Header Redirect to a page after validating PHP


Good morning community:

I am currently working on a system, the validation redirect, that is, after the system validates all the data entered and proceeds to give access to the system, it always did it in the small projects that I had worked in this way:

header('Location: blablabla.php');

However, a person recently mentioned that it was safer to do it this way:

header('Location: blablabla.php', true, 301);

I've been looking for documentation about true, 301 to see why and how safe it is and I really do not get any information on the web that satisfies me, I appeal to the community for their recommendations.

Happy day

asked by Luis Alfredo Serrano Díaz 07.05.2018 в 14:33

3 answers


Depending on what you are doing, what you are suggesting will be better or just the same.

Why they say it's better: because the header does not have to be the last command to run on your page. It may be the case that you have more PHP or HTML code after header and it will be executed and sent to the browser. Let's see some scenarios in which not putting exit (or die ) can change the result:

  • If in the code that comes after there is another header , the browser may not redirect to the page you expect (it will be redirected to the last one);
  • If an error occurs with the header , the code will continue to run and the user can see content that should not (although a good program structure would avoid this problem);
  • If the user deactivates the Location header (in which case, what is mentioned in the previous case would occur).

As you can see, all those scenarios will only apply if there is code after the header but if the header is the last command on the page, have exit after or not, it will give equal because the result will always be the same.

And about 301, as I put you in a comment: the default redirection that makes header is a 302 (temporary redirect). If you do not have a strong reason to be a permanent redirect (301), I would recommend that you do not do so because it can give you headaches (the browser and ISPs cache him and there is no way to tell them to undo it if it turns out that It is not permanent). And if you are doing verifications (after sending a form) I can not believe that what you want is a permanent redirect (it could be the case, but it would be weird).

answered by 07.05.2018 / 15:33

First of all here is the PHP header manual , next here is the" error code "HTTP .

Step to explain, nothing on the page should be loaded before or after a redirect, that's why it is used in "exit ();", is to cut the execution and make sure that no other header redirection will be executed for example .

In turn, as you will notice from the aforementioned documentation, the error code belongs to let's say "a redirection notice" for the browser. Many browsers or add-ons for them detect multiple redirections and block them (due to suspicion of fraudulent sites or abuse of advertising).

The "True" is really unnecessary, since it is the default value, surely it uses it to "arrive" at the third argument that is the error code, it could use "null" without changing the operation.

answered by 07.05.2018 в 14:53

By default header sends the parameter replace (where the true is sent) as true in case it is not indicated.

According to your documentation :


Parameter replace optional indicates whether the header should replace   a similar previous header or add a second header of the   same kind. By default, it will be replaced, but if you pass FALSE as second   argument, you can force multiple headers of the same type.

According to the same example, you can send several headers with the same name but with different values:

header('WWW-Authenticate: Negotiate');
header('WWW-Authenticate: NTLM', false);

In the indicated example, 2 headers will be sent with both the Negotiate and NTLM . If you want only the headers to be sent as unique, indicate true .

Now, how would this be more secure or not depend on how you are managing the headers in your application, something you did not explain.

answered by 07.05.2018 в 14:54