I have to use redirects a lot in my scripts, for example after a user logs in I need to redirect them to the admin area, etc. But I f开发者_C百科ind it inconvenient to always have to have the header function at the very top. So if I use the meta refresh tags for my redirects, is that something that would be frowned upon according to best practices or is it acceptable?

function redirect($location) {
    echo "<meta http-equiv='refresh' content='0; url=$location' />";
}

No. The Wikipedia clearly states:

Meta refresh is a discouraged method of instructing a web browser to automatically refresh the current web page or frame after a given time interval.....

Meta refresh tags have some drawbacks:

1. If a page redirects too quickly (less than 2-3 seconds), using the "Back" button on the next page may cause some browsers to move back to the redirecting page, whereon the redirect will occur again. This is bad for usability, as this may cause a reader to be "stuck" on the last website.
2. A reader may or may not want to be redirected to a different page, which can lead to user dissatisfaction or raise concerns about security.

I would personally use the header() function, then the user does not have to wait for another page to load.

I personally use header() function but Meta just refreshes the page to that url istead of redirecting so it has a chance of killing cookies/sessions whereas header() only works if there is nothing posted to the site before you use it. They both have there ups and downs.

It depends upon your needs.

If you have to redirect a user after login then you must use header redirect.

meta refresh is discouraged due to the reasons mentioned above but still if it is required you can use meta refresh. for example showing an ad on your site and then after certain number of seconds you force a file download or redirect to a new page.

here is a small scenario

PHP

login.php page is displaying a login form, after submit that page posts data to clearn_login_form.php to clean the inputs. clearn_login_form.php redirects to validate.php and then validate.php redirects to admin_area/admin_main.php.

All this redirection is done on backend and user will only see login.php and admin_main.php pages, and if user press the browser's back button it will go back to login.php

META

In meta refresh, redirection is done on browser / client side which is security risk, becouse users will be able to see clear_login_form.php and validate.php in their URLs. also if they hit back buttom from admin_main.php they will arrive at validate.php from where they will again redirected to admin_main.php

PHP is secure and fast and will hide some important file names from users, where meta is exposed and users can do CSRF or Session hijacking attacks (if they found any holes)

Now you have to use header on the very first lines is a problem for you, to overcome this issue use ob_start() function. but make sure to put exit() right after every header command.

Note: ob_start and header() combined is not a good practice and it confuses other programmers who works on your code. It is advised to use header on top most locations, or before any output is sent to browser

function redirect($location) { header("location: $location"); exit(); }