Why I have to call 'exit' after redirection through header('Location..') in PHP?


Question

You know that if you want to redirect a user in PHP you can use the header function:

header('Location: http://smowhere.com');

It is also well known that it is good practice to also put an exit; after the header call, to prevent execution of other PHP code. So my question is: could the code after the header-location call be effectively executed? In which cases? Can a malicious user completely ignore the header('Location..') call? How?

Recommended answer

could the code after the header-location call be effectively executed?

Yes, always. The header is only a line of data asking the browser to redirect. The rest of the page will still be served by PHP and can be looked at by the client by simply preventing the header command from executing.

That is easy enough to do with a command-line client like wget, for example, by simply telling it not to follow redirects.

Bottom line: If you don't prevent it, PHP will send out the whole body even after a header call. That body is fully available to the recipient without any special hacking skills.
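
The behaviour described in the answer, as an added example that is not part of the original question or answer: a page guard that redirects without `exit` beside the same guard with it. The session key `user_id`, the `/login.php` target, the `?page=` switch and the helper names are assumptions made for this demo.

```php
<?php
// Added example: constructed demo, not code from the question or answer.
// Assumed names: $_SESSION['user_id'], /login.php, the ?page= switch.
session_start();

// Redirect and terminate, so no later statement runs and no body is sent.
function redirect_and_exit(string $url, int $status = 302): void
{
    header('Location: ' . $url, true, $status);
    exit;
}

function is_logged_in(): bool
{
    return isset($_SESSION['user_id']);
}

// Stands in for protected output or a state-changing action.
function render_report(): void
{
    echo "Quarterly report: constructed sample data\n";
}

function page_vulnerable(): void
{
    if (!is_logged_in()) {
        header('Location: /login.php');
        // Missing exit: PHP keeps executing this function.
    }
    render_report(); // runs and is sent in the body of the 302 response
}

function page_hardened(): void
{
    if (!is_logged_in()) {
        redirect_and_exit('/login.php'); // script stops here
    }
    render_report(); // reached only by authenticated sessions
}

// Route on a query parameter so both variants can be compared side by side.
$page = $_GET['page'] ?? 'hardened';
if ($page === 'vulnerable') {
    page_vulnerable();
} else {
    page_hardened();
}
```

Served with PHP's built-in web server and requested without a session by a client that does not follow redirects, `?page=vulnerable` returns the 302 together with the report body, while `?page=hardened` returns the 302 with an empty body.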
