Why I Have to Call 'Exit' After Redirection Through Header('Location..') in PHP

Why I have to call 'exit' after redirection through header('Location..') in PHP?

could the code after the header-location call be effectively executed?

Yes, always. The header is only a line of data asking the browser to redirect. The rest of the page will still be served by PHP and can be looked at by the client by simply preventing the header command from executing.

That is easy enough to do with a command-line client like wget, for example, by simply telling it not to follow redirects.

Bottom line: If you don't prevent it, PHP will send out the whole body even after a header call. That body is fully available to the recipient without any special hacking skills.

php - Why should I call exit() after calling Location: header?

The header is only a line of data asking the browser to redirect. The rest of the page will still be served by PHP and can be looked at by the client by simply preventing the header command from executing.

If you don't prevent it, PHP will send out the whole body even after a header call. That body is fully available to the recipient.

php - Should I call exit() after calling Location: header?

You definitely should. Otherwise the script execution is not terminated. Setting another header alone is not enough to redirect.

Will PHP script be executed after header redirect?

Yes, the script continues to process after the call to header('Location: http://google.com') if you don't explicitly terminate it! I just tried this locally. I added test.php to a site in apache with these contents:

<?php

header('Location: http://google.com');
error_log("WE MADE IT HERE SOMEHOW");

?>

And checked my /var/log/apache2/error_log for this entry:

[Tue Feb 12 23:39:23 2013] [error] [client 127.0.0.1] WE MADE IT HERE SOMEHOW

Possibly surprising, but yes, it continues to execute if you don't halt execution.

PHP: Utilizing exit(); or die(); after header(Location: );

I have been looking for an answer on this as well. What I found:

Why die() or exit():

If you don't put a die() or exit() after your header('Location: http://something') your script may continue resulting in unexpected behaviour. This may for example result in content being disclosed that you actually wanted to prevent with the redirect (HTTP 301). The aforementioned may not directly be visible for an end user as the browser may not render it (due to the 301). Conclusion, the exit() and die() functions stop the script from continuing.

Difference:

I also wanted to know the difference between the functions as it seems there is none. However, in PHP, there is a distinct difference in Header output.
In the examples below I chose to use a different header but for sake of showing the difference between exit() and die() that doesn't matter.

Exit() in action

<?php
    header('HTTP/1.1 304 Not Modified');
    exit();
?>

Results in:

HTTP/1.1 304 Not Modified 
Connection: Keep-Alive 
Keep-Alive: timeout=5, max=100

Die() in action

<?php
    header('HTTP/1.1 304 Not Modified');
    die();
?>

Results in:

HTTP/1.1 304 Not Modified 
Connection: close

Difference

So, die() closes the connection and exit() doesn't. It depends on performance whether or not you want to keep the connection open or close it. Both have advantages and disadvantages and depends on your specific requirement(s).

HTTP persistent connections on Wiki

Php header location redirect not working

Pekka answered my question in the comments. He didn't post an answer, so I am now. Use the exit() method after the header redirect. For some reason the rest of the code of the page continues to execute after the header() method redirect. When the rest of the code executes, the echo statement is outputted to the page. And you can't redirect using the header function after you output to the page. To avoid rest of the code from executing, use exit(). Thanks Pekka.

UPDATE: When using the web browser Internet Explorer, I have noticed that $_POST['cancel'] is not reliable. I am not exactly sure why this is, but I suspect IE posts additional variables on a form submit, specifically the variable 'cancel' is posted. I solved this by using a variable name other than 'cancel'. The combination of using exit() and a unique variable name is working for me.

When should I call header('Location') without die()?

A good example is explained in this PHP user note, copied here for posterity:

---

A simple but useful packaging of arr1's suggestion for continuing
processing after telling the the browser that output is finished.

I always redirect when a request requires some processing (so we don't
do it twice on refresh) which makes things easy...

<?php 
 function redirect_and_continue($sURL) 
 { 
  header( "Location: ".$sURL ) ; 
  ob_end_clean(); //arr1s code 
  header("Connection: close"); 
  ignore_user_abort(); 
  ob_start(); 
  header("Content-Length: 0"); 
  ob_end_flush(); 
  flush(); // end arr1s code 
  session_write_close(); // as pointed out by Anonymous 
 } 
?>

---

This is useful for tasks that take a long time, such as converting a video or scaling a big image.

header location not working in my php code

That is because you have an output:

?>
<?php

results in blank line output.

header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP

Combine all your PHP codes and make sure you don't have any spaces at the beginning of the file.

also after header('location: index.php'); add exit(); if you have any other scripts bellow.

Also move your redirect header after the last if.

If there is content, then you can also redirect by injecting javascript:

<?php
    echo "<script>window.location.href='target.php';</script>";
    exit;
?>

---

Related Topics