Yes, this question has been asked before; however, the answers have been inconsistent. Take Why I have to call 'exit' after redirection through header('Location
The script will still run after the redirection is done. Although it may be useful sometimes, people who use the header function have to be aware that it can be dangerous. Look at this piece of very unsafe code:
No matter what some_secret you enter, you will always have a cookie with value logged in. The only difference here is that the user will be redirected if a wrong parameter value is given.
Solution: Use the die() or exit() method to end the script immediately after redirection.
This small correction will make our script work as we wanted it to.
(I won't show another simple solution with else statement, as this is not really the way it should be done.)
You may think that a user at least won't see the secret information you print on the screen. WRONG! The browser just makes a redirection, but it's up to us if we follow it.
In this example, I used the vulnerable code without die:
$ telnet 192.168.1.39 80
Trying 192.168.1.39...
Connected to 192.168.1.39.
Escape character is '^]'.
GET /test.php?some_secret=wrong
Some secret info!
Connection closed by foreign host.
As you can see, secret information leaked.
So be aware that header can be very unsafe!
...and remember that you should normally not store data like passwords in plaintext, or information like logged in in cookies.
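The pattern the quoted answer describes, next to a hardened form, as an added example that is not code from the post. The file layout, the `auth` cookie name, `/login.php`, `EXPECTED_SECRET` and the function names are assumptions built from the post's description.

```php
<?php
// Added example. All names and values here are constructed for illustration.
const EXPECTED_SECRET = 'placeholder-secret';

// Vulnerable: header() only queues a response header. The script keeps
// running, so the cookie and the body are sent together with the redirect.
function handle_vulnerable(array $query): void
{
    if (($query['some_secret'] ?? '') !== EXPECTED_SECRET) {
        header('Location: /login.php');
        // no exit here: execution falls through
    }
    setcookie('auth', 'logged in');   // mirrors the post; not a sound session design
    echo "Some secret info!\n";
}

// Hardened: one helper that always terminates after queuing the redirect,
// so a forgotten exit cannot happen at an individual call site.
function redirect_and_stop(string $path): void
{
    header('Location: ' . $path, true, 302);
    exit;   // nothing below the call site runs: no cookie, no body
}

function handle_hardened(array $query): void
{
    $given = $query['some_secret'] ?? '';
    // is_string() rejects array input such as ?some_secret[]=x;
    // hash_equals() compares in constant time.
    if (!is_string($given) || !hash_equals(EXPECTED_SECRET, $given)) {
        redirect_and_stop('/login.php');
    }
    setcookie('auth', 'logged in');
    echo "Some secret info!\n";
}

// Swap in handle_vulnerable($_GET) to compare the two raw responses.
handle_hardened($_GET);
```

Requested with a wrong `some_secret` by a client that does not follow redirects, the vulnerable handler returns the `Set-Cookie` header and the body alongside `Location`, while the hardened one returns only the redirect.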