dsmnedc798226 2012-08-03 06:26

What is the best practice for redirecting to the previous page after login? PHP

After logging in, I want to redirect users back to the page they were on using PHP. After doing a little searching on the matter and not finding any good solutions, I decided to add a hidden field to the login form which contains the current partial URL using $_SERVER['REQUEST_URI']. The server uses this information to redirect the user back to the previous page after logging them in. This has been working correctly; however, here is my question.

Overall, what security measures do I need to apply to the URL, once it is returned to the server, so that, if tampered with, it will not redirect the user to an external and possibly unscrupulous site?

Ex: if I change the value in the form from $_SESSION['REQUEST_URI'] to http://www.google.com, it redirects to Google after login. What is the best way to sanitize this?

*I am currently using mysql_real_escape_string() for SQL injection purposes.

<form action="/signin/" method="post">
<!-- REQUEST_URI is attacker-influenced; escape it for the attribute context -->
<input type="hidden" name="return" value="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8'); ?>" />
</form>
......
<?php
// SQL escaping does not constrain where a URL points: an absolute URL such as
// http://www.google.com passes through unchanged (the open redirect asked about).
$return = mysql_real_escape_string($_POST['return']);
header('Location: '.$return);

4 answers

  • douzhuo1858 2012-08-03 07:11

    I found this, which looks really good to me: Safely Redirecting with an Open URL Parameter in PHP

    He's working with a trusted list of "referers".

    Building on this, you could go several ways: checking the referer, the hidden field in your form and, if you're able to, even the server logs.

    Except for the server logs, I don't think there's a better way to check where the user came from.

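An added example of the check the question asks for and the allowlist approach the answer points at. This is not the asker's code and not the code from the linked article. It assumes the hidden field is named "return" and the login handler lives at /signin/ as in the question; ALLOWED_HOSTS is a hypothetical allowlist of external hosts the site is willing to send users to (an empty list keeps every redirect on the site). The point it demonstrates: mysql_real_escape_string() says nothing about where a URL leads, so the value has to be validated as a URL. The safest shape is the one $_SERVER['REQUEST_URI'] already produces, a site-relative path starting with a single "/"; anything else must parse as http(s) to an allowlisted host, and everything that fails falls back to a fixed default.

```php
<?php
// Added example, not the asker's code. Validate the "return" field before it
// reaches header('Location: ...'). ALLOWED_HOSTS is an assumed allowlist.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

/**
 * Returns a redirect target that stays on this site (or goes to an allowed
 * host), or $default when $candidate is anything else.
 */
function safe_return_url(string $candidate, string $default = '/'): string
{
    // CR/LF would split the header; other control characters and whitespace
    // never occur in a URL this site generated itself.
    if ($candidate === '' || preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return $default;
    }
    // Some browsers treat "\" like "/" ("/\evil.example" acts as "//evil.example"),
    // so refuse backslashes anywhere rather than reasoning about positions.
    if (strpos($candidate, '\\') !== false) {
        return $default;
    }

    // Case 1: site-relative absolute path, the form REQUEST_URI produces.
    // "//evil.example/x" is protocol-relative and leaves the site, so a
    // second leading slash is rejected.
    if ($candidate[0] === '/') {
        return (isset($candidate[1]) && $candidate[1] === '/') ? $default : $candidate;
    }

    // Case 2: absolute URL; only http(s) to an allowlisted host is accepted.
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $default;            // "javascript:...", "data:...", bare "evil.example/x"
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }
    // "http://www.example.com@evil.example/" parses as host=evil.example with
    // userinfo; the host check below catches it, but refuse userinfo outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $default;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return $default;
    }
    return $candidate;
}

// Login form: REQUEST_URI is attacker-influenced, so escape it for the
// attribute context instead of echoing it raw.
function return_field_html(): string
{
    $uri = $_SERVER['REQUEST_URI'] ?? '/';
    return '<input type="hidden" name="return" value="'
        . htmlspecialchars($uri, ENT_QUOTES, 'UTF-8') . '" />';
}

// Login handler (/signin/): called only after the credentials checked out.
function redirect_after_login(array $post): void
{
    $target = safe_return_url((string) ($post['return'] ?? ''));
    header('Location: ' . $target, true, 303);
    exit;
}

// Constructed inputs showing what is accepted and what falls back to "/".
if (PHP_SAPI === 'cli') {
    $cases = [
        '/account/settings?tab=2',               // accepted: same-site path
        'http://www.google.com',                 // rejected: host not allowlisted
        '//evil.example/x',                      // rejected: protocol-relative
        '/\\evil.example/x',                     // rejected: backslash
        'javascript:alert(1)',                   // rejected: scheme
        "/ok\r\nSet-Cookie: a=b",                // rejected: header injection
        'https://www.example.com/profile',       // accepted: allowlisted host
        'http://www.example.com@evil.example/',  // rejected: userinfo
    ];
    foreach ($cases as $c) {
        printf("%-44s -> %s\n", json_encode($c), safe_return_url($c));
    }
}
```

Run it from the command line to see each constructed input and the target it resolves to. Checking the Referer header, as the answer suggests, can be layered on top, but it is optional for browsers to send and trivial for an attacker's page to omit, so it should only ever tighten the decision made above, never replace it.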
