Home/ Questions/Q 6111119
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T14:35:37+00:00

In a PHP program can header() redirects be counted on to end the program

  • 0

In a PHP program can header() redirects be counted on to end the program flow, or is there value in, for example, following them with a die() to be safe? Is it possible for the user to exploit the script by somehow forgoing the redirects? This question is crucial in a case where the user is redirected for not having sufficient access permissions and the code following is intended only for those who were not redirected.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    No, header do not end the program execution. You must end it yourself with exit or die. You can try this yourself with something like this:

    <?php
file_put_contents('/tmp/test', '1');
header('Location: http://www.emilvikstrom.se/');
file_put_contents('/tmp/test', '2');
?>

    Check the content of /tmp/test and you’ll find that it is 2.

    I’ve also tried this script:

    <?php
header('Location: http://www.emilvikstrom.se/');
echo "Test\n";
?>

    together with telnet to send a manual HTTP request, with this result:

    HTTP/1.1 302 Found
Server: nginx/0.7.67
Date: Tue, 05 Jul 2011 07:27:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-7+squeeze1
Location: http://www.emilvikstrom.se/
Vary: Accept-Encoding
Content-Length: 5

Test

    As you see, everything which is echoed after the Location header is still sent to the browser. In fact, PHP cannot know after a header call if you are going to send it more headers, or if the things you echo out are of importance.

    • 0