Change the single quotes to double quotes:

将单引号改为双引号：

header("Location: http://localhost/blast/v2/?$qry");

A single quoted string in PHP is treated as a string literal, which is not parsed for variables. Double quoted strings areparsed for variables, so you will get whatever $qrycontains appended, instead of literally $qry.

PHP 中的单引号字符串被视为字符串文字，不会为变量解析。双引号字符串被解析为变量，因此您将获得$qry附加的任何内容，而不是字面上的$qry。

You can also add multiple parameters via a header like:

您还可以通过标题添加多个参数，例如：

$divert=$row['id']."&param1=".($param1)."&param2=".($param2);
header("Location:showflagsab.php?id=$divert");

which adds the two additional paramaters to the original id

将两个额外的参数添加到原始 id

These can be extracted using the $getmethod at their destination

这些可以使用$get目的地的方法提取

I know this is a very old post, but please, do not do this. Parameters in a header are XSS vulnerable. You can read more about XSS'ing here: owasp.org/index.php/Cross-site_Scripting_(XSS)

我知道这是一个很老的帖子，但请不要这样做。标头中的参数易受 XSS 攻击。您可以在此处阅读有关 XSS 的更多信息：owasp.org/index.php/Cross-site_Scripting_(XSS)

wiles How to Fix the XSS attack on header location

wiles 如何修复头部位置的 XSS 攻击

$param = $_REQUEST['bcd'];
header("Location: abc.php/?id=$param");