Posted by Mladen Gogala on 12/17/78 11:55
On Mon, 14 Aug 2006 13:42:58 +0200, Rik wrote:
> The fact of the matter is: there is no real reason NOT to use ob_start().
> Hell, it can be very useful. If you're using it to be able to send headers
> without regard to output, it shouldn't be necessary however. The script
> doesn't break, there isn't a real security issue. It's just a sign of your
> coding practices: sloppy.
Actually, not necessarily. I use ob_start() in scripts like this one:
<?php ob_start(); session_start();?>
<html>
<head>
<title>Kill Session</title>
</head>
<body bgcolor="#EFECC7">
<center>
<h2>
Warning: kill session <?=htmlspecialchars($_REQUEST['sid']) ?>, <?=htmlspecialchars($_REQUEST['serial']) ?>?
</h2>
<hr>
<?php
require_once ('config.php');
require_once ('HTML/Form.php');
$DSN = $_SESSION['DSN'];
$invoker = $_SESSION['invoker'];
$db = NewADOConnection("oci8");
// First request arrives via GET, the confirmation form posts back via POST.
if (!empty($_GET['sid'])) {
    $sid = $_GET['sid'];
    $serial = $_GET['serial'];
} else {
    $sid = $_POST['sid'];
    $serial = $_POST['serial'];
}
if (empty($sid)) die("Kill session: sid cannot be empty!");
// sid and serial are interpolated into the statement below, so accept digits only.
if (!ctype_digit((string) $sid) || !ctype_digit((string) $serial)) {
    die("Kill session: sid and serial must be numeric!");
}
$kill = @$_POST['kill'];
if (empty($kill)) {
    // No answer yet: show the Yes/No confirmation form and stop.
    $form = new HTML_Form($_SERVER['PHP_SELF'], "POST");
    $form->addSubmit("kill", "Yes");
    $form->addSubmit("kill", "No");
    $form->addHidden('sid', $sid);
    $form->addHidden('serial', $serial);
    $form->display();
    exit;
}
if (strtolower($kill) != 'yes') {
    // Answered "No": go back to the invoker without touching the session.
    header("Location: $invoker");
    exit;
}
$SQL = "alter system disconnect session '$sid,$serial' immediate";
try {
    $db->Connect($DSN['database'], $DSN['username'], $DSN['password']);
    $rs = $db->Execute($SQL);
    $db->close();
    header("Location: $invoker");
}
catch(Exception $e) {
    die($e->getMessage());
}
?>
</center>
</body>
</html>
Here I deliberately and explicitly send HTML headers in such a way that I
can set the background color and write a line of text in HTML. I don't see
why I would program those things in PHP when HTML is made for presenting
static information in an easy way. PHP was designed to mix freely with
HTML. All I want to do in this script is to print a warning and, if
answered with "yes", kill the session, then go back to the invoker.
Without "ob_start()" in the beginning, I am unable to use the header()
function on Win2k/Apache 2.0.54/PHP 5.1.4. How will ob_start() byte me
later?
--
http://www.mgogala.com
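
An added example, not part of the original post: the same confirm-then-disconnect flow with every header() decision made before any output, so a redirect works without ob_start(), and with sid and serial accepted only as decimal digits because they are interpolated into the statement text. The function names, the returned array shape, the sample requests and the invoker path /sessions.php are assumptions of this example.

```php
<?php
// Added example (not the poster's code). Names and the returned array shape
// are assumptions made for this illustration.

// sid and serial are interpolated into the statement text, so only plain
// decimal digits are let through; anything else is rejected.
function kill_statement(string $sid, string $serial): string
{
    if (!ctype_digit($sid) || !ctype_digit($serial)) {
        throw new InvalidArgumentException('sid and serial must be decimal numbers');
    }
    return "alter system disconnect session '$sid,$serial' immediate";
}

// Decide what the request needs before a single byte of output is produced.
// A redirect can then be sent with header() without output buffering.
function decide(array $get, array $post, string $invoker): array
{
    $src    = !empty($get['sid']) ? $get : $post;
    $sid    = (string) ($src['sid'] ?? '');
    $serial = (string) ($src['serial'] ?? '');
    try {
        $sql = kill_statement($sid, $serial);
    } catch (InvalidArgumentException $e) {
        return ['action' => 'error', 'message' => $e->getMessage()];
    }
    $kill = strtolower((string) ($post['kill'] ?? ''));
    if ($kill === '') {
        // Values are digits only here, but escape at the output boundary anyway.
        $label = htmlspecialchars("$sid, $serial", ENT_QUOTES);
        return ['action' => 'confirm', 'html' => "<h2>Warning: kill session $label?</h2>"];
    }
    if ($kill !== 'yes') {
        return ['action' => 'redirect', 'location' => $invoker];
    }
    return ['action' => 'execute', 'sql' => $sql, 'location' => $invoker];
}

// Constructed sample requests, run from the command line.
$samples = [
    [['sid' => '142', 'serial' => '7731'], []],
    [[], ['sid' => '142', 'serial' => '7731', 'kill' => 'Yes']],
    [[], ['sid' => '142', 'serial' => '7731', 'kill' => 'No']],
    [['sid' => "142'x", 'serial' => '1'], []],   // malformed: rejected
];
foreach ($samples as [$get, $post]) {
    echo json_encode(decide($get, $post, '/sessions.php')), "\n";
}
```

In a page script, the caller would act on the returned action first (send the Location header or run the statement) and only then start emitting the HTML.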