00: Should be safe

    if (substr($_GET['url'], $_SERVER['HTTP_HOST'])) {
        // Note: substr() takes an integer offset as its second argument, not a needle string.
        $redirect_url = $_GET['url'];
        // The redirect target is always prefixed with the site's own origin.
        header("Location: https://hackxpert.com/" . $redirect_url);
    }

10: You need a protocol and a website (an FQDN): https://hackxpert.com

20: evil.com/#hackxpert.com
    hackxpert.com needs to be in the URL since it comes from that domain. But # is also in the URL, and that is not processed by the server :)
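A containment test of the kind hint 20 describes, next to a check that parses the URL and compares the host component exactly. This is an added example, not the lab's own code: ALLOWED_HOST, weak_check and strict_check are hypothetical names, and the sample URLs are constructed from the values in the hints above.

```php
<?php
// Added example, not the lab's code. ALLOWED_HOST and both function names are hypothetical.
const ALLOWED_HOST = 'hackxpert.com';

// Weak check: the trusted name only has to appear somewhere in the string,
// so it is satisfied even when the name sits in the fragment after '#'.
function weak_check(string $url): bool
{
    return strpos($url, ALLOWED_HOST) !== false;
}

// Stricter check: parse the URL and compare the host component exactly.
function strict_check(string $url): bool
{
    // Reject whitespace, control characters and backslashes before parsing.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // not an absolute URL
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // no userinfo in redirect targets
    }
    return strtolower($parts['host']) === ALLOWED_HOST;
}

// Constructed sample inputs; the last two use the value from hint 20.
$samples = [
    'https://hackxpert.com/account',
    'https://evil.com/#hackxpert.com',
    'evil.com/#hackxpert.com',
];
foreach ($samples as $u) {
    printf("%-34s weak=%-5s strict=%s\n", $u,
        var_export(weak_check($u), true), var_export(strict_check($u), true));
}
```

All three samples pass weak_check; only the first passes strict_check, because the host is taken from the parsed URL rather than searched for in the raw string.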