramifications in our post-GDPR world.

So, in summary, be cautious with PHP redirects, use them correctly, and only use them when absolutely necessary.



