In a PHP program can header() redirects be counted on to end the program flow, or is there value in, for example, following them with a die() to be safe? Is it possible for the user to exploit the script by somehow forgoing the redirects? This question is crucial in a case where the user is redirected for not having sufficient access permissions and the code following is intended only for those who were not redirected.
No, header do not end the program execution. You must end it yourself with exit or die. You can try this yourself with something like this:
<?php file_put_contents('/tmp/test', '1'); header('Location: http://www.emilvikstrom.se/'); file_put_contents('/tmp/test', '2'); ?>
Check the content of
/tmp/test and you'll find that it is
I've also tried this script:
<?php header('Location: http://www.emilvikstrom.se/'); echo "Test\n"; ?>
together with telnet to send a manual HTTP request, with this result:
HTTP/1.1 302 Found Server: nginx/0.7.67 Date: Tue, 05 Jul 2011 07:27:14 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3-7+squeeze1 Location: http://www.emilvikstrom.se/ Vary: Accept-Encoding Content-Length: 5 Test
As you see, everything which is echoed after the Location header is still sent to the browser. In fact, PHP cannot know after a
header call if you are going to send it more headers, or if the things you echo out are of importance.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki