Solved

header("Location: xxx.php") does not stop script?

Posted on 2008-10-30
Last Modified: 2010-04-21
Hi

I put a very simple "error check" in my code:

if ($error) {
    header("Location: error.php?error=$error");
}

And below that is plenty of code, and in particular, some sql code to insert data into the DB.

I noticed that when I run the code and cause $error to be true, then I get redirected to the error.php page correctly along with the get variable, BUT, I noticed that the SQL also got executed??

Is this "expected" behaviour?

I added an "exit();" into my error if statement, and it works now, but I was always under the impression that redirecting from the code will break execution of everything below???

Should I ALWAYS have an exit(); after a header redirect?
Question by:psimation

Accepted Solution

by:
glcummins earned 250 total points
ID: 22843950
Yes, this is expected behavior, and yes, you should (almost) always use exit() after a header("Location...") call.

When you use header(), you are simply instructing your script to send output to the user's browser. However, this is a special kind of output which the user never sees. For example, the web server automatically sends the document type and last modification date in the header. The user never sees this, but the user's browser does and processes it as needed.

When you send header("Location..."), you are simply telling the user's browser to go somewhere else. However, *nothing* is sent to the user's browser until your script ends. The entire script processes, and then the output is sent to the browser.

Therefore, if you want the redirect to happen immediately, you must use exit() after the header() call.

Assisted Solution

by:hankknight
hankknight earned 250 total points
ID: 22843962
PHP scripts do indeed continue to be executed after a header redirect.

A header redirect ONLY gives instructions to the browser to move on.

PHP will actually continue to output content after sending a header redirect.  But because the browser has already moved on the visitor does not see this output.

You should ALWAYS exit(); after a redirect.

Look at the recommended usage here: (They all use exit)
http://www.php.net/header

Author Comment

by:psimation
ID: 22844001
Damn - I better go check my other scripts!

I usually do other sanity checks as well - especially on sql operations, I'm actually kinda glad I spotted it here - else I would have been blissfully unaware!

Thanks to both!

One thing - is it possible for someone to bypass this and still see output - with a special "browser" or even curl functions?

Expert Comment

by:glcummins
ID: 22844102
Yes, definitely. In fact, I discovered this behavior once quite by accident while testing my scripts. One common method that attackers use to break your application is to access it in unexpected ways.

As a test, I accessed my application via telnet, rather than via a browser. This application required a login. If the login failed, the user was redirected (via header()) to an error message page.

When I accessed the application via telnet, I was able to see where the header information was sent, but then the rest of the "protected" page was displayed as well! Inserting an exit() after the header() line fixed the problem.
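
The behaviour described in the comment above, as an added example that is not part of the original thread: a Python check that parses a raw HTTP response and returns any page content sent along with a redirect. Both sample responses are constructed, and the function names are this example's own.

```python
# Added example: does a redirect response still carry page content?
# Both raw responses below are constructed samples, not real captures.
PAGE = b"<h1>Protected report</h1>"
RAW_NO_EXIT = (b"HTTP/1.1 302 Found\r\n"
               b"Location: error.php?error=login\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n"
               + b"%x\r\n%s\r\n0\r\n\r\n" % (len(PAGE), PAGE))
RAW_WITH_EXIT = (b"HTTP/1.1 302 Found\r\n"
                 b"Location: error.php?error=login\r\n"
                 b"Content-Length: 0\r\n\r\n")

def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body (chunk extensions and trailers ignored)."""
    out = b""
    while body:
        size_line, _, rest = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip() or b"0", 16)
        if size == 0:
            break
        out += rest[:size]
        body = rest[size + 2:]  # skip the chunk data and its trailing CRLF
    return out

def parse_response(raw: bytes):
    """Split a raw response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return status, headers, body

def leaked_body(raw: bytes) -> bytes:
    """Return the content sent together with a redirect, or b"" if none."""
    status, headers, body = parse_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return body.strip()
    return b""
```

A browser follows the Location header and discards this body; a client that shows the raw response does not.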

Author Closing Comment

by:psimation
ID: 31511793
I have a sinking feeling in my stomach...

Anyways, thanks to both - your posts were almost at exactly the same time so I think it's only fair to split equally?
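
For checking other scripts for the same problem, an added example that is not part of the original thread: a Python scan that reports the line of every header("Location: ...") call not immediately followed by exit or die. The PHP sample is constructed, and the function names are this example's own.

```python
import re

# Constructed PHP sample: only the first redirect lacks exit/die.
SAMPLE = r'''<?php
if ($error) {
    header("Location: error.php?error=$error");
}
if (!$loggedIn) {
    header('Location: login.php');  // not logged in
    exit();
}
if ($done) { header("Location: done.php?msg=" . urlencode("ok (saved)")); die; }
'''

REDIRECT = re.compile(r"\bheader\s*\(\s*[\"']\s*Location\s*:", re.IGNORECASE)
SKIP = re.compile(r"(?:\s|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.DOTALL)
STOP = re.compile(r"(?:exit|die)\b", re.IGNORECASE)

def end_of_call(src, pos):
    """Index just past the ')' that closes the call starting at pos."""
    depth, quote, i = 0, None, pos
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(src)

def unguarded_redirects(src):
    """Line numbers of Location redirects not followed by exit/die."""
    hits = []
    for m in REDIRECT.finditer(src):
        i = SKIP.match(src, end_of_call(src, m.start())).end()
        if src.startswith(";", i):
            i = SKIP.match(src, i + 1).end()   # whitespace and comments
        if not STOP.match(src, i):
            hits.append(src.count("\n", 0, m.start()) + 1)
    return hits
```

This is a heuristic: a redirect inside a helper function that exits on its own, or one followed by `return`, is still reported and needs a manual look.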