Solved

header("Location: xxx.php") does not stop script?

Posted on 2008-10-30
Last Modified: 2010-04-21
Hi

I put a very simple "error check" in my code:

if($error){
header ("Location: error.php?error=$error");
}

And below that is plenty of code, and in particular, some sql code to insert data into the DB.

I noticed that when I run the code and cause $error to be true, then I get redirected to the error.php page correctly along with the get variable, BUT, I noticed that the SQL also got executed??

Is this "expected" behaviour?

I added an "exit();" into my error if statement, and it works now, but I was always under the impression that redirecting from the code will break execution of everything below???

Should I ALWAYS have an exit(); after a header redirect?
0
Question by:psimation
5 Comments
 
LVL 24

Accepted Solution

by:
glcummins earned 1000 total points
ID: 22843950
Yes, this is expected behavior, and yes, you should (almost) always use exit() after a header("Location...") call.

When you use header(), you are simply instructing your script to send output to the user's browser. However, this is a special kind of output which the user never sees. For example, the web server automatically sends the document type and last modification date in the header. The user never sees this, but the user's browser does and processes it as needed.

When you send header("Location..."), you are simply telling the user's browser to go somewhere else. However, *nothing* is sent to the user's browser until your script ends. The entire script processes, and then the output is sent to the browser.

Therefore, if you want the redirect to happen immediately, you must use exit() after the header() call.
0
 
LVL 16

Assisted Solution

by:hankknight
hankknight earned 1000 total points
ID: 22843962
PHP scripts do indeed continue to be executed after a header redirect.

A header redirect ONLY gives instructions to the browser to move on.

PHP will actually continue to output content after sending a header redirect.  But because the browser has already moved on the visitor does not see this output.

You should ALWAYS exit(); after a redirect.

Look at the recommended usage here: (They all use exit)
http://www.php.net/header
0
 
LVL 17

Author Comment

by:psimation
ID: 22844001
Damn - I better go check my other scripts!

I usually do other sanity checks as well - especially on sql operations, I'm actually kinda glad I spotted it here - else I would have been blissfully unaware!

Thanks to both!

One thing - is it possible for someone to bypass this and still see output - with a special "browser" or even curl functions?
0
 
LVL 24

Expert Comment

by:glcummins
ID: 22844102
Yes, definitely. In fact, I discovered this behavior once quite by accident while testing my scripts. One common method that attackers use to break your application is to access it in unexpected ways.

As a test, I accessed my application via telnet, rather than via a browser. This application required a login. If the login failed, the user was redirected (via header()) to an error message page.

When I accessed the application via telnet, I was able to see where the header information was sent, but then the rest of the "protected" page was displayed as well! Inserting an exit() after the header() line fixed the problem.
0
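
An added example, not part of any post in this thread: the login guard described above, with the unsafe form shown in a comment and a hardened redirect helper that always terminates the script. The names redirect_and_exit(), login.php and the session key 'user_id' are hypothetical.

```php
<?php
// Added example (not from the thread). redirect_and_exit(), login.php and
// the session key 'user_id' are hypothetical names.

/**
 * Send a Location header and stop the script so nothing below the call runs.
 */
function redirect_and_exit(string $path, array $query = []): void
{
    // Encode query values instead of interpolating raw variables into the URL.
    $url = $path . ($query ? '?' . http_build_query($query) : '');

    if (headers_sent($file, $line)) {
        // Output has already started, so header() can no longer take effect.
        // Fail closed: log where the output began and stop anyway.
        error_log("redirect to $url failed: output started at $file:$line");
        exit;
    }

    header('Location: ' . $url, true, 302);
    exit; // header() only sets a response header; exit is what ends execution
}

session_start();

// Unsafe form from the question: without exit, everything below the guard
// (protected markup, SQL inserts) still runs and is still sent to any client
// that does not follow the redirect.
// if (empty($_SESSION['user_id'])) { header('Location: login.php'); }

// Hardened form: the guard terminates the request.
if (empty($_SESSION['user_id'])) {
    redirect_and_exit('login.php', ['error' => 'not_logged_in']);
}

// Reached only when the session is authenticated.
echo 'Protected content for user ' . (int) $_SESSION['user_id'];
```

To verify a guarded page, request it without a session using a client that does not follow redirects (for example curl -i) and confirm the response is the 302 with an empty body.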
 
LVL 17

Author Closing Comment

by:psimation
ID: 31511793
I have a sinking feeling in my stomach...

Anyways, thanks to both - your posts were almost at exactly the same time so I think it's only fair to split equally?
0
