Good morning community:
I am currently working on the validation redirection of a system, that is, what happens after the system validates all the data entered and proceeds to give access to the system. In the small projects that I had worked on, I always did it this way:
header('Location: blablabla.php');
However recently a person mentioned that it was safer to do it this way:
header('Location: blablabla.php', true, 301);
exit();
I have been looking for documentation about true, 301 to see why and how safe it is, and I really can't find any information on the web that satisfies me. I appeal to the community for their recommendations.
Happy day
First of all, here is the PHP header manual; next, here is the HTTP "error code".
I will explain: nothing on the page should load before or after a redirection. That's why "exit();" is used: it stops the execution and makes sure that, for example, another header redirection will not be executed.
In turn, as you'll notice from the aforementioned documentation, the error code pertains to, let's say, "a redirect notice" for the browser. Many browsers or browser add-ons detect multiple redirects and block them (due to suspicion of fraudulent sites or advertising abuse).
The "True" is really unnecessary, since it is the default value; you probably use it to "get" to the third argument, which is the error code. You could use "null" without changing the operation.
By default, header sends the parameter replace (where true is sent) as true in case it is not indicated. According to its documentation:
According to the same example, it is possible to send several headers with the same name but with different values:
In the indicated example, 2 headers will be sent, both with the value Negotiate and NTLM. If you want only the headers to be sent as unique, indicate true.
Now, how this would be safer or not would depend on how you're handling headers in your application, something you didn't explain.
Depending on what you're doing, what they suggest is going to be better or just the same.
Why they say it's better: because header doesn't have to be the last command executed on your page. It may be the case that you have more PHP or HTML code after the header and it will be executed and sent to the browser. Let's see some scenarios in which not putting exit (or die) can change the result:
header, the browser may not redirect to the page you expect (it will redirect to the last one);
header, the code will continue to execute and the user will be able to see content that they shouldn't (although a good program structure would prevent this problem);
As you can see, all these scenarios will only apply if there is code after the header, but if the header is the last command on the page, having exit after it or not will not matter because the result will always be the same.
And about the 301, as I put in a comment: the default redirection that header does is a 302 (temporary redirection). If you don't have a compelling reason for it to be a permanent (301) redirect, I'd recommend against doing it that way because it can give you headaches (the browser and ISPs cache it and there's no way to tell them to undo it if it turns out it is not permanent). And if you're doing checks (after submitting a form) I find it hard to believe that what you want is a permanent redirect (it could be the case, but it would be rare).
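
The two behaviours the answers describe (code after header() still runs and reaches the client, and a later Location header replaces an earlier one), as an added example that is not from any of the posts above. The file name demo.php, the routes /leaky, /safe, /login and /dashboard, the redirect() helper and the $loggedIn flag are assumptions made for illustration:

```php
<?php
// demo.php: constructed example. Serve with: php -S 127.0.0.1:8000 demo.php
// The routes and the $loggedIn flag are assumptions, not code from the posts.

$loggedIn = false; // pretend the credential check failed
$route = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);

// Hypothetical helper: send exactly one redirect and stop the script.
function redirect(string $target, int $status = 302): void
{
    if (headers_sent($file, $line)) {
        // Output has already started, so header() can no longer take effect.
        error_log("redirect to $target failed: output began at $file:$line");
        exit;
    }
    header('Location: ' . $target, true, $status); // replace=true is the default
    exit; // nothing after the call site runs or is sent
}

switch ($route) {
    case '/leaky':
        if (!$loggedIn) {
            header('Location: /login');  // status becomes 302, script keeps going
        }
        header('Location: /dashboard');  // replaces the header above: last one wins
        // Still executed: this line travels in the body of the 302 response.
        echo "Account balance: 1234.56 (constructed secret)\n";
        break;

    case '/safe':
        if (!$loggedIn) {
            redirect('/login');          // 302, Location: /login, empty body
        }
        echo "Account balance: 1234.56 (constructed secret)\n";
        break;

    default:
        echo "Login form placeholder\n";
}
```

Requesting /leaky with curl -i returns a 302 with Location: /dashboard and the balance line in the body, while /safe returns a 302 with Location: /login and no body. A browser follows the redirect and hides the /leaky body, so the difference only shows up in the raw response.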