Login/Register
PHP: Utilizing exit(); or die(); after header("Location: "); [duplicate]
Asked Answered
Solved phpexitdie
P

6

20

I have a user login/registration system that simply uses

// execute queries, set cookies, etc. here
header("Location: " . getenv("HTTP_REFERER"));

I recently read a post about exit(); and die(); and had no idea that I was supposed to be using these. From what I understand, they make it end the PHP? Is that correct? What's the best way I can work toward this, simply adding one of these functions directly after ever header(); execution I have?

I have AJAX, jQuery reading through my login.php/register.php, will this be affect in any way?

Edit: Other than after header();, where else should I be usitilizing the exit(); or die(); functions? And is exit(); more used around PHP whereas die(); more used around Perl?

Pfeifer answered 29/12, 2011 at 9:26 Comment(5)
What do you mean by 'AJAX reading through your register.php'? Can you post some code?Bores
My register.php checks if a form was submitted to it, then reads through the inputs, and using AJAX $.post(); it returns any errors found in register.php into the HTML for the user to see.Pfeifer
It doesn't particularly matter if you use die or exit as long as you use one of them.Lefler
I tend to use exit when it's part of a normal script behavior and die when debugging. I have seen others use this convention too. They do the same thing, but the convention is useful.Equidistant
I like one-liners so die(header("location: {$url}"));.Infusive
F
40

I have been looking for an answer on this as well. What I found:

Why die() or exit():

If you don't put a die() or exit() after your header('Location: http://something') your script may continue resulting in unexpected behaviour. This may for example result in content being disclosed that you actually wanted to prevent with the redirect (HTTP 301). The aforementioned may not directly be visible for an end user as the browser may not render it (due to the 301). Conclusion, the exit() and die() functions stop the script from continuing.

Difference:

I also wanted to know the difference between the functions as it seems there is none. However, in PHP, there is a distinct difference in Header output. In the examples below I chose to use a different header but for sake of showing the difference between exit() and die() that doesn't matter.

Exit() in action

<?php
    header('HTTP/1.1 304 Not Modified');
    exit();
?>

Results in:

HTTP/1.1 304 Not Modified 
Connection: Keep-Alive 
Keep-Alive: timeout=5, max=100

Die() in action

<?php
    header('HTTP/1.1 304 Not Modified');
    die();
?>

Results in:

HTTP/1.1 304 Not Modified 
Connection: close

Difference

So, die() closes the connection and exit() doesn't. It depends on performance whether or not you want to keep the connection open or close it. Both have advantages and disadvantages and depends on your specific requirement(s).

HTTP persistent connections on Wiki

Footrest answered 5/1, 2014 at 10:31 Comment(6)
My HTTP knowledge is a bit hazy at this stage of the semester - when we pull a 301, the browser will (usually; i.e. a correct spec one) close the connection and open another get request, will it not? Or will it use the existing connection to request again?Nimesh
You can also join it with exit(header('Location: xxxxx.php'));Sigil
exit and die are identicalNeoplatonism
Just tested it and exit and die work the same way, they both close connection.Gravamen
Downvoted, since die and exit truly are identical.Infusive
php.net/manual/en/function.die.php Die() is equivalent to exit(). Does it close connection or not, depends on other conditions.Candlepower
W
11

http://php.net/manual/en/function.exit.php

http://php.net/manual/en/function.die.php

This functions are used to interrupt script execution. You need to use exit or die to stop execution of your script after header("Location: " . getenv("HTTP_REFERER"));, because, in other case, your script will be executed till the end, what can cause some unexpected behavior.

Wakerobin answered 29/12, 2011 at 9:32 Comment(0)
C
4

Answer has already been accepted however it seems everyone is missing the glaring WTF in the question:

header("Location: " . getenv("HTTP_REFERER"));

  1. Returning a referer is optional on the part of the user agent

  2. it can easily be faked

  3. there is no method for telling the user the login has failed

  4. there is no HTTP semantic communication of an authentication failure

  5. while the environment variable HTTP_REFERER should be the same as the request header variable, it is not specified in RFC 3875, therefore even where presented to the webserver in the request, getenv("HTTP_REFERER") may return a different value

Carmagnole answered 29/12, 2011 at 13:8 Comment(2)
In my login.php I have it check if a user has successfully logged in with proper credentials - if so it will set a cookie - then header("Location"); to the referral page. In this way, no matter where they are on the site, when the logon, it will take them back to the page they logged in at instead of taking them to the main page or login.php. Is there a better method than this then?Pfeifer
Drop a cookie with the intended page URL before rendering the login page, or pass the URL as a $_GET var, or store the intended URL in the sessionCarmagnole
H
2

Ok, it has been a long time since the last answer was given. Anyway :D somehow I stumbled across a similar prob and see what my solution was:

die( Header( "Location: mytarget.php?arg1=foobar" ) );

Two birds with one stone - seems to work for me.

Harty answered 20/3, 2017 at 23:4 Comment(1)
This will keep return value from header() function in a temporary variable, which is passed to die(). It works, because the return value from header() is always null. Another difference is that it doesn't allow debuggers to create breakpoints between die() and header() calls.Corabella
T
0
for($i = 0; $i < 10; $i++)
{
    if ($i == 2)
    {
        exit("\n Using exit(), We are done");
    }
}

Now let us look at the same example using die();

for($i = 0; $i < 10; $i++)
{
    if ($i == 2)
    {
        die("\n Using die(), We are done");
    }
}

The output for each of these will be: “Using exit(), We are done Using die(), We are done” respectively. Now let us try each of these to output a number.

for($i = 0; $i < 10; $i++)
{
    if ($i == 2)
    {
        exit(-1);
    }
}

Looking at the output for the same example using die();

for($i = 0; $i < 10; $i++)
{
    if ($i == 2)
    {
        die(-1);
    }
}

These examples were edited using a textpad editor. The output for both the above cases were “Tool completed with exit code -1”.

So, the honest answer to the question “What is difference between die() and exit() in php” IS – There is not a single visible difference between these two functions. They both are the same, one is the alias of the other. If at all any one of you can find a real visible difference then I would appreciate if you could post it in the comments section of this blog.

Toxinantitoxin answered 20/8, 2019 at 7:13 Comment(0)
P
-2

When header() is called at the end of a script, there's no need to call exit(), nor die() since:

The link to the server will be closed as soon as the execution of the script ends, unless it's closed earlier by explicitly calling mysql_close(). - php.net/function.mysql-connect

Psychodiagnosis answered 14/4, 2014 at 13:17 Comment(2)
It's absolutely crucial to exit or die after sending a Location header, since you cannot guarantee that your header will actually be respected. Have a good read about what can go wrong.Cracknel
The problem with not exiting after issuing a Location header is that the script may execute more statements that the engineer does not expect. The script may be terminated by the web server based on the browser stopping the page load, but that cannot be relied upon.Sphygmic

© 2022 - 2024 — McMap. All rights reserved.