开发者

Can header() redirects be counted on to end the program flow?

In a PHP program can header() redirects be counted on to end the program flow, or is there value in, for example, following them with a die() to be safe? Is it possible for the user to exploit the script by somehow forgoing the redirects? This question is crucial in a case where the user is redirected for not having sufficient access permissions and the code 开发者_StackOverflow中文版following is intended only for those who were not redirected.


No, header do not end the program execution. You must end it yourself with exit or die. You can try this yourself with something like this:

<?php
file_put_contents('/tmp/test', '1');
header('Location: http://www.emilvikstrom.se/');
file_put_contents('/tmp/test', '2');
?>

Check the content of /tmp/test and you'll find that it is 2.

I've also tried this script:

<?php
header('Location: http://www.emilvikstrom.se/');
echo "Test\n";
?>

together with telnet to send a manual HTTP request, with this result:

HTTP/1.1 302 Found
Server: nginx/0.7.67
Date: Tue, 05 Jul 2011 07:27:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-7+squeeze1
Location: http://www.emilvikstrom.se/
Vary: Accept-Encoding
Content-Length: 5

Test

As you see, everything which is echoed after the Location header is still sent to the browser. In fact, PHP cannot know after a header call if you are going to send it more headers, or if the things you echo out are of importance.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜