Solved

header("Location: xxx.php") does not stop script?

Posted on 2008-10-30
Last Modified: 2010-04-21
Hi

I put a very simple "error check" in my code:

if($error){
header ("Location: error.php?error=$error");
}

And below that is plenty of code, and in particular, some sql code to insert data into the DB.

I noticed that when I run the code and cause $error to be true, then I get redirected to the error.php page correctly along with the get variable, BUT, I noticed that the SQL also got executed??

Is this "expected" behaviour?

I added an "exit();" into my error if statement, and it works now, but I was always under the impression that redirecting from the code will break execution of everything below???

Should I ALWAYS have an exit(); after a header redirect?
0
Question by:psimation
5 Comments
 
LVL 24

Accepted Solution

by:glcummins
glcummins earned 250 total points
ID: 22843950
Yes, this is expected behavior, and yes, you should (almost) always use exit() after a header("Location...") call.

When you use header(), you are simply instructing your script to send output to the user's browser. However, this is a special kind of output which the user never sees. For example, the web server automatically sends the document type and last modification date in the header. The user never sees this, but the user's browser does and processes it as needed.

When you send header("Location..."), you are simply telling the user's browser to go somewhere else. However, *nothing* is sent to the user's browser until your script ends. The entire script processes, and then the output is sent to the browser.

Therefore, if you want the redirect to happen immediately, you must use exit() after the header() call.
0
 
LVL 16

Assisted Solution

by:hankknight
hankknight earned 250 total points
ID: 22843962
PHP scripts do indeed continue to be executed after a header redirect.

A header redirect ONLY gives instructions to the browser to move on.

PHP will actually continue to output content after sending a header redirect.  But because the browser has already moved on the visitor does not see this output.

You should ALWAYS exit(); after a redirect.

Look at the recommended usage here: (They all use exit)
http://www.php.net/header
0
 
LVL 17

Author Comment

by:psimation
ID: 22844001
Damn - I better go check my other scripts!

I usually do other sanity checks as well - especially on sql operations, I'm actually kinda glad I spotted it here - else I would have been blissfully unaware!

Thanks to both!

One thing - is it possible for someone to bypass this and still see output - with a special "browser" or even curl functions?
0
 
LVL 24

Expert Comment

by:glcummins
ID: 22844102
Yes, definitely. In fact, I discovered this behavior once quite by accident while testing my scripts. One common method that attackers use to break your application is to access it in unexpected ways.

As a test, I accessed my application via telnet, rather than via a browser. This application required a login. If the login failed, the user was redirected (via header()) to an error message page.

When I accessed the application via telnet, I was able to see where the header information was sent, but then the rest of the "protected" page was displayed as well! Inserting an exit() after the header() line fixed the problem.
0
 
LVL 17

Author Closing Comment

by:psimation
ID: 31511793
I have a sinking feeling in my stomach...

Anyways, thanks to both - your posts were almost at exactly the same time so I think it's only fair to split equally?
0
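
An added example, not part of the original thread or any poster's code: a heuristic Python check for auditing existing PHP scripts for the pattern discussed above, a header("Location: ...") call whose next statement is not exit or die. The function names and the sample PHP source are constructed for illustration, and the check assumes exit/die must be the very next statement.

```python
import re

# Heuristic: a header("Location: ...") call should be followed directly by exit/die.
LOCATION_CALL = re.compile(r'\bheader\s*\(\s*["\']\s*Location\s*:', re.IGNORECASE)
SKIP = re.compile(r'(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)*', re.DOTALL)
TERMINATOR = re.compile(r'(?:exit|die)\b', re.IGNORECASE)

def statement_end(src, start):
    """Index just past the ';' that ends the statement beginning at start."""
    quote, i = None, start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == '\\':
                i += 1            # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
        elif ch == ';':           # a ';' inside a string never reaches here
            return i + 1
        i += 1
    return len(src)

def find_unterminated_redirects(src):
    """Return line numbers of Location redirects not followed by exit/die."""
    findings = []
    for m in LOCATION_CALL.finditer(src):
        end = statement_end(src, m.start())
        rest = SKIP.match(src, end).end()   # skip whitespace and comments
        # Assumption: return/throw after a redirect is flagged for manual review.
        if not TERMINATOR.match(src, rest):
            findings.append(src.count('\n', 0, m.start()) + 1)
    return findings

# Constructed sample input, modelled on the snippet in the question.
SAMPLE = '''<?php
if ($error) {
    header("Location: error.php?error=$error");
}
mysql_query("INSERT INTO t VALUES (1)");   // still runs when $error is set
if (!$logged_in) {
    header('Location: login.php;x=1');   // ';' inside the string
    /* stop here */ exit();
}
'''

if __name__ == '__main__':
    for line in find_unterminated_redirects(SAMPLE):
        print(f'line {line}: redirect without exit/die')
```

Findings are candidates for review, not proof of a flaw: a redirect at the very end of a script is flagged even though nothing runs after it.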
