You know that if you want to redirect an user in PHP you can use the header function:
你知道如果你想重定向一个用户在PHP中你可以使用头函数:
header('Location: http://smowhere.com');
It is also well known that it is a good practice to put also an exit;
after the header
call, to prevent execution of other php code. So my question is: could the code after the header-location call be effectively executed? In which cases? Can a malicious user be able to completely ignore the header('Location..')
call? How?
众所周知,把它也放出来也是一种很好的做法;在头调用之后,防止执行其他php代码。所以我的问题是:头-位置调用之后的代码能否有效地执行?在这种情况下吗?恶意用户可以完全忽略header(“Location..”)调用吗?如何?
6 个解决方案
#1
55
could the code after the header-location call be effectively executed?
头-位置调用后的代码能否有效地执行?
Yes, always. The header
is only a line of data asking the browser to redirect. The rest of the page will still be served by PHP and can be looked at by the client by simply preventing the header
command from executing.
是的,总是这样。页眉仅仅是请求浏览器重定向的一行数据。页面的其余部分仍然由PHP提供,客户端可以通过简单地阻止header命令的执行来查看。
That is easy enough to do with a command-line client like wget
, for example, by simply telling it not to follow redirects.
这对于像wget这样的命令行客户机来说非常简单,只需告诉它不要跟随重定向。
Bottom line: If you don't prevent it, PHP will send out the whole body even after a header
call. That body is fully available to the recipient without any special hacking skills.
底线:如果您不阻止它,PHP将发送整个主体,即使在头调用之后。不需要任何特殊的黑客技能,接受者完全可以使用这个身体。
#2
25
If you redirect but you don't die()
/ exit()
the code is always executed and displayed.
如果重定向,但没有die() / exit(),则始终执行和显示代码。
Take the following example:
下面的例子:
admin.php:
admin.php:
if (authenticationFails)
{
// redirect and don't die
}
// show admin stuff
If you don't make sure to end the execution after the location header every user will gain access.
如果您不能确保在位置标头之后结束执行,那么每个用户都将获得访问权。
#3
8
header()
instructs PHP that a HTTP header should be sent... When the HTTP headers are sent.
header()指示PHP应该发送一个HTTP报头……发送HTTP报头时。
And those are not sent immediatly when you write the call to header(), but when it's time to send them (typically, when PHP needs to begin sending the body of the response -- which might be later than you think, when output_buffering
is enabed).
当您将调用写入header()时,并没有立即发送这些消息,但是在发送它们的时候(通常,当PHP需要开始发送响应的主体时,当output_buffering被启用时,它可能比您认为的要晚一些)。
So, if you just call header()
, there is absolutly ne guarantee that the code written after this statement is not executed -- unless you indicate that it must not, by using exit
/die
.
因此,如果您只是调用header(),那么绝对可以保证在此语句之后编写的代码不会被执行——除非您指出它不能使用exit/die。
The user can ignore the Location
header if he wants ; but it will not change anything on the fact that the code after the call of header()
might or might not be executed : that matter is server-side.
如果用户需要,可以忽略位置标头;但是它不会改变任何事实,即在调用header()之后的代码可能会执行,也可能不会执行:这是服务器端问题。
#4
1
PHP Code after a header() will be run. Sometimes, that is required though, as the example on php.net shows. To make sure it's not, you end the program flow entirely.
将在header()之后运行PHP代码。但有时这是必需的,就像php.net上的示例所示。为了确保它不是,您完全终止程序流。
#5
1
re: could the code after the header-location call be effectively executed?
re: header-location调用后的代码能否有效执行?
Yes if you don't close the script.
是的,如果你不关闭脚本。
re: In which cases?
再保险:在这种情况下吗?
In every case.
在每一个案例。
Can a malicious user be able to completely ignore the header('Location..') call?
恶意用户可以完全忽略header(“Location..”)调用吗?
No, it will get exacted the user has no say in the matter.
不,它会被要求用户在这件事上没有发言权。
#6
1
Without the exit call, the exact point/time at which your script will terminate will come down to two factors:
如果没有退出调用,您的脚本将终止的确切点/时间将归结为两个因素:
- How quickly the client browser reacts to the redirect
- 客户机浏览器对重定向的反应有多快
- How much time it takes the rest of your script to execute.
- 执行脚本剩下的时间。
Let's say the browser IMMEDIATELY starts the redirect action the moment it sees the Location header come through. That means it will shut down the connection from which the redirect comes, so it can start connecting to the new location. This generally means the web server will terminate the redirecting script. However long it takes for the header to go from server->client and the TCP link shutdown process to go from client->server is the amount of time in which your script can keep running.
假设浏览器在看到位置标头时立即启动重定向操作。这意味着它将关闭重定向来自的连接,因此它可以开始连接到新的位置。这通常意味着web服务器将终止重定向脚本。无论头从服务器到>客户端需要多长时间,从客户端到TCP链接关闭过程需要多长时间,>服务器都是脚本可以持续运行的时间。
#1
55
could the code after the header-location call be effectively executed?
头-位置调用后的代码能否有效地执行?
Yes, always. The header
is only a line of data asking the browser to redirect. The rest of the page will still be served by PHP and can be looked at by the client by simply preventing the header
command from executing.
是的,总是这样。页眉仅仅是请求浏览器重定向的一行数据。页面的其余部分仍然由PHP提供,客户端可以通过简单地阻止header命令的执行来查看。
That is easy enough to do with a command-line client like wget
, for example, by simply telling it not to follow redirects.
这对于像wget这样的命令行客户机来说非常简单,只需告诉它不要跟随重定向。
Bottom line: If you don't prevent it, PHP will send out the whole body even after a header
call. That body is fully available to the recipient without any special hacking skills.
底线:如果您不阻止它,PHP将发送整个主体,即使在头调用之后。不需要任何特殊的黑客技能,接受者完全可以使用这个身体。
#2
25
If you redirect but you don't die()
/ exit()
the code is always executed and displayed.
如果重定向,但没有die() / exit(),则始终执行和显示代码。
Take the following example:
下面的例子:
admin.php:
admin.php:
if (authenticationFails)
{
// redirect and don't die
}
// show admin stuff
If you don't make sure to end the execution after the location header every user will gain access.
如果您不能确保在位置标头之后结束执行,那么每个用户都将获得访问权。
#3
8
header()
instructs PHP that a HTTP header should be sent... When the HTTP headers are sent.
header()指示PHP应该发送一个HTTP报头……发送HTTP报头时。
And those are not sent immediatly when you write the call to header(), but when it's time to send them (typically, when PHP needs to begin sending the body of the response -- which might be later than you think, when output_buffering
is enabed).
当您将调用写入header()时,并没有立即发送这些消息,但是在发送它们的时候(通常,当PHP需要开始发送响应的主体时,当output_buffering被启用时,它可能比您认为的要晚一些)。
So, if you just call header()
, there is absolutly ne guarantee that the code written after this statement is not executed -- unless you indicate that it must not, by using exit
/die
.
因此,如果您只是调用header(),那么绝对可以保证在此语句之后编写的代码不会被执行——除非您指出它不能使用exit/die。
The user can ignore the Location
header if he wants ; but it will not change anything on the fact that the code after the call of header()
might or might not be executed : that matter is server-side.
如果用户需要,可以忽略位置标头;但是它不会改变任何事实,即在调用header()之后的代码可能会执行,也可能不会执行:这是服务器端问题。
#4
1
PHP Code after a header() will be run. Sometimes, that is required though, as the example on php.net shows. To make sure it's not, you end the program flow entirely.
将在header()之后运行PHP代码。但有时这是必需的,就像php.net上的示例所示。为了确保它不是,您完全终止程序流。
#5
1
re: could the code after the header-location call be effectively executed?
re: header-location调用后的代码能否有效执行?
Yes if you don't close the script.
是的,如果你不关闭脚本。
re: In which cases?
再保险:在这种情况下吗?
In every case.
在每一个案例。
Can a malicious user be able to completely ignore the header('Location..') call?
恶意用户可以完全忽略header(“Location..”)调用吗?
No, it will get exacted the user has no say in the matter.
不,它会被要求用户在这件事上没有发言权。
#6
1
Without the exit call, the exact point/time at which your script will terminate will come down to two factors:
如果没有退出调用,您的脚本将终止的确切点/时间将归结为两个因素:
- How quickly the client browser reacts to the redirect
- 客户机浏览器对重定向的反应有多快
- How much time it takes the rest of your script to execute.
- 执行脚本剩下的时间。
Let's say the browser IMMEDIATELY starts the redirect action the moment it sees the Location header come through. That means it will shut down the connection from which the redirect comes, so it can start connecting to the new location. This generally means the web server will terminate the redirecting script. However long it takes for the header to go from server->client and the TCP link shutdown process to go from client->server is the amount of time in which your script can keep running.
假设浏览器在看到位置标头时立即启动重定向操作。这意味着它将关闭重定向来自的连接,因此它可以开始连接到新的位置。这通常意味着web服务器将终止重定向脚本。无论头从服务器到>客户端需要多长时间,从客户端到TCP链接关闭过程需要多长时间,>服务器都是脚本可以持续运行的时间。