douchen7324 2014-03-29 22:24
浏览 71
已采纳

exit()和header()函数的可靠性用于系统安全性

Okay, so I have some code here: 

<?php session_start();
if (!isset($_SESSION['blah'])) {
header('Location: foo.php'); exit();

}
?>

<!DOCTYPE html>
<html>
<head>
<meta charset = 'utf-8' />
<title>Check Login</title>
</head>
<body>
// members only content here
</body>
</html>

So, I've found a foolproof way around using either headers or exit statements for redirects (by echoing a particular document depending on the value of an if-else statement), but using headers is a lot cleaner than echoing an entire webpage in a heredoc. (I also know I should be using HTTPS for additional security).

I have two questions.

  1. How widespread is browser support for the Location header? I know I can't use it on its own by reading similar questions, but I wouldn't mind knowing anyway.

  2. Also, how reliable is the use of php's exit() function for maintaining system security? Does it always work, or should I just echo a HEREDOC instead when security really matters?

  • 写回答

1条回答 默认 最新

  • dptrmt4366 2014-03-29 22:36
    关注

    Virtually any browser existing today does support Location; However, you should be careful about which status code you send along with it (3rd parameter to header). See rfc2616 sec10 for more information about which code to choose; 303 seems more correct but 302 is better supported.

    How reliable exit() is, really depends on how reliable your server is. If your PHP code is executed, exit() will always abort execution and send the result to the browser. However, a wrongly configured webserver may directly expose your PHP code instead of executing it. This comment explains how you can mitigate this problem.

     

    As for following the specs, rfc2616 sec10 says:

    Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).

    You can implement this by not using exit() but using die('<a href="foo.php">You are redirected.</a>') instead.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 R语言Rstudio突然无法启动
  • ¥15 关于#matlab#的问题:提取2个图像的变量作为另外一个图像像元的移动量,计算新的位置创建新的图像并提取第二个图像的变量到新的图像
  • ¥15 改算法,照着压缩包里边,参考其他代码封装的格式 写到main函数里
  • ¥15 用windows做服务的同志有吗
  • ¥60 求一个简单的网页(标签-安全|关键词-上传)
  • ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值