Will PHP script be executed after header redirect?

天涯浪人 2020-12-03 13:41

Yes, this question has been asked before, however, the answers have been inconsistent. Take Why I have to call 'exit' after redirection through header('Location

10 Answers
  • 2020-12-03 14:01

    The script will still run after the redirection is done. Although it may be useful sometimes, people who use the header function have to be aware that it can be dangerous. Look at this piece of very unsafe code:

    <?php
    if($_GET['some_secret'] != '123') {
        setcookie("status", "not logged in");
        header("Location: /");
    }
    setcookie("status", "logged in");
    
    echo("Some secret info!")
    ?>
    

    No matter what some_secret you enter, you will always have a cookie with the value logged in. The only difference here is that the user will be redirected if a wrong parameter value is given.

    Solution: Use the die() or exit() method to end the script immediately after the redirection.

    This small correction will make our script work as we wanted it to.

    <?php
    if($_GET['some_secret'] != '123') {
        setcookie("status", "not logged in");
        header("Location: /");
        die();
    }
    setcookie("status", "logged in");
    
    echo("Some secret info!")
    ?>
    

    (I won't show another simple solution with else statement, as this is not really the way it should be done.)


    You may think that a user at least won't see the secret information you print on the screen. WRONG! The browser just makes a redirection, but it's up to us whether we follow it.

    In this example, I used the vulnerable code without die:

    $ telnet 192.168.1.39 80
    Trying 192.168.1.39...
    Connected to 192.168.1.39.
    Escape character is '^]'.
    GET /test.php?some_secret=wrong
    Some secret info!
    Connection closed by foreign host.
    

    As you can see, secret information leaked.

    So be aware that header can be very unsafe!
    ...and remember to normally not store data such as passwords in plaintext, or information like logged in, in cookies.

    0 Discussion (0)
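Added example, not part of the answer above or of the original thread: a heuristic Python check that flags `header("Location: ...")` calls whose next statement is not `exit`/`die`, run over that answer's two snippets (embedded here as constructed samples). The function and constant names are hypothetical, and this is a text heuristic, not a PHP parser.

```python
import re

# Start of a redirect call such as header("Location: /"), any letter case.
REDIRECT = re.compile(r"""\bheader\s*\(\s*['"]\s*location\s*:""", re.IGNORECASE)
# exit; / exit(); / die; / die(); as the very next statement.
TERMINATOR = re.compile(r"(?:exit|die)\b\s*(?:\([^)]*\))?\s*(?:;|\?>)", re.IGNORECASE)
# Whitespace, stray semicolons and PHP comments allowed between the two statements.
SKIP = re.compile(r"(?:\s+|;|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.DOTALL)

# Constructed samples: the answer's two snippets, before and after adding die().
VULNERABLE = """<?php
if($_GET['some_secret'] != '123') {
    setcookie("status", "not logged in");
    header("Location: /");
}
setcookie("status", "logged in");
echo("Some secret info!")
?>"""
FIXED = VULNERABLE.replace('header("Location: /");', 'header("Location: /");\n    die();')

def end_of_call(src, start):
    """Index just past the ')' that closes the call starting at src[start:]."""
    depth, quote, i = 0, None, src.index("(", start)
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1  # skip the escaped character inside a string literal
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(src)

def unterminated_redirects(src):
    """Line numbers of Location redirects not directly followed by exit/die."""
    findings = []
    for m in REDIRECT.finditer(src):
        pos = SKIP.match(src, end_of_call(src, m.start())).end()
        if not TERMINATOR.match(src, pos):
            findings.append(src.count("\n", 0, m.start()) + 1)
    return findings
```

A hit means "review this", not proof of a bug: a redirect that is the last statement of a script is flagged too.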
  • 2020-12-03 14:02

    USECASE SCENARIO: Redirect users to captive portal then start a countdown timer to write them off the block list after x minutes.

    0 Discussion (0)
  • 2020-12-03 14:09

    Yes, it will be executed for a short amount of time.

    Once the redirect header is sent to the browser, the browser will close the current connection and open a new one for the redirect URL. Until that original connection is closed and Apache shuts down the script, your code will continue to execute as before.

    In theory, if there was a sufficiently fast connection between the client/server, and there was no buffering anywhere in the pipeline, issuing the header would cause the script to be terminated immediately. In reality, it can be anywhere between "now" and "never" for the shutdown to be initiated.

    Read more

    0 Discussion (0)
  • 2020-12-03 14:09

    Yes yes yes, header is like any other part of the PHP script: it will be sent after the script execution has completed. However, the trick is: if we want to redirect to a new URL, then why continue executing scripts after header("location: url"); ?>

    <?php
    header('Location: test.php');
    header('Location: test.php');
    header('Location: test.php');
    header('Location: test.php');
    header('Location: test.php');
    header('Location: test.php');
    header('Location: test.php');
    
    $var = 'google.com';
    header("Location: http://$var");
    
    ?> 
    
    0 Discussion (0)