In a PHP program can header() redirects be counted on to end the program flow, or is there value in, for example, following them with a die() to be safe? Is it possible for the user to exploit the script by somehow forgoing the redirects? This question is crucial in a case where the user is redirected for not having sufficient access permissions and the code following is intended only for those who were not redirected.

Comments

You should use exit() or die after your header

Written by Hamid Seyyedi

To get a list of which headers have currently been set, see headers_list()

Written by hakre

Accepted Answer

No, headers do not end the program execution. You must end it yourself with exit or die. You can try this yourself with something like this:

<?php
file_put_contents('/tmp/test', '1');
header('Location: http://www.emilvikstrom.se/');
file_put_contents('/tmp/test', '2');
?>

Check the content of /tmp/test and you'll find that it is 2.

I've also tried this script:

<?php
header('Location: http://www.emilvikstrom.se/');
echo "Test\n";
?>

together with telnet to send a manual HTTP request, with this result:

HTTP/1.1 302 Found
Server: nginx/0.7.67
Date: Tue, 05 Jul 2011 07:27:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-7+squeeze1
Location: http://www.emilvikstrom.se/
Vary: Accept-Encoding
Content-Length: 5

Test

As you see, everything which is echoed after the Location header is still sent to the browser. In fact, PHP cannot know after a header call if you are going to send it more headers, or if the things you echo out are of importance.

Written by Emil Vikström
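
Added example, not part of the original answer: the access-check case from the question, with a guard that only sets the Location header beside a guard that also exits. The session key `role`, the path `/login.php` and the `guard` query parameter are assumptions made for illustration.

```php
<?php
// Added example (not from the original answer). The session key 'role',
// /login.php and the ?guard= switch are hypothetical names for illustration.
// Serve with `php -S 127.0.0.1:8000` and request the page without following
// redirects (for example `curl -i`) to compare the two responses.

session_start();

function is_admin(): bool
{
    return ($_SESSION['role'] ?? '') === 'admin';
}

// BEFORE: sets the Location header and returns; the caller keeps running.
function guard_vulnerable(): void
{
    if (!is_admin()) {
        header('Location: /login.php', true, 302);
        // No exit here: execution continues after the guard returns.
    }
}

// AFTER: sets the header and terminates, so nothing below the call executes.
function guard_fixed(): void
{
    if (!is_admin()) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

// ?guard=vulnerable selects the broken guard so both can be compared.
if (($_GET['guard'] ?? 'fixed') === 'vulnerable') {
    guard_vulnerable();
} else {
    guard_fixed();
}

// Admin-only section. With guard_vulnerable() this output is still sent in
// the body of the 302 response to a client that is not logged in.
echo "admin-only report (constructed placeholder)\n";
```

Requested without an admin session, the `guard=vulnerable` variant returns the report text in the body of the 302 response, while the default variant returns the redirect with an empty body.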
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki