Applicable version: PHP 4, PHP 5, PHP 7.
void header (string $string [, bool $replace = true [, int $http_response_code]])
Purpose: header() is used to send an HTTP header in raw form.
Remember that header() must be called before sending anything to the output such as HTML tags, blank lines in a file, or PHP. This is a very common error when reading code with include or require, file access functions or functions, and there are spaces or blank lines in the output before header() is called. The same problem is encountered when using PHP/HTML files.
<html> <?php /* An error is generated here because the <html> tag appears * before the header() call */ header('Location:http://www.example.com/'); exit; ?>
There are two special header calls. The first case is a string containing "HTTP /" (not much), which will be used to configure in addition to the HTTP status code to send. For example, if you configure Apache to use PHP scripts to handle requests for missing files (using the ErrorDocument directive) then you may want to make sure that your script generates status code. suitable. For example:
<?php header("HTTP / 1.0 404 Not Found"); ?>
The second special case is the string containing "Location:". This directive not only sends the header back to the browser but also returns the REDIRECT status code (302) unless the 201 or 3xx status code has been previously set. For example:
<?php header("Location: http://www.example.com/"); / * Send directly to the browser * / / * Make sure that the code below is not executed while navigating. * / exit; ?>
This optional parameter specifies whether the header should replace the previous one, or add a second header of the same type. By default, it takes over, but if we pass the value FALSE to this argument we can set many other headers of the same type. For example:
<?php header('WWW-Authenticate: Negotiate'); header('WWW-Authenticate: NTLM', false); ?>
This parameter generates an HTTP response code with a specified value. Note that this parameter only takes effect if the string parameter is not empty.
header() has no return value.
5.1.2 The current version can prevent the unauthorized sending of multiple headers at the same time to protect against injection attacks against the header.
Example 1: Download dialog box
If you want to remind the user that you need to save the data you are sending, such as a PDF file, then you use the Content-Disposition header to provide a recommended filename and ask the browser to display an archive dialog.
<?php // Output a PDF file header('Content-Type: application/pdf'); // Call downloaded.pdf file header('Content-Disposition: attachment; filename="downloaded.pdf"'); // The source PDF is original.pdf readfile('original.pdf'); ?>
Example 2: Buffer directives
PHP scripts usually generate dynamic content but are not buffered in the client browser or any proxy caching between the client browser and the server. Many proxies and clients can be forced to prohibit caching by the following:
<?php header("Cache-Control: no-cache, must-revalidate"); // HTTP / 1.1 header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Expiration date ?>
Note that you may notice that your pages are not padded even though you are not using the above headers. There are many options that users can allow to configure for the browser to be able to perform buffering by default. By sending the above headers we need to override the settings so that our page is buffered in the browser cache.
Alternatively, the use of the session_cache_limiter() function and the session.cache_limiter configuration setting can be used to dynamically generate standard buffer headers when we use sessions.
Notes on using header()
- The headers will only be accessible and used when a SAPI that supports them is being used.
We can use the output buffer to accomplish this at the expense of all of your output to the browser cached on the server until you send it. We can do this by calling the ob_start() and ob_end_flush() functions in the script, or by setting the output_buffering configuration directive in the php.ini or server configuration files.
The HTTP status header line will always be sent to the first client regardless of whether we call the first actualheader() function or not. The state can be overridden by calling header() with a new status line at any time unless the HTTP headers have already been sent.
- If safe mode is enabled, the script and will be added to the realm part of the WWW-Authenticate header if you set this header (used for HTTP Authentication).
Most customers today take relative URIs as Location's arguments, but there are a few guests that might require absolute URIs that include the scheme, hostname, and absolute path. Therefore, we can use $ _SERVER ['HTTP_HOST'], $ _SERVER ['PHP_SELF'] and dirname() to generate the absolute URI from like this:
<?php / * Redirects to another page in the current directory requested * / $host = $_SERVER['HTTP_HOST']; $uri = rtrim(dirname($_SERVER['PHP_SELF']), '/ \\'); $extra = 'mypage.php'; header ("Location: http://$host$uri/$extra"); exit; ?>
Session ID is not transmitted using the Location header even when session.use_trans_sid is enabled, but it must be passed using the constant SID.
More: php header()