16

I'm creating a script to validate a form and I was asking myself a question. When I use a header (see example below), do I need to use exit right after? I mean, does using header also means that it is exiting by default therefore I don't need to use the command exit?

// cancel button clicked
if (isset($_POST['cancel'])) {
  header("Location: http://localhost/admin/tracks.php");
  exit;
}

echo '<p>$name</p>'
ROMANIA_engineer
  • 54,432
  • 29
  • 203
  • 199
Marco
  • 213
  • 3
  • 5
  • I think you don't need to. When the header is sent, you will be redirected and the script will stop the execution. – emco Apr 03 '11 at 05:51
  • 3
    @EmCo Not exactly true. See the example in my answer. – AgentConundrum Apr 03 '11 at 06:03
  • possible duplicate of [Why I have to call 'exit' after redirection through header('Location..') in PHP?](http://stackoverflow.com/questions/2747791/why-i-have-to-call-exit-after-redirection-through-headerlocation-in-php) – kapa Apr 30 '12 at 09:30

6 Answers6

24

You should call exit() because a header() won't automatically stop the script from executing - or if it does (I'm honestly not 100% on that), it definitely doesn't stop the script instantly.

For example, try this code:

<?php

  header("Location: http://www.google.com");
  unlink(__FILE__);

?>

This little script uses header() to redirect you to Google, and then deletes itself. If you run it, you'll notice that after you were redirected, the file was still deleted. This means that the unlink() call was still executed even though the header() call redirected you.

AgentConundrum
  • 20,288
  • 6
  • 64
  • 99
7

I use exit after the header->location call because I want to be able to rely ABSOLUTELY on the fact that the script won't get past the header->location call.

If there's a bug somewhere and your script starts generating output BEFORE the header->location call, the call will fail, and script execution will continue normally (unless you call exit)

Shad
  • 15,134
  • 2
  • 22
  • 34
  • 1
    Good point about the failed call. I hadn't even considered that possibility. – AgentConundrum Apr 03 '11 at 06:04
  • Your bug example is irrelevant. No bugs required for script to continue – Your Common Sense Apr 03 '11 at 06:21
  • @Shrapnel I didn't say one was _required_, I offered an example. Script execution does _not_ continue normally after a successful header->location call – Shad Apr 03 '11 at 06:25
  • @Shad: Actually, it does. See my answer for an example. Your first "Location" header doesn't even need to be the first one you send. You can set a Location header, do some processing, then send another one, and the user will be redirected to the last Location you specify. – AgentConundrum Apr 03 '11 at 06:32
  • @Shad oh, really? any reason for that? – Your Common Sense Apr 03 '11 at 06:43
  • @Agent that's not so true. Depends on time of that activity. – Your Common Sense Apr 03 '11 at 06:56
  • @Col. Shrapnel: I assume you're referring to the double-location headers? If so, you're absolutely right. You can only replace the header until the headers are sent. If you did location->echo->location, without any sort of output buffering, then the first location would be used because the Location header, along with all other headers, would automatically be sent before the echoed contents could be sent. Presumably the second one would also throw a "headers already sent" error as well, but nobody would see it since the browser would have already redirected away from your page. – AgentConundrum Apr 03 '11 at 07:22
  • Not knowing exactly _when_ your script will stop executing is not what I call _normal_ execution. – Shad Apr 03 '11 at 16:31
1

Although the answers above sound great, if you're unsure of your code path, this could lead to unexpected results. For example, if you're using a framework that relies on the fact that code execution will run from beginning to end, you may inadvertently interrupt it.

This might be okay from a user perspective as they will still be redirected and will be none the wiser, but consider the following:

You're using a framework (OS or custom) that is expecting to log redirects, or set additional headers (or any number of other items). By calling exit, you're circumventing that logic and therefore may get unexpected results.

So in short, yes the above methods will work, just a word of caution to know what you're expecting to happen before short circuiting it.

Demian Brecht
  • 21,135
  • 5
  • 42
  • 46
0

It does NOT stop your script from running, your script will keep on running and sometimes all a person (could be with bad intentions) needs is your script to reach a certain point where he could do X. Header() will just redirect, exit(); however will stop the script right on the spot (where exit(); is). or as someone else stated under the username:

Cody. A. Ray: Yes, the script continues to process after the call to header('Location: http://google.com') if you don't explicitly terminate it! I just tried this locally. I added test.php to a site in apache with these contents

<?php

 header('Location: http://google.com');
 error_log("WE MADE IT HERE SOMEHOW");

?>

And checked my /var/log/apache2/error_log for this entry:

 [Tue Feb 12 23:39:23 2013] [error] [client 127.0.0.1] WE MADE IT HERE SOMEHOW

so end conclusion: Header doesn't stop the script from running.

0

Output is generally not sent (depending on output buffering and so on) if you redirect like that, but as shown by the unlink() example the script does not die with header().

So the exit() or die() calls are necessary if you want to prevent the script from continuing after the redirect.

user268396
  • 11,576
  • 2
  • 31
  • 26
-2

does using header also means that it is exiting by default

How so? What if your header is not Location: one but Content-type: or Cache-control or whatever else?

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345