Solved

header("Location: xxx.php") does not stop script?

Posted on 2008-10-30
Last Modified: 2010-04-21
Hi

I put a very simple "error check" in my code:

if($error){
    header ("Location: error.php?error=$error");
    // no exit() here, so everything below this if block still runs
}

And below that is plenty of code, and in particular, some sql code to insert data into the DB.

I noticed that when I run the code and cause $error to be true, then I get redirected to the error.php page correctly along with the GET variable, BUT, I noticed that the SQL also got executed?

Is this "expected" behaviour?

I added an "exit();" to my error if statement, and it works now, but I was always under the impression that redirecting from the code will break execution of everything below?

Should I ALWAYS have an exit(); after a header redirect?
Question by:psimation
Accepted Solution by glcummins (earned 250 total points), ID: 22843950
Yes, this is expected behavior, and yes, you should (almost) always use exit() after a header("Location...") call.

When you use header(), you are simply instructing your script to send output to the user's browser. However, this is a special kind of output which the user never sees. For example, the web server automatically sends the document type and last modification date in the header. The user never sees this, but the user's browser does and processes it as needed.

When you send header("Location..."), you are simply telling the user's browser to go somewhere else. However, *nothing* is sent to the user's browser until your script ends. The entire script processes, and then the output is sent to the browser.

Therefore, if you want the redirect to happen immediately, you must use exit() after the header() call.
Assisted Solution by hankknight (earned 250 total points), ID: 22843962
PHP scripts do indeed continue to be executed after a header redirect.

A header redirect ONLY gives instructions to the browser to move on.

PHP will actually continue to output content after sending a header redirect. But because the browser has already moved on, the visitor does not see this output.

You should ALWAYS exit(); after a redirect.

Look at the recommended usage here: (They all use exit)
http://www.php.net/header
Author Comment by psimation, ID: 22844001
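Both answers above make the same point: header() only queues a Location header for the browser, it does not stop the script. The following is an added example, not code from the thread or from the php.net manual, that puts the asker's error check in its buggy form beside the fixed one and records whether the insert ran. insertRecord(), handleRequestBuggy() and handleRequestFixed() are hypothetical names, and $db is a plain array standing in for the database.

```php
<?php
// Added example, not code from the thread. It reproduces the asker's error
// check in two forms and records which statements actually ran. insertRecord()
// is a hypothetical stand-in for the real SQL INSERT; $db is a plain array.
declare(strict_types=1);

/** Hypothetical stand-in for the INSERT the asker described. */
function insertRecord(array &$db, string $value): void
{
    $db[] = $value;
}

/**
 * Buggy form: header() only queues a response header for the browser. PHP
 * keeps executing, so the INSERT below still runs when $error is set.
 */
function handleRequestBuggy(?string $error, array &$db): string
{
    if ($error) {
        header('Location: error.php?error=' . urlencode($error));
        // no exit() here, so execution falls through to the insert
    }
    insertRecord($db, 'row-from-request');
    return 'protected page content';
}

/**
 * Fixed form: exit right after the Location header so nothing below runs.
 * An explicit 303 status is sent and the error text is URL-encoded so a
 * user-controlled value cannot break the query string.
 */
function handleRequestFixed(?string $error, array &$db): string
{
    if ($error) {
        header('Location: error.php?error=' . urlencode($error), true, 303);
        exit;
    }
    insertRecord($db, 'row-from-request');
    return 'protected page content';
}

// Demo: run with `php thisfile.php`. Under the CLI header() is a no-op, which
// does not matter here; the point is whether the insert happens.
$db = [];
handleRequestBuggy('bad input', $db);
echo 'buggy handler, error set: rows inserted = ' . count($db) . PHP_EOL;

$db = [];
// exit stops the script, so the fixed case reports from a shutdown function.
register_shutdown_function(function () use (&$db): void {
    echo 'fixed handler, error set: rows inserted = ' . count($db) . PHP_EOL;
});
handleRequestFixed('bad input', $db);
echo 'this line is never reached' . PHP_EOL;
```

Running it shows one row inserted by the buggy handler and none by the fixed one. On a deployed script the same symptom is visible without a browser: fetching the page with curl -i (or the telnet session glcummins describes below) prints the Location header followed by whatever body the script went on to produce, which is exactly the output the exit() removes.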
Damn - I better go check my other scripts!

I usually do other sanity checks as well - especially on sql operations, I'm actually kinda glad I spotted it here - else I would have been blissfully unaware!

Thanks to both!

One thing - is it possible for someone to bypass this and still see output, with a special "browser" or even curl functions?

Expert Comment by glcummins, ID: 22844102
Yes, definitely. In fact, I discovered this behavior once quite by accident while testing my scripts. One common method that attackers use to break your application is to access it in unexpected ways.

As a test, I accessed my application via telnet, rather than via a browser. This application required a login. If the login failed, the user was redirected (via header()) to an error message page.

When I accessed the application via telnet, I was able to see where the header information was sent, but then the rest of the "protected" page was displayed as well! Inserting an exit() after the header() line fixed the problem.
Author Closing Comment by psimation, ID: 31511793
I have a sinking feeling in my stomach...

Anyways, thanks to both - your posts were almost at exactly the same time, so I think it's only fair to split equally?