phppup Posted July 17, 2022

I have a script that ends with mysqli_close($connection); [which I've been told is a "proper" methodology, although not a requirement]

I've now decided to add an option of

    } else {
        header("Location: https://example.com");
    }

If conditions force the code to take this route, is the mysqli_close($connection); ever implemented? Is there a Best Practice for addressing this instance?

ginerjm Posted July 17, 2022

You don't have to close any db connections. PHP will do it all the time. Whenever you use that header line you should definitely add an exit() right after it.

gizmola Posted July 18, 2022

16 hours ago, ginerjm said:

    Whenever you use that header line you should definitely add an exit() right after it.

I want to 2nd what ginerjm wrote. It's very important to exit the script, because the sending of a location header does not guarantee the client will actually act upon it, so in some cases, this can be a security flaw unless you exit. It is also possible for a PHP script to continue to run beyond the location header. For example, you could make changes to a session variable or database.

ginerjm Posted July 18, 2022

Thanks for the promo Gizmola, but I probably learned that piece of advice from the very good people right here!

kicken Posted July 18, 2022

Years ago I did a security audit of a company's code. In their admin area they had code to check for admin rights like:

    if (!$_SESSION['isAdmin']){
        header('Location: /login.php');
    }
    //Do the admin stuff.

No exit. It appeared to work fine at first glance, the user was redirected to the login page if they were not an admin user. I highlighted this and told them they had to add the exit or some other way of stopping the script. I demonstrated this by directly loading one of their admin pages to delete a piece of content while not being logged in. I got sent to the login page as expected, but the selected piece of content was also unexpectedly deleted from the database. So while a person couldn't just casually browse the admin area, if they knew the proper URLs and request data they could still essentially do whatever they wanted because of that missing exit call.

Edited July 18, 2022 by kicken
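
The missing-exit pattern from kicken's audit next to the fix recommended earlier in the thread, as an added example that is not code from any of the posters. The function names, the array standing in for the database table and the session array passed as a parameter are assumptions made so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for a database table (assumption).
$content = [1 => 'Welcome post', 2 => 'Pricing page'];
// Constructed session of a visitor who is not logged in as admin (assumption).
$session = ['isAdmin' => false];

// Pattern from the audit: the redirect header is queued, nothing stops the script.
function delete_without_exit(array $session, array &$content, int $id): void
{
    if (empty($session['isAdmin'])) {
        header('Location: /login.php'); // only adds a response header
    }
    unset($content[$id]); // the "admin stuff" still executes for non-admins
}

// Hypothetical helper: queue the redirect, then end the script immediately.
function redirect_and_exit(string $url): void
{
    header('Location: ' . $url, true, 302);
    exit;
}

// Hardened handler: a non-admin request never reaches the state change.
function delete_with_exit(array $session, array &$content, int $id): void
{
    if (empty($session['isAdmin'])) {
        redirect_and_exit('/login.php');
    }
    unset($content[$id]);
}

// Non-admin request against the unguarded handler: row 1 is removed anyway.
delete_without_exit($session, $content, 1);
error_log('after delete_without_exit: ' . json_encode($content));

// Same request against the hardened handler: the script ends inside the guard,
// so row 2 is left untouched and the line below is never logged.
delete_with_exit($session, $content, 2);
error_log('after delete_with_exit: ' . json_encode($content));
```

Calling the guard at the top of every admin script, before any code that reads request data or changes state, keeps the check and the stop in one place.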