Does PHP Code Execute After a `header('Location: ...')` Redirect, and How Can This Be Prevented?

Avoiding Execution of Post-Redirection Code in PHP

When performing redirections using the header('Location:..') function in PHP, it is a common practice to include an exit; statement afterwards to prevent execution of subsequent code. This raises the question of whether code after the header function can still be executed and, if so, in what scenarios.

Can Post-Redirection Code Execute?

Yes, code after the header function can still be executed. The header function only sends a request to the browser to redirect, but the rest of the page will still be served by PHP and can potentially be viewed by the client.

How to Prevent Code Execution

To avoid post-redirection code execution, the exit; statement must be used immediately after the header function. This ensures that all PHP execution stops and the server responds with the redirect header only.

Exploitation by Malicious Users

A malicious user can ignore the header call by using a command-line client like wget with the --no-redirect option. This allows them to view the page content that would have been served before the redirection.

Best Practice

Therefore, it is essential to always use the exit; statement after the header function to prevent execution of post-redirection code and protect against potential security vulnerabilities.

The above is the detailed content of Does PHP Code Execute After a `header('Location: ...')` Redirect, and How Can This Be Prevented?. For more information, please follow other related articles on the PHP Chinese website!