8.5.x common.inc drupal_get_destination()
8.0.x common.inc drupal_get_destination()
8.1.x common.inc drupal_get_destination()
8.2.x common.inc drupal_get_destination()
8.3.x common.inc drupal_get_destination()
8.4.x common.inc drupal_get_destination()
8.6.x common.inc drupal_get_destination()
4.6.x common.inc drupal_get_destination()
4.7.x common.inc drupal_get_destination()
5.x common.inc drupal_get_destination()
6.x common.inc drupal_get_destination()
7.x common.inc drupal_get_destination()

Prepares a 'destination' URL query parameter for use with drupal_goto().

Used to direct the user back to the referring page after completing a form. By default the current URL is returned. If a destination exists in the previous request, that destination is returned. As such, a destination can persist across multiple pages.

Return value

An associative array containing the key:

  • destination: The path provided via the destination query string or, if not available, the current path.

See also



Related topics

27 calls to drupal_get_destination()
comment_admin_overview in modules/comment/comment.admin.inc
Form builder for the comment overview administration form.
common_test_destination in modules/simpletest/tests/common_test.module
Print destination query parameter.
contextual_pre_render_links in modules/contextual/contextual.module
Build a renderable array for contextual links.
field_ui_field_overview_form_submit in modules/field_ui/field_ui.admin.inc
Form submission handler for field_ui_field_overview_form().
hook_translated_menu_link_alter in modules/system/system.api.php
Alter a menu link after it has been translated and before it is rendered.

... See full list


includes/common.inc, line 525
Common functions that many Drupal modules will need to reference.


function drupal_get_destination() {
  $destination =& drupal_static(__FUNCTION__);
  if (isset($destination)) {
    return $destination;
  if (isset($_GET['destination'])) {
    $destination = array(
      'destination' => $_GET['destination'],
  else {
    $path = $_GET['q'];
    $query = drupal_http_build_query(drupal_get_query_parameters());
    if ($query != '') {
      $path .= '?' . $query;
    $destination = array(
      'destination' => $path,
  return $destination;


leeotzu’s picture

In my opinion the code $destination = array('destination' => $_GET ['destination']); may impose a xss threat as destination parameter can be exploited to collect the information


Let me know if my assumption is correct

greggles’s picture

Your assumption is not correct in general. The $_GET['destination'] is a point where user supplied text gets into a variable, but that variable is designed to be passed to the l() or url() functions which perform sanitization by default.

Any use of this data outside of those functions should take special care to filter it explicitly.

masipila’s picture

@leeotzu: reporting security concerns in public is extremely bad practice. This page contains instructions on how to report security issues, please follow that process on the next time.