I have a script that ends with mysqli_close($connection);  [which I've been told is a "proper" methodology, although not a requirement]

I've now decided to add an option of

} else {  header("Location: https://example.com"); }

If conditions force the code to take this route, is the mysqli_close($connection); ever implemented?

Is there a Best Practice for addressing this instance?


16 hours ago, ginerjm said:

Whenever you use that header line you should definitely add an exit() right after it.

I want to 2nd what ginerjm wrote. It's very important to exit the script, because the sending of a location header does not guarantee the client will actually act upon it, so in some cases, this can be a security flaw unless you exit. It is also possible for a PHP script to continue to run beyond the location header. For example, you could make changes to a session variable or database.

Years ago I did a security audit of a company's code.  In their admin area they had code to check for admin rights like:

if (!$_SESSION['isAdmin']){
   header('Location: /login.php');
}

//Do the admin stuff.

No exit. It appeared to work fine at first glance, the user was redirected to the login page if they were not an admin user.

I highlighted this and told them they had to add the exit or some other way of stopping the script.  I demonstrated this by directly loading one of their admin pages to delete a piece of content while not being logged in.  I got sent to the login page as expected, but the selected piece of content was also unexpectedly deleted from the database.  So while a person couldn't just casually browse the admin area, if they knew the proper URLs and request data they could still essentially do whatever they wanted because of that missing exit call.

 

Edited by kicken
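A heuristic source check for the missing-exit pattern described in this thread, added here as an example and not code from any of the posters: it flags `header('Location: ...')` calls in PHP source that are not immediately followed by `exit`, `die`, `return` or `throw`. The function name and the `FIXED` sample are assumptions made for illustration; `VULNERABLE` reproduces the snippet from the post above.

```python
import re

# A header() call whose first string argument starts with "Location:".
LOCATION_CALL = re.compile(r"""\bheader\s*\(\s*(['"])\s*Location\s*:""", re.IGNORECASE)
# Statements that stop the script (exit/die) or leave the current code path.
TERMINATOR = re.compile(r"(exit|die|return|throw)\b", re.IGNORECASE)
# PHP comments: // line, # line, /* block */.
COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.DOTALL)

# The admin check from the post above: redirect, then fall through.
VULNERABLE = """<?php
if (!$_SESSION['isAdmin']){
   header('Location: /login.php');
}

//Do the admin stuff.
"""

# Constructed sample: the same check with the exit the thread recommends.
FIXED = """<?php
if (!$_SESSION['isAdmin']){
   header('Location: /login.php');
   exit; // nothing below runs for non-admins
}

//Do the admin stuff.
"""


def find_unterminated_redirects(php_source):
    """Return 1-based line numbers of Location redirects with no terminator after them."""
    findings = []
    for match in LOCATION_CALL.finditer(php_source):
        # Skip to the end of the opening string literal so a ';' inside
        # the URL is not mistaken for the end of the statement.
        close = php_source.find(match.group(1), match.end())
        end = php_source.find(";", close) if close != -1 else -1
        if end == -1:
            continue
        rest = php_source[end + 1:].lstrip()
        # Ignore comments between the redirect and the next statement.
        while (comment := COMMENT.match(rest)):
            rest = rest[comment.end():].lstrip()
        if not TERMINATOR.match(rest):
            findings.append(php_source.count("\n", 0, match.start()) + 1)
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_unterminated_redirects(VULNERABLE))
    print("fixed:", find_unterminated_redirects(FIXED))
```

This is a text heuristic, not a PHP parser: it ignores escaped quotes and will also match redirects inside commented-out code, so treat its findings as a review list.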