after all stuff behind is run
immediately
Which is the case? Can anyone verify this?
Refer the following link.
http://php.net/manual/en/function.header.php
To make sure that a page is directly redirected, add a exit; after the header.
depends on the output_buffering setting
headers_sent() function can verify
If output buffering is disabled then it will be sent immediately. It must be sent before any other content (however you can perform processing logic before sending the header)
Depends on output buffering, but the PHP interpreter still only uses them after having interpreted all the code before, just like a normal function. Still, there must not be any HTML before a header(), or things will screw up.
Related
I need to redirect users if I don't want them to be able to access a certain page. How reliable is header('Location: ../acc/login.php'); for example? Can browsers ignore 302 errors, and is this the right way? Thanks in advance!
It depends a lot what you're trying to do. Technically spoken, header() is somewhat reliable. Only somewhat, because many PHP users have problems with it and to not get it to work.
PHP will prevent it from working if output has been already send to the browser. A drastic example:
<protected page content here>
<?php
header('Location: login-first.php');
exit();
?>
This would not work at all. You would eventually see even an error message with a warning.
Headers - by design - need to be send out before any other content (response body). They can not be send any longer if the response body has already started and PHP can't help you then in that case.
However, if you send headers before the response body, that function will work. Also the risk obviously to mess something up is not that drastic any longer, too:
<?php
header('Location: login-first.php');
exit();
?>
<protected page content here>
You can rely on header(), but make sure you called die(), exit() or return after that. Otherwise, script will continue its execution, which is potential security issue.
The browser can ignore header('Location: '); forwarding.
That is why you should always return after a call to a header() forward so the rest of your code does not execute should the browser not honor the forwarding.
It is the correct way to do things tho.
I would send the header command and then the exit command "exit()" (to stop running the php code on the server) before displaying the rest of the page. This way the user would never be sent the page content even if they ignored the 302 redirection.
And yes the user can ignore the 302 redirection:
http://www.webmasterworld.com/html/3604591.htm
header is 100% reliable.
However header('Location: ../acc/login.php') will be evaluated in the browser to a real location on your website, and ../acc/login.php wil not form a url that is valid!
<?
echo "lalala";
header("Location: http://www.google.com/");
If i put this in a plain php file and deliver over a standard apache2 server with mod-php (PHP Version 5.3.2-1ubuntu4.10) the redirect to google works.
<?
echo "lalala";
flush();
header("Location: http://www.google.com/");
this code does obviously not produce a working redirect.
My question is how the first code is beeing processed and why it works. Because I remember times when things like this were not possible. Is mod-php or apache intelligent enough to buffer the whole request and arrange headers before content?
And:
Can I rely on this if I make sure I don't flush the output manually? Because it would make my application much easier...
Output buffering is probably enabled by default. You should enable it manually if you want to rely on this functionality.
http://php.net/manual/en/function.ob-start.php
The header function ADDS an http common header to the HTTP response. So, the redirect is setted and the browser gets the 302 message before showing you the output.
flush orders php to send the http response already prepared at the point it is called. That's why the second code won't set the header (it must be setted before sending ANY output).
And, the PHP should not output a single thing until:
The script is processed (even if an error stops the parsing)
you set it to send the output somewhere in the script with flush()
Finally, check this on output control http://www.php.net/manual/en/intro.outcontrol.php
so apparently if you do this:
<?php
echo 'something';
header("Location: http://something/");
?>
it will not work because there is an output preceding the header...
is there any other alternative php redirection method that works straight from php without installing anything and in which it will still work even if there's an output preceding it so that I don't have to worry about making sure that there is no output before, etc...
not, unless you do something in javascript or html tags in the page that you output itself
if preceding output is a problem
you can also use output buffering, see ob_start, ob_get
to get around that
There is no other way to do a php redirect, but you can fool it to still work even with code prior. You would buffer the content and only output it if there is no redirect or reaches the end of the script. Note: this may be resource heavy in some cases.
ob_start()
....CONTENT...
ob_end_flush();
There are no ways in PHP except using header()... before output is sent (headers be already sent)...
You can either use meta refresh in HTML that is set at zero seconds, or javascript.
But I wouldn't recommend javascript as some will have it disabled.
You could use a meta refresh tag.
You understand why this is impossible, right?
As soon as you echo "something" you have sent content to the client, and as part of that client headers were already sent. You can't retroactively modify headers you already sent, and you can't make two responses to one HTTP request.
ob_start() and ob_end_flush() will buffer the output instead of sending it to the client, which will allow you to get around this problem, BUT
a better solution would be to:
separate your logic code from your template so that you don't write anything to the screen until you already know you aren't going to redirect.
I'm trying to understand how I would implement the post/redirect/get pattern if my handler page where everything is $_POST'd to requires session data (checking if the user is logged in, lets say)
I can't call: header("Location /somenewplace", 303); because I'd get a 'Cannot modify headers' error, as I've already called session_start() to get the session data.
Can someone help me understand this pattern a bit better, should your handler require interacting with session data?
Thank you,
Usually when I get that error its because something has already been outputted to the user. You cannot output any data before calling header(). Check to see if you are printing/echoing anything before header is called. Also check your closing tags on your scripts, if you have a space after a closing tag ?> php will output that to the user and set the headers.
There is something wrong in your code. The session_start() shouldn't send the headers. Use PHP output buffering to ensure no output is sent.
A call to session_start() should only modify the headers. You probably outputted some data somewhere else in your script. When PHP gives you the message 'Cannot modify headers' it usually tells you on which line the output was started.
So sessions should not prevent you from doing any redirects or other things.
Check out using ob_start() and ob_end_flush() to use output buffering.
I wrote
<?
header("Location:http://example.com");
?>
but Redirect is not occured.
How to redirect?
But I do not have authority to edit php.ini
So safe_mode is on in php.ini
Try:
header("Location: http://example.com");
HTTP headers need to exactly follow the spec. More directly here (Location header):
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30
One possible issue is that there was something got "printed out" before you issue the above code. So check your code so that there is nothing got "echoed" before reached this line.
Two things:
You have to make sure you haven't sent any other HTML before sending your header.
You should also exit or die() after your header() call.
See this post for more detailed information.
You can also use JavaScript to do the redirect but I suspect PHP is probably a better idea in your situation.
Make sure you alway add die() after the header() call. This is extremely important if anything is output below the header() that the user is not supposed to see.
Make sure you have nothing prior to the opening "
If that still doesn't work, are you getting any sort of error message?
Alternatively, use:
<meta http-equiv="refresh" content="0;url=http://foo.com">
somewhere in your <head> section.
Source.