rspec/rules/S5146/php/how-to-fix-it/core.adoc

== How to fix it in Core PHP

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,php,diff-id=1,diff-type=noncompliant]
----
$url=$_GET['url'];

header("Location: " . $url); // Noncompliant
----

==== Compliant solution

[source,php,diff-id=1,diff-type=compliant]
----
$url=$_GET['url'];

$allowedUrls = ['https://example.com/'];

if(in_array($url, $allowedUrls, true)){
  header("Location: " . $url);
}
----

include::../../common/fix/how-does-this-work.adoc[]

=== Pitfalls

include::../../common/pitfalls/starts-with.adoc[]