Reputation: 11
Why/when does one have to use CRLFs at the end of a header in PHP? Here is one example (it's not necessarily correct):
header("method: POST\r\n");
header('Host: '.get_option('transact_url')."\r\n");
header('Content-type: application/x-www-form-urlencoded');
header('Content-length: '.strlen($transaction)."\r\n");
header($transaction."\r\n\r\n");
header("Connection: close\r\n\r\n");
header("Location: ".$key_client_url."\r\n");
Upvotes: 1
Views: 6380
Reputation: 66590
There was a way to add \r\n to a header in PHP 4, which was a vulnerability that could be exploited using CRLF injection attacks; see PHP HTTP Header Multiple Vulnerabilities.
Upvotes: 0
Reputation: 27876
Halfdan is correct. Here is the explanation.
The request line and headers must all end with CRLF (that is, a carriage return followed by a line feed). The empty line must consist of only CRLF and no other whitespace.
    Request = Request-Line              ; Section 5.1
              *(( general-header        ; Section 4.5
               | request-header         ; Section 5.3
               | entity-header ) CRLF)  ; Section 7.1
              CRLF
              [ message-body ]          ; Section 4.3
source: w3c.org - Hypertext Transfer Protocol -- HTTP/1.1
Upvotes: 1
Reputation: 34234
You should never do manual line-breaks inside of header(). The current implementation removes line-breaks so you're safe, but this could change in future (although there's no reason why it should be changed).
Upvotes: 5
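An added example, not code from any of the posts on this page: a pre-check that rejects CR, LF and NUL in a header value before it reaches header(), so an injection attempt fails loudly in application code instead of depending on what the runtime does with line breaks. The helper name build_header_line and the sample redirect targets are constructed for illustration.

```php
<?php
// Added example: build_header_line() is a hypothetical helper, not a PHP built-in.

/**
 * Return one header line that is safe to pass to header(), or throw.
 * CR, LF and NUL are rejected rather than stripped, so bad input is visible.
 */
function build_header_line(string $name, string $value): string
{
    // Header names are tokens: no spaces, colons or control characters.
    // \A and \z are used because $ would also match before a trailing newline.
    if (!preg_match('/\A[A-Za-z0-9!#$%&\'*+.^_`|~-]+\z/', $name)) {
        throw new InvalidArgumentException('invalid header name');
    }
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException('CR, LF or NUL in header value');
    }
    // No trailing "\r\n": the server API terminates each header line itself.
    return $name . ': ' . $value;
}

// Constructed inputs: one ordinary redirect target, and one where user input
// carried a CRLF followed by a second header line.
$samples = [
    'https://example.com/account',
    "https://example.com/\r\nX-Injected: 1",
];

foreach ($samples as $target) {
    try {
        $line = build_header_line('Location', $target);
        // In a real request handler, header($line) would be called here.
        echo 'OK      : ', $line, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // json_encode makes the control characters visible in the log line.
        echo 'REJECTED: ', json_encode($target), ' (', $e->getMessage(), ')', PHP_EOL;
    }
}
```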
Reputation: 157919
If it's PHP, this code is nonsense. The header() function is used to send answer headers, while some of these headers are request ones.
You can see this code because one who wrote it has no clue.
Upvotes: 3
Reputation: 3392
Got my log-ins all mixed, so I'm posting, although this is a comment for halfdan. Feel free to correct it, if someone can.
I saw that in the link and nobody mentioned what you've just told me, so I thought it had something to do with Linux line-endings. Granted, it was the only time I saw "\r\n" in header().
Upvotes: 0