• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 600

header("Location: xxx.php") does not stop script?

Hi

I put a very simple "error check" in my code:

if ($error) {
    header("Location: error.php?error=$error");
    // no exit() here, so everything below this block still runs
}

And below that is plenty of code, and in particular, some sql code to insert data into the DB.

I noticed that when I run the code and cause $error to be true, then I get redirected to the error.php page correctly along with the get variable, BUT, I noticed that the SQL also got executed??

Is this "expected" behaviour?

I added an "exit();" into my error if statement, and it works now, but I was always under the impression that redirecting from the code will break execution of everything below???

Should I ALWAYS have an exit(); after a header redirect?
2 Solutions
 
glcummins commented:
Yes, this is expected behavior, and yes, you should (almost) always use exit() after a header("Location...") call.

When you use header(), you are simply instructing your script to send output to the user's browser. However, this is a special kind of output which the user never sees. For example, the web server automatically sends the document type and last modification date in the header. The user never sees this, but the user's browser does and processes it as needed.

When you send header("Location..."), you are simply telling the user's browser to go somewhere else. However, *nothing* is sent to the user's browser until your script ends. The entire script processes, and then the output is sent to the browser.

Therefore, if you want the redirect to happen immediately, you must use exit() after the header() call.
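An added example (written for this page, not code from either expert or from the original poster) that puts the answer above into a reusable shape: a redirect helper that always calls exit, a headers_sent() guard for the case where output has already been flushed (header() cannot redirect then, and the rest of the page would be served), and the poster's fall-through pattern beside the corrected version. It assumes PHP 8.1 or later for the `never` return type, and uses an in-memory SQLite PDO connection with a constructed `log` table only so the fall-through can be observed from the command line; the `redirect`, `handleBefore` and `handleAfter` names are mine.

```php
<?php
declare(strict_types=1);

// header("Location: ...") only queues a response header. PHP keeps running
// until the script ends, so any statement after it (SQL writes, protected
// HTML) still executes unless the script stops itself.

// Hardened helper: emit the redirect and stop execution in one place.
function redirect(string $url, int $status = 302): never
{
    // If output was already sent, header() can no longer add a Location
    // header; stop here rather than fall through to the protected content.
    if (headers_sent($file, $line)) {
        error_log("redirect(): headers already sent at $file:$line");
        exit;
    }
    header("Location: $url", true, $status);
    exit; // nothing after the call site ever runs
}

// "Before": the pattern from the question, deliberately left as reported.
// $error is null when there is no error, otherwise a short message.
function handleBefore(?string $error, PDO $db): void
{
    if ($error !== null) {
        header("Location: error.php?error=" . urlencode($error));
        // no exit: execution falls through and the INSERT below still runs
    }
    $db->exec("INSERT INTO log (msg) VALUES ('insert ran despite error')");
}

// "After": the same flow using the helper; the INSERT is only reachable
// when there is no error.
function handleAfter(?string $error, PDO $db): void
{
    if ($error !== null) {
        redirect("error.php?error=" . urlencode($error));
    }
    $db->exec("INSERT INTO log (msg) VALUES ('insert ran on the happy path')");
}

// Command-line demonstration (constructed data, not a real application).
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE log (msg TEXT)");

handleBefore('bad input', $db);
$rows = (int) $db->query("SELECT COUNT(*) FROM log")->fetchColumn();
echo "rows after handleBefore with an error: $rows\n"; // 1: the insert ran anyway

handleAfter(null, $db);
$rows = (int) $db->query("SELECT COUNT(*) FROM log")->fetchColumn();
echo "rows after handleAfter without an error: $rows\n"; // 2: happy path insert

// This call redirects and terminates the script; the line after it is
// never reached, so the row count stays at 2.
handleAfter('bad input', $db);
echo "never printed\n";
```

To confirm the fix on a running server, request the guarded page with `curl -i` and check that the 302 response carries only headers: with the fall-through version the protected page body (and any side effects, such as the INSERT) follows the Location header, exactly as the telnet test later in this thread describes.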
 
hankknight commented:
PHP scripts do indeed continue to be executed after a header redirect.

A header redirect ONLY gives instructions to the browser to move on.

PHP will actually continue to output content after sending a header redirect. But because the browser has already moved on the visitor does not see this output.

You should ALWAYS exit(); after a redirect.

Look at the recommended usage here: (They all use exit)
http://www.php.net/header
 
psimation (author) commented:
Damn - I better go check my other scripts!

I usually do other sanity checks as well - especially on sql operations, I'm actually kinda glad I spotted it here - else I would have been blissfully unaware!

Thanks to both!

One thing - is it possible for someone to bypass this and still see output, with a special "browser" or even curl functions?
 
glcummins commented:
Yes, definitely. In fact, I discovered this behavior once quite by accident while testing my scripts. One common method that attackers use to break your application is to access it in unexpected ways.

As a test, I accessed my application via telnet, rather than via a browser. This application required a login. If the login failed, the user was redirected (via header()) to an error message page.

When I accessed the application via telnet, I was able to see where the header information was sent, but then the rest of the "protected" page was displayed as well! Inserting an exit() after the header() line fixed the problem.
 
psimation (author) commented:
I have a sinking feeling in my stomach...

Anyways, thanks to both - your posts were almost at exactly the same time so I think it's only fair to split equally?