In a PHP program can header() redirects be counted on to end the program flow, or is there value in, for example, following them with a die() to be safe? Is it possible for the user to exploit the script by somehow forgoing the redirects? This question is crucial in a case where the user is redirected for not having sufficient access permissions and the code following is intended only for those who were not redirected.
No, header do not end the program execution. You must end it yourself with exit or die. You can try this yourself with something like this:
<?php
file_put_contents('/tmp/test', '1');
header('Location: http://www.emilvikstrom.se/');
file_put_contents('/tmp/test', '2');
?>
Check the content of /tmp/test
and you'll find that it is 2
.
I've also tried this script:
<?php
header('Location: http://www.emilvikstrom.se/');
echo "Test\n";
?>
together with telnet to send a manual HTTP request, with this result:
HTTP/1.1 302 Found
Server: nginx/0.7.67
Date: Tue, 05 Jul 2011 07:27:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-7+squeeze1
Location: http://www.emilvikstrom.se/
Vary: Accept-Encoding
Content-Length: 5
Test
As you see, everything which is echoed after the Location header is still sent to the browser. In fact, PHP cannot know after a header
call if you are going to send it more headers, or if the things you echo out are of importance.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With