do I need to use exit after header(“Location: http://localhost/…”);?

Question

I\'m creating a script to validate a form and I was asking myself a question. When I use a header (see example below), do I need to use exit right after? I mean, does using head

Answer 1

Output is generally not sent (depending on output buffering and so on) if you redirect like that, but as shown by the unlink() example the script does not die with header().

So the exit() or die() calls are necessary if you want to prevent the script from continuing after the redirect.

Answer 2

does using header also means that it is exiting by default

How so? What if your header is not Location: one but Content-type: or Cache-control or whatever else?

Answer 3

You should call exit() because a header() won't automatically stop the script from executing - or if it does (I'm honestly not 100% on that), it definitely doesn't stop the script instantly.

For example, try this code:

<?php

  header("Location: http://www.google.com");
  unlink(__FILE__);

?>

This little script uses header() to redirect you to Google, and then deletes itself. If you run it, you'll notice that after you were redirected, the file was still deleted. This means that the unlink() call was still executed even though the header() call redirected you.

Answer 4

It does NOT stop your script from running, your script will keep on running and sometimes all a person (could be with bad intentions) needs is your script to reach a certain point where he could do X. Header() will just redirect, exit(); however will stop the script right on the spot (where exit(); is). or as someone else stated under the username:

Cody. A. Ray: Yes, the script continues to process after the call to header('Location: http://google.com') if you don't explicitly terminate it! I just tried this locally. I added test.php to a site in apache with these contents

<?php

 header('Location: http://google.com');
 error_log("WE MADE IT HERE SOMEHOW");

?>

And checked my /var/log/apache2/error_log for this entry:

 [Tue Feb 12 23:39:23 2013] [error] [client 127.0.0.1] WE MADE IT HERE SOMEHOW

so end conclusion: Header doesn't stop the script from running.

Answer 5

Although the answers above sound great, if you're unsure of your code path, this could lead to unexpected results. For example, if you're using a framework that relies on the fact that code execution will run from beginning to end, you may inadvertently interrupt it.

This might be okay from a user perspective as they will still be redirected and will be none the wiser, but consider the following:

You're using a framework (OS or custom) that is expecting to log redirects, or set additional headers (or any number of other items). By calling exit, you're circumventing that logic and therefore may get unexpected results.

So in short, yes the above methods will work, just a word of caution to know what you're expecting to happen before short circuiting it.

Answer 6

I use exit after the header->location call because I want to be able to rely ABSOLUTELY on the fact that the script won't get past the header->location call.

If there's a bug somewhere and your script starts generating output BEFORE the header->location call, the call will fail, and script execution will continue normally (unless you call exit)