PHP header() function - uses and new restrictions
PHP's header function allows you to change the headers on your returned content, so that (for example):

• The browser receives not HTML but plain text, a .jpg image or a file to save locally. Example: header ('Content-type: Application/Octet-stream');
• You can change a "404" missing response code into a "200" - good. Example: header("HTTP/1.1 200 OK");
• You can send out cache instructions. Example: header("cache-control: no-store");
• You can send out a save file name if you're saving the file. Example: header ('Content-Disposition: attachment; filename="hello.txt"');

However, up until PHP 4.4.2 / PHP 5.1.2 it was prone to injection attacks. If you used a variable within the parameter and your user could set that variable to include a new line character, he could add in any other header at all.

As from the releases above, you should send separate header directives if you want to set multiple headers, as PHP has been altered to take care of the potential security issue and is not backwards compatible over this. There's an example in our "database download to local CSV file" demonstration, which is required to set both a content-type and a content-disposition. Have a look at the source code, in which I have commented out the old and replaced it by the new. The old was producing a message like:

Warning: Header may not contain more than a single header, new line detected. in C:\Domains[part of URL removed]testsite\phpcsv\phptocsv1.php on line 30

Note also with the header function - you may ONLY call it before your PHP script has sent out any content to the browser. This means that it must be in a block of PHP that comes at the very top of your script (no blank lines or spaces before the initial <?php please). See also the ob_start function which, however, I dislike.

(written 2007-05-30 05:27:35)

Associated topics are indexed under H112 - PHP - Further Web Page and Network Handling
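One way to apply the advice above when part of a header comes from the user, as an added example that is not code from the original article or its CSV demonstration: strip newline and other control characters from the value, then send each header with its own header() call. The function names and sample file names are hypothetical.

```php
<?php
// Added example, not from the original article. Function names and the
// sample file names below are hypothetical.

/**
 * Reduce a user-supplied download name to a value that is safe to place
 * inside a quoted Content-Disposition filename parameter.
 */
function safe_download_name(string $requested, string $fallback = 'download.csv'): string
{
    // Drop any path component so only the final name is used
    // (backslashes are normalised first for Windows-style paths).
    $name = basename(str_replace('\\', '/', $requested));

    // Remove CR, LF, NUL and other control characters: these are what
    // let a value end one header line and start another.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);

    // Allow-list what remains; this also removes the double quote, which
    // would otherwise close the quoted filename parameter early.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

    // If nothing usable is left, use a fixed name instead.
    return ($name === '' || $name === '.' || $name === '..') ? $fallback : $name;
}

function send_csv_headers(string $requested): void
{
    if (headers_sent($file, $line)) {
        // header() only works before any output has reached the browser.
        throw new RuntimeException("Output already started at $file:$line");
    }
    // One header() call per header, as PHP 4.4.2 / 5.1.2 and later require.
    header('Content-Type: text/csv');
    header('Content-Disposition: attachment; filename="' . safe_download_name($requested) . '"');
}

// Constructed sample inputs, including values with an embedded CR/LF.
$samples = ["report.csv", "../../etc/passwd", "a.csv\r\nSet-Cookie: x=1", "\r\n"];
foreach ($samples as $s) {
    echo json_encode($s), ' => ', safe_download_name($s), PHP_EOL;
}
```

Run from the command line, the loop prints each constructed input beside its cleaned form; in a web script, call send_csv_headers() at the very top, before any output, and leave the loop out.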
This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.
PH: 01144 1225 708225 • FAX: 01144 1225 707126 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho