headers_list

header_remove

[edit] Last updated: Fri, 02 Aug 2013

header

(PHP 4, PHP 5)

header — Send a raw HTTP header

Description

void header ( string $string [, bool $replace = true [, int $http_response_code ]] )

header() is used to send a raw HTTP header. See the » HTTP/1.1 specification for more information on HTTP headers.

Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include, or require, functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.


<html>
<?php
/* This will give an error. Note the output
 * above, which is before the header() call */
header('Location: http://www.example.com/');
exit;
?>

Parameters

string

The header string.

There are two special-case header calls. The first is a header that starts with the string "HTTP/" (case is not significant), which will be used to figure out the HTTP status code to send. For example, if you have configured Apache to use a PHP script to handle requests for missing files (using the ErrorDocument directive), you may want to make sure that your script generates the proper status code.


<?php
header("HTTP/1.0 404 Not Found");
?>

The second special case is the "Location:" header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless the 201 or a 3xx status code has already been set.


<?php
header("Location: http://www.example.com/"); /* Redirect browser */

/* Make sure that code below does not get executed when we redirect. */
exit;
?>

replace

The optional replace parameter indicates whether the header should replace a previous similar header, or add a second header of the same type. By default it will replace, but if you pass in FALSE as the second argument you can force multiple headers of the same type. For example:


<?php
header('WWW-Authenticate: Negotiate');
header('WWW-Authenticate: NTLM', false);
?>

http_response_code

Forces the HTTP response code to the specified value. Note that this parameter only has an effect if the string is not empty.

Return Values

No value is returned.

Changelog

Version	Description
4.4.2 and 5.1.2	This function now prevents more than one header to be sent at once as a protection against header injection attacks.
4.3.0	The `http_response_code` parameter was added.
4.0.4	The `replace` parameter was added.

Examples

Example #1 Download dialog

If you want the user to be prompted to save the data you are sending, such as a generated PDF file, you can use the » Content-Disposition header to supply a recommended filename and force the browser to display the save dialog.


<?php
// We'll be outputting a PDF
header('Content-type: application/pdf');

// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');

// The PDF source is in original.pdf
readfile('original.pdf');
?>

Example #2 Caching directives

PHP scripts often generate dynamic content that must not be cached by the client browser or any proxy caches between the server and the client browser. Many proxies and clients can be forced to disable caching with:


<?php
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
?>

Note:
You may find that your pages aren't cached even if you don't output all of the headers above. There are a number of options that users may be able to set for their browser that change its default caching behavior. By sending the headers above, you should override any settings that may otherwise cause the output of your script to be cached.

Additionally, session_cache_limiter() and the session.cache_limiter configuration setting can be used to automatically generate the correct caching-related headers when sessions are being used.

Notes

Note:
Headers will only be accessible and output when a SAPI that supports them is in use.

Note:
You can use output buffering to get around this problem, with the overhead of all of your output to the browser being buffered in the server until you send it. You can do this by calling ob_start() and ob_end_flush() in your script, or setting the output_buffering configuration directive on in your php.ini or server configuration files.

Note:
The HTTP status header line will always be the first sent to the client, regardless of the actual header() call being the first or not. The status may be overridden by calling header() with a new status line at any time unless the HTTP headers have already been sent.

Note:
There is a bug in Microsoft Internet Explorer 4.01 that prevents this from working. There is no workaround. There is also a bug in Microsoft Internet Explorer 5.5 that interferes with this, which can be resolved by upgrading to Service Pack 2 or later.

Note: If safe mode is enabled the uid of the script is added to the realm part of the WWW-Authenticate header if you set this header (used for HTTP Authentication).

Note:
HTTP/1.1 requires an absolute URI as argument to » Location: including the scheme, hostname and absolute path, but some clients accept relative URIs. You can usually use $_SERVER['HTTP_HOST'], $_SERVER['PHP_SELF'] and dirname() to make an absolute URI from a relative one yourself:

<?php /* Redirect to a different page in the current directory that was requested */ $host = $_SERVER['HTTP_HOST']; $uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\'); $extra = 'mypage.php'; header("Location: http://$host$uri/$extra"); exit; ?>

Note:
Session ID is not passed with Location header even if session.use_trans_sid is enabled. It must by passed manually using SID constant.


If you haven't used, HTTP Response 204 can be very convenient. 204 tells the server to immediately termiante this request. This is helpful if you want a javascript (or similar) client-side function to execute a server-side function without refreshing or changing the current webpage. Great for updating database, setting global variables, etc.




     header("status: 204");  (or the other call)


     header("HTTP/1.0 204 No Response");

down

shutout2730 at yahoo dot com ¶

4 years ago


It is important to note that headers are actually sent when the first byte is output to the browser. If you are replacing headers in your scripts, this means that the placement of echo/print statements and output buffers may actually impact which headers are sent. In the case of redirects, if you forget to terminate your script after sending the header, adding a buffer or sending a character may change which page your users are sent to.



This redirects to 2.html since the second header replaces the first.



<?php

header("location: 1.html"); 

header("location: 2.html"); //replaces 1.html

?>



This redirects to 1.html since the header is sent as soon as the echo happens. You also won't see any "headers already sent" errors because the browser follows the redirect before it can display the error.



<?php

header("location: 1.html");

echo "send data"; 

header("location: 2.html"); //1.html already sent 

?>



Wrapping the previous example in an output buffer actually changes the behavior of the script! This is because headers aren't sent until the output buffer is flushed.



<?php

ob_start();

header("location: 1.html"); 

echo "send data"; 

header("location: 2.html"); //replaces 1.html

ob_end_flush(); //now the headers are sent

?>

down

greg dot jones at senokian dot com ¶

6 years ago


In case anyone else is having trouble:

using a web-server behind the pound load balancer, we found that trying to redirect to https://example.com for requests to http://example.com were getting into an infinite loop because pound, by default, 'fixes' changes of protocol for you. You want to set RewriteLocation to 0 to turn this behaviour off.

down

blinki bill ¶

5 years ago


if you are planing to make a download script like this one:



<?php

$mm_type="application/octet-stream";



header("Cache-Control: public, must-revalidate");

header("Pragma: hack");

header("Content-Type: " . $mm_type);

header("Content-Length: " .(string)(filesize($fullpath)) );

header('Content-Disposition: attachment; filename="'.$filename.'"');

header("Content-Transfer-Encoding: binary\n");

                  

readfile($fullpath);

?>



you will notice that the zip files becomes invalid after download, thats because all files downloaded starts with empty line which is a problem for the zip files

This can be fixed with adding ob_start() at the beginning of the script and od_end_clean() just before the readfile()

down

nobileelpirata at hotmail dot com ¶

6 years ago


This is the Headers to force a browser to use fresh content (no caching) in HTTP/1.0 and HTTP/1.1:




<?PHP


header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );


header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );


header( 'Cache-Control: no-store, no-cache, must-revalidate' );


header( 'Cache-Control: post-check=0, pre-check=0', false );


header( 'Pragma: no-cache' );




?>

down

mandor at mandor dot net ¶

7 years ago


When using PHP to output an image, it won't be cached by the client so if you don't want them to download the image each time they reload the page, you will need to emulate part of the HTTP protocol.



Here's how:



<?php



    // Test image.

    $fn = '/test/foo.png';



    // Getting headers sent by the client.

    $headers = apache_request_headers(); 



    // Checking if the client is validating his cache and if it is current.

    if (isset($headers['If-Modified-Since']) && (strtotime($headers['If-Modified-Since']) == filemtime($fn))) {

        // Client's cache IS current, so we just respond '304 Not Modified'.

        header('Last-Modified: '.gmdate('D, d M Y H:i:s', filemtime($fn)).' GMT', true, 304);

    } else {

        // Image not cached or cache outdated, we respond '200 OK' and output the image.

        header('Last-Modified: '.gmdate('D, d M Y H:i:s', filemtime($fn)).' GMT', true, 200);

        header('Content-Length: '.filesize($fn));

        header('Content-Type: image/png');

        print file_get_contents($fn);

    }



?>



That way foo.png will be properly cached by the client and you'll save bandwith. :)

down

ondrew at quick dot cz ¶

8 years ago


How to force browser to use already downloaded and cached file.



If you have images in DB, they will reload each time user views them. To prevent this, web server must identify each file with ID.



When sending a file, web server attaches ID of the file in header called ETag.

header("ETag: \"uniqueID\");



When requesting file, browser checks if the file was already downloaded. If cached file is found, server sends the ID with the file request to server.



Server checks if the IDs match and if they do, sends back 

header("HTTP/1.1 304 Not Modified");

else

Server sends the file normally.



<?php



  $file = getFileFromDB();



  // generate unique ID

  $hash = md5($file['contents']);

    

  $headers = getallheaders();

    

  // if Browser sent ID, we check if they match

  if (ereg($hash, $headers['If-None-Match']))

  {

    header('HTTP/1.1 304 Not Modified');

  }

  else

  {

    header("ETag: \"{$hash}\"");

    header("Accept-Ranges: bytes");

    header("Content-Length: ".strlen($file['content']));

    header("Content-Type: {$mime}");

    header("Content-Disposition: inline; filename=\"{$file['filename']}\";");



    echo $file['content'];

  }

  exit();

?>

down

ben at indietorrent dot org ¶

1 year ago


Be aware that sending binary files to the user-agent (browser) over an encrypted connection (SSL/TLS) will fail in IE (Internet Explorer) versions 5, 6, 7, and 8 if any of the following headers is included:



Cache-control:no-store

Cache-control:no-cache



See: http://support.microsoft.com/kb/323308



Workaround: do not send those headers.



Also, be aware that IE versions 5, 6, 7, and 8 double-compress already-compressed files and do not reverse the process correctly, so ZIP files and similar are corrupted on download.



Workaround: disable compression (beyond text/html) for these particular versions of IE, e.g., using Apache's "BrowserMatch" directive. The following example disables compression in all versions of IE:



BrowserMatch ".*MSIE.*" gzip-only-text/html

down

stevenwebster at gmail dot com ¶

5 years ago


These functions turn on SSL, and turn off SSL. The Redirect function is also good to use for all redirects... tries PHP, then Java, then HTML for redirects.



Here are the improved functions... had an error in the  one I posted yesterday if you guys could please delete that one.



<?php

//This works in 5.2.3

//First function turns SSL on if it is off.

//Second function detects if SSL is on, if it is, turns it off.



//==== Redirect... Try PHP header redirect, then Java redirect, then try http redirect.:

function redirect($url){

    if (!headers_sent()){    //If headers not sent yet... then do php redirect

        header('Location: '.$url); exit;

    }else{                    //If headers are sent... do java redirect... if java disabled, do html redirect.

        echo '<script type="text/javascript">';

        echo 'window.location.href="'.$url.'";';

        echo '</script>';

        echo '<noscript>';

        echo '<meta http-equiv="refresh" content="0;url='.$url.'" />';

        echo '</noscript>'; exit;

    }

}//==== End -- Redirect



//==== Turn on HTTPS - Detect if HTTPS, if not on, then turn on HTTPS:

function SSLon(){

    if($_SERVER['HTTPS'] != 'on'){

        $url = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];

        redirect($url);

    }

}//==== End -- Turn On HTTPS



//==== Turn Off HTTPS -- Detect if HTTPS, if so, then turn off HTTPS:

function SSLoff(){

    if($_SERVER['HTTPS'] == 'on'){

        $url = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];

        redirect($url);

    }

}//==== End -- Turn Off HTTPS

?>

down

bholbrook at servillian dot com ¶

5 years ago


The first element of the header (i.e. "Location") is case sensitive depending on the browser. In IE7, <?php header("location:http://www.example.com"); ?> does not work as expected whereas <?php header ("Location:http://www.example.com"); ?> does work as expected.




For a full list of headers and their values go here: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

down

mzheng[no-spam-thx] at ariba dot com ¶

4 years ago


For large files (100+ MBs), I found that it is essential to flush the file content ASAP, otherwise the download dialog doesn't show until a long time or never. 



<?php

header("Content-Disposition: attachment; filename=" . urlencode($file));    

header("Content-Type: application/force-download");

header("Content-Type: application/octet-stream");

header("Content-Type: application/download");

header("Content-Description: File Transfer");             

header("Content-Length: " . filesize($file));

flush(); // this doesn't really matter.



$fp = fopen($file, "r"); 

while (!feof($fp))

{

    echo fread($fp, 65536); 

    flush(); // this is essential for large downloads

}  

fclose($fp); 

?>

down

mjt at jpeto dot net ¶

4 years ago


I strongly recommend, that you use




header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found");




instead of 




header("HTTP/1.1 404 Not Found");




I had big troubles with an Apache/2.0.59 (Unix) answering in HTTP/1.0 while I (accidentially) added a "HTTP/1.1 200 Ok" - Header.




Most of the pages were displayed correct, but on some of them apache added weird content to it:




A 4-digits HexCode on top of the page (before any output of my php script), seems to be some kind of checksum, because it changes from page to page and browser to browser. (same code for same page and browser)




"0" at the bottom of the page (after the complete output of my php script) 




It took me quite a while to find out about the wrong protocol in the HTTP-header.

down

Justin S ¶

3 years ago


If you want to ENABLE cache:

<?php

// seconds, minutes, hours, days

$expires = 60*60*24*14;

header("Pragma: public");

header("Cache-Control: maxage=".$expires);

header('Expires: ' . gmdate('D, d M Y H:i:s', time()+$expires) . ' GMT');

?>

down

audvare at gmail dot com ¶

2 years ago


Hide away your environment information (if you cannot do this at server level):



<?php

header('Server: ');

header('X-Powered-By: ');

?>



Why? Attackers are ALWAYS looking for servers with old versions running to exploit unpatched vulnerabilities. Now let's see what a typical server says:



Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_fcgid/2.3.5 Phusion_Passenger/2.2.15 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635



I have so much information from this it's incredible.

Apache 2.2.17 on a Unix-style distro (instead of Windows)

mod_ssl 2.2.17

OpenSSL 0.9.8, and guess what rhel5 means? Red Hat



Overall, WAY too much information. Why not just 'Server: Apache'?



So what do I do if I'm an attacker? I have already scanned this information to find it like usual and now I just have to find exploits on sites like http://seclists.org/ or if I have already have something usable I can use it. Not only that, but often:

X-Powered-By: PHP/5.2.17

might show up. Now all I have to do is search for vulnerabilities in that PHP EXACT version which was given to me. Execute code remotely, get the information I need, then break in and do whatever I like with the target once an exploit succeeds.



(Note the above is completely theoretical.)



X-Powered-By is sometimes sent by mod_php. It seems to always be over-ridable. It is not sent by PHP-FPM.



The Server header is of course, sent by almost every server. What is strange is that Apache and many distros decide to display everything about their environment by default. Don't get why. There are no issues if Server or X-Powered-By is not present in any browser. Generally speaking, no other end should need to know what the server is running, ever.



With nginx, the Server header can be overriden by PHP probably because PHP is handled by a separate process and is AFTER nginx has prepared its header (which is usually simply nginx/<version>). You can turn off version number displaying with 'server_tokens off' in your nginx configuration. This will result in 'Server: nginx' as your header.



With Apache, it doesn't seem to be overridable with mod_php. Perhaps it's overridable with FastCGI but I have not tested.



Also, I have not tested lighttpd.

down

Dylan at WeDefy dot com ¶

5 years ago


A quick way to make redirects permanent or temporary is to make use of the $http_response_code parameter in header().



<?php

// 301 Moved Permanently

header("Location: /foo.php",TRUE,301);



// 302 Found

header("Location: /foo.php",TRUE,302);

header("Location: /foo.php");



// 303 See Other

header("Location: /foo.php",TRUE,303);



// 307 Temporary Redirect

header("Location: /foo.php",TRUE,307);

?>



The HTTP status code changes the way browsers and robots handle redirects, so if you are using header(Location:) it's a good idea to set the status code at the same time.  Browsers typically re-request a 307 page every time, cache a 302 page for the session, and cache a 301 page for longer, or even indefinitely.  Search engines typically transfer "page rank" to the new location for 301 redirects, but not for 302, 303 or 307. If the status code is not specified, header('Location:') defaults to 302.

down

Anonymous ¶

4 years ago


I just want to add, becuase I see here lots of wrong formated headers.



1. All used headers have first letters uppercase, so you MUST follow this. For example:



Location, not location

Content-Type, not content-type or CONTENT-TYPE



2. Then there MUST be colon and space, like



good: header("Content-Type: text/plain");



wrong: header("Content-Type:text/plain");



3. Location header MUST be absolute uri with scheme, port and so on.



good: header("Location: http://www.example.com/something.php?a=1");



4. It cann't be relative:



wrong:  Location: /something.php?a=1

wrong:  Location: ?a=1



It will make proxy server and http clients happier.

down

AllportPC ¶

4 years ago


If using header in Safari, make sure you use complete pahge names.  For example, we were using 



<?php

header("Location: ?mng=" . $_GET['mng']);

?>



but it didnt work in Safari so we are using this



<?php

header("Location: index.php?mng=" . $_GET['mng']);

?>

down

Yousha dot A at Mail dot com ¶

1 year ago


Safe redirect:



<?php



function Redirect($Str_Location, $Bln_Replace = 1, $Int_HRC = NULL)

{

        if(!headers_sent())

        {

            header('location: ' . urldecode($Str_Location), $Bln_Replace, $Int_HRC);

            exit;

        }



    exit('<meta http-equiv="refresh" content="0; url=' . urldecode($Str_Location) . '"/>'); # | exit('<script></script>');

    return;

}



?>

down

Bharath Gandhi ¶

2 years ago


I wanted to redirect my page, after displaying a status result from feedback form submit click, to the home page of the website. I tried displaying the status message for 'n' seconds, before redirecting to the homepage, using the 'sleep()' function but I was stuck with the header ("Location=$url") command, as it always returned the message "headers already sent", after displaying the status message, and the page was stuck there.




using 'url' instead of 'location' along with the 'refresh' parameter, instead of 'sleep()' function, worked for me in this case.




<?php


  header( "refresh:5;url=wherever.php" );


  echo 'You\'ll be redirected in about 5 secs. If not, click <a href="wherever.php">here</a>.';


?>

down

cedric at gn dot apc dot org ¶

2 years ago


Setting a Location header "returns a REDIRECT (302) status code to the browser unless the 201 or a 3xx status code has already been set".  If you are sending a response to a POST request, you might want to look at RFC 2616 sections 10.3.3 and 10.3.4.   It is suggested that if you want the browser to immediately GET the resource in the Location header in this circumstance, you should use a 303 status code not the 302 (with the same link as hypertext in the body for very old browsers).  This may have (rare) consequences as mentioned in bug 42969.

down

scott at lucentminds dot com ¶

3 years ago


If you want to remove a header and keep it from being sent as part of the header response, just provide nothing as the header value after the header name. For example...



PHP, by default, always returns the following header:



"Content-Type: text/html"



Which your entire header response will look like



HTTP/1.1 200 OK

Server: Apache/2.2.11 (Unix)

X-Powered-By: PHP/5.2.8

Date: Fri, 16 Oct 2009 23:05:07 GMT

Content-Type: text/html; charset=UTF-8

Connection: close



If you call the header name with no value like so...



<?php



    header( 'Content-Type:' );



?>



Your headers now look like this:



HTTP/1.1 200 OK

Server: Apache/2.2.11 (Unix)

X-Powered-By: PHP/5.2.8

Date: Fri, 16 Oct 2009 23:05:07 GMT

Connection: close

down

info at vanylla dot it ¶

4 years ago


WARNING:




In order to make Internet Explorer 6 (probably also 7)  not to cache pages you should use only these headers:




<?php


header("Cache-Control: no-cache");


header("Expires: -1");


?>





as suggested by Microsoft itself [source: http://support.microsoft.com/kb/234067]




if you add all the headers suggested in "Example #2 Caching directives" above:




<?php


header("Cache-Control: no-cache, must-revalidate");


header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");


?>





IE browser goes on CACHING THE PAGE!!!

down

wong ¶

1 year ago


I had to battle with the "header already sent" problem recently. I read the manual and understand "Do not send spaces or empty lines before header() is called" and made sure it wasn't happening in my code. But still have "header already sent" problem.

It turned out to be the UTF BOM (byte order mark) problem pete mentioned in 2004. It's probably worth to mention it again, maybe put this in the official manual. Those BOM bytes are not visible to normal text editor and caused me a lot of pain trying to figure out what went wrong.

In short, if you are sure your code didn't send any strings before header() is called but still have "header already sent" problem, it is probably because your source code is saved using UTF BOM. To verify that, open the source code in a binary editor, you should see the first 3 bytes are EF BB BF. They should be deleted for the source code to work.

The bug has been logged under https://bugs.php.net/bug.php?id=22108.

down

krzysztof at wildfire dot pl ¶

2 years ago


I found a lot of problems with downloading file in IE.




You might use my code to download files:




<?php


if(ini_get('zlib.output_compression')) 


  ini_set('zlib.output_compression', 'Off'); 


if (file_exists($file)) {


  if(strstr($_SERVER["HTTP_USER_AGENT"],"MSIE")==false) {


    header("Content-Type: application/force-download");


    header('Content-Description: File Transfer');


  }


  readfile($file);


}


exit;


?>

down

Cody G. ¶

3 years ago


After lots of research and testing, I'd like to share my findings about my problems with Internet Explorer and file downloads.



  Take a look at this code, which replicates the normal download of a Javascript:



<?php

 if(strstr($_SERVER["HTTP_USER_AGENT"],"MSIE")==false) {

  header("Content-type: text/javascript");

  header("Content-Disposition: inline; filename=\"download.js\"");

  header("Content-Length: ".filesize("my-file.js"));

 } else {

  header("Content-type: application/force-download");

  header("Content-Disposition: attachment; filename=\"download.js\"");

  header("Content-Length: ".filesize("my-file.js"));

 }

 header("Expires: Fri, 01 Jan 2010 05:00:00 GMT");

 if(strstr($_SERVER["HTTP_USER_AGENT"],"MSIE")==false) {

  header("Cache-Control: no-cache");

  header("Pragma: no-cache");

 }

 include("my-file.js");

?>



Now let me explain:



  I start out by checking for IE, then if not IE, I set Content-type (case-sensitive) to JS and set Content-Disposition (every header is case-sensitive from now on) to inline, because most browsers outside of IE like to display JS inline. (User may change settings). The Content-Length header is required by some browsers to activate download box. Then, if it is IE, the "application/force-download" Content-type is sometimes required to show the download box. Use this if you don't want your PDF to display in the browser (in IE). I use it here to make sure the box opens. Anyway, I set the Content-Disposition to attachment because I already know that the box will appear. Then I have the Content-Length again.



  Now, here's my big point. I have the Cache-Control and Pragma headers sent only if not IE. THESE HEADERS WILL PREVENT DOWNLOAD ON IE!!! Only use the Expires header, after all, it will require the file to be downloaded again the next time. This is not a bug! IE stores downloads in the Temporary Internet Files folder until the download is complete. I know this because once I downloaded a huge file to My Documents, but the Download Dialog box put it in the Temp folder and moved it at the end. Just think about it. If IE requires the file to be downloaded to the Temp folder, setting the Cache-Control and Pragma headers will cause an error!



I hope this saves someone some time!

~Cody G.

down

richardphilip at linkcsik dot net ¶

2 years ago


Hi there,



I see lots of you have difficulties with utf-8 and BOM.

Some of the respected HTML editors have problem with it... 

If your files are in utf-8 for wathever reason and you can switch of insert BOM, most of time if the file reloaded into the editor it changes it's character coding even with the newest tools (2011).

The first thing is ("headers already sent") almost every time, you can notice this. (Even when you didn't give any visible output, before the headers.) But if you change character encoding, your project could be a mess espedcially if you prints out characters outside the english alphabet like ű ő ú and such... 



I had a hard time figure out, how can keep the utf-8 after reopen the file and edit it if I don't include BOM in it.



The solution is soo simple. 

Every module which is included or not I allways write a special character in comment. something like: //ű.

or in the html section: print "<!--ű-->"; 



in this way you absolutely not have to include bom and yet, your files will be encoded in utf-8.

(If your editor gives you an opportunity to change the encoding, then you are good to go.)

down

phpnet at holodyn dot com ¶

2 years ago


I've written this function so many times, but every time I find a new problem - this one is working in all browsers.




<?php


function downloadFile( $fullPath ){




  // Must be fresh start


  if( headers_sent() )


    die('Headers Sent');




  // Required for some browsers


  if(ini_get('zlib.output_compression'))


    ini_set('zlib.output_compression', 'Off');




  // File Exists?


  if( file_exists($fullPath) ){


    


    // Parse Info / Get Extension


    $fsize = filesize($fullPath);


    $path_parts = pathinfo($fullPath);


    $ext = strtolower($path_parts["extension"]);


    


    // Determine Content Type


    switch ($ext) {


      case "pdf": $ctype="application/pdf"; break;


      case "exe": $ctype="application/octet-stream"; break;


      case "zip": $ctype="application/zip"; break;


      case "doc": $ctype="application/msword"; break;


      case "xls": $ctype="application/vnd.ms-excel"; break;


      case "ppt": $ctype="application/vnd.ms-powerpoint"; break;


      case "gif": $ctype="image/gif"; break;


      case "png": $ctype="image/png"; break;


      case "jpeg":


      case "jpg": $ctype="image/jpg"; break;


      default: $ctype="application/force-download";


    }




    header("Pragma: public"); // required


    header("Expires: 0");


    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");


    header("Cache-Control: private",false); // required for certain browsers


    header("Content-Type: $ctype");


    header("Content-Disposition: attachment; filename=\"".basename($fullPath)."\";" );


    header("Content-Transfer-Encoding: binary");


    header("Content-Length: ".$fsize);


    ob_clean();


    flush();


    readfile( $fullPath );




  } else 


    die('File Not Found');




}


?>

down

anthon at piwik dot org ¶

2 years ago


I see a couple of notes where multiple Content-Type headers are sent.  Don't do that.



RFC2616 only presents two scenarios for multiple Content-Type headers in a response:



   1. a "300 Multiple Choice" status for agent-drive negotiation, or

   2. a response containing multi-part content.



Note also that multiple Content-Type headers reportedly breaks FastCGI.

down

giacomo at dove_vuoi_tu.com ¶

2 years ago


For avoiding double prompt when choose open (not save)

    header('Content-Type: application/download');

    header('Content-Disposition: filename=dati.txt');

down

Marcel G ¶

3 years ago


Several times this one is asked on the net but an answer could not be found in the docs on php.net ...




If you want to redirect an user and tell him he will be redirected, e. g. "You will be redirected in about 5 secs. If not, click here." you cannot use header( 'Location: ...' ) as you can't sent any output before the headers are sent.




So, either you have to use the HTML meta refresh thingy or you use the following:




<?php


  header( "refresh:5;url=wherever.php" );


  echo 'You\'ll be redirected in about 5 secs. If not, click <a href="wherever.php">here</a>.';


?>





Hth someone

down

SDPhantom ¶

3 years ago


Also note, if you add a header line in addition to supply a status code in the same call, it will do both.



Example:

<?php header('WWW-Authenticate: Basic realm="My Realm"',true,401); ?>



Will output both:

HTTP/1.1 401 Unauthorized

WWW-Authenticate: Basic realm="My Realm"

down

Refugnic ¶

3 years ago


My files are in a compressed state (bz2). When the user clicks the link, I want them to get the uncompressed version of the file.



After decompressing the file, I ran into the problem, that the download dialog would always pop up, even when I told the dialog to 'Always perform this operation with this file type'.



As I found out, the problem was in the header directive 'Content-Disposition', namely the 'attachment' directive.



If you want your browser to simulate a plain link to a file, either change 'attachment' to 'inline' or omit it alltogether and you'll be fine.



This took me a while to figure out and I hope it will help someone else out there, who runs into the same problem.

down

Orca8767 ¶

5 years ago


Note that if you don't want to go through the process of making sure that there is no output before you send a header, you can use



<?php

ob_start();

?>



at the beginning of your page.

This starts the output buffer, which allows you to send headers whenever you feel like it. Make sure that you put it at the BEGINNING, after the first php tag.



It allows you to do something like



<?php

ob_start();

echo 'foo';

header("Status: 404 Not Found");

echo 'bar';

?>

down

j dot gizmo at aon dot at ¶

8 years ago


some browsers always reload stylesheets, javascripts and other seldomnly changing files, which causes nasty delays when loading a website (Safari on MacOS is an example)



to tell the browser to keep files in cache for at least a day, you can use

<?php

header('Expires: ' . gmdate('D, d M Y H:i:s', time()+24*60*60) . ' GMT');

?>

This has the nice sideeffect of telling other browser that never refresh pages to refresh them at least once a day.



PS: i figure this is trivial, but it cost me some headache

down

dadarden_nospamola at iti2 dot nospamola dot net ¶

11 years ago


If you use session_start() at the top of a php script that also has header() calls later in the script for a file download then you must add some form of cache control for IE to work properly.  I use header('Cache-Control: public'); immediately after the code at the top of the script with the session_start() call that verifies that I have a properly logged in user.  That allows the header() and fpassthru() calls to download a file later in the script using IE 5.5 SP2.

down

-1

mahdi at jowkar dot ir ¶

1 year ago


You can use header(); function to show programs Errors


for example




// Errors.php


<?php


if(isset($_GET['iderror']))


{


echo '<div align="center">';


switch($_GET['iderror'])


{


case 1:


echo "we can not found your username or password";


breaak;


case 2:


echo "please login";


break;


}


echo '</div>';


}


else


{


echo "please send your Errors code";


}


?>





//panel.php


<?php


// ...


if($_SESSION['access'] == "")


{


header("Location: Errors.php?id=1");


}


if($_SESSION['username'] == "")


{


header("Location: Errors.php?id=2");


}


?>

down

-1

filip dot rydlo at email dot cz ¶

1 year ago


// Just a quick note to this header() function *today*, as of 2011-10-13:

// Latest Firefox (7.01) suddenly  will *NOT* let users download file  WHEN there is some extra character after the Content-type  header !! So be CAREFUL!



// for example:  ";" and space... like this:



header("Content-type: application/octet-stream; ");



// THIS IS NO LONGER OPERATIONAL in Firefox 7.01!  Be warned! - some pages STOPPED working - in terms of letting download attachments / files !

(in Firefox 6.02 it works, in IE8 and others  it also still works... but it may change in the future!)

down

-1

jphansen at uga dot edu ¶

2 years ago


When using header(Location:), if you have the same site that you use which has different URIs, for example:




www.example.com/a/mysite


www.example.net




you must remain consistent in how you reference it, or $_SESSION[] contents will be lost. 




An example would be a user enters www.example.com/a/mysite, then based on some decision they make, you want to header(Location:) them to another page. If you header(Location: http://www.example.net/page.php), $_SESSION[] will be lost. 




I solved this by forwarding them to a particular URI before I start saving $_SESSION[] variables:




<?php


if (strpos($_SERVER['REQUEST_URI'], "/a/mysite/") !== false)


    header('Location: http://www.example.net');


?>

down

-1

vedran-b at email dot htnet dot hr ¶

2 years ago


As known redirecting to a page inside your domain with header() does not pass along $_session variables.

Strange thing is that it is client dependant.

sometimes as stated session_write_close() before using header helps.



I've noticed that if the redirect doesn't point to the full URL of the page e.g. 

"Location: example.com/page2.php" 

but instead to 

"Location: /page2.php"



The session does get perserved with no need to append data manually to the url.

down

-1

rodelopiana at gmail dot com ¶

1 year ago


I resolve the problem ' header not working ' by editing the ob_start at the php.ini file

down

-1

polo at polosson dot com ¶

2 years ago


It seems that Internet Explorer can not execute an @ before the function 'header ("location: $ page")' (to ignore it if the contained variable is not defined). At launch, IE loads the page indefinitely, without displaying anything (not even an error message) as if there were an infinite loop of redirection.

However, Firefox supports this escape character and passes through the 'header()' without running it, and everything goes well. I am not able to explain why, but I wanted to say that in order to help those like me who have lost a lot of time with this problem!



Example:

My original code was :



<?php

      @header("Location: $redirection") ;

?>



and to make it work with Internet Explorer, I had to replace it with :



<?php

     if (isset($redirection)) {

          header("Location: $redirection") ;

     }

?>



Sincerely,

. Polosson

down

-1

xxxbunker dot com ¶

3 years ago


there are times when one would want to output a html status 500 'mid response'.



i wasn't able to get a clear answer weather sending a (be it incomplete) body with a 500 is proper, but what i found works nicely (assuming you are using output buffering, and haven't flushed the buffer before requiring a 500):



a) ..... some of the document body is buffered .....

b) ..... something happens that merits a html status 500 .....

c) ob_end_clean() - this will basically purge whatever document body is in the buffer 'to this point'

d) use header('.... to display the html status 500.

e) die();



what you are left with, is a html status 500, with no body. 



nice and clean, just the way we like it :)

down

-1

sk89q ¶

4 years ago


You can use HTTP's etags and last modified dates to ensure that you're not sending the browser data it already has cached.




<?php


$last_modified_time = filemtime($file);


$etag = md5_file($file);




header("Last-Modified: ".gmdate("D, d M Y H:i:s", $last_modified_time)." GMT");


header("Etag: $etag");




if (@strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) == $last_modified_time ||


    trim($_SERVER['HTTP_IF_NONE_MATCH']) == $etag) {


    header("HTTP/1.1 304 Not Modified");


    exit;


}


?>

down

-1

kamermans at teratechnologies dot net ¶

6 years ago


If you are trying to send image data to a mobile phone from PHP, some models (Motorola RAZOR V3 on Cingular) for whatever reason require the "Last-Modified" header or they will not show the image.



<?php

ob_start();

// assuming you have image data in $imagedata

$length = strlen($imagedata);

header('Last-Modified: '.date('r'));

header('Accept-Ranges: bytes');

header('Content-Length: '.$length);

header('Content-Type: image/jpeg');

print($imagedata);

ob_end_flush();

?>



date('r') produces the date with the numeric timezone offset (-0400) versus Apache, which uses timezone names (GMT), but according to the HTTP/1.1 RFC, dates should be formatted  by RFC 1123 (RFC 822) which states: "There is a strong trend towards the use of numeric timezone indicators, and implementations SHOULD use numeric timezones instead of timezone names.  However, all implementations MUST accept either notation." (http://www.ietf.org/rfc/rfc1123.txt)

down

chris at willowsconsulting dot ie ¶

5 months ago


It seems that this line of code is triggering a long TTFB on some Apache servers (either on Linux or MacOS) having a GZIP compression ON:

<?php

header("Content-Length: ".strlen($content));

?>



If you are not serving binary files to download (like CSS, JS, or whatever), you can remove the line of code.



This is what I have experienced:

TTFB without the line: 144ms

TTFB with the line: 5147ms (!!)



This weird behavior has been documented on some (old) version of IIS as well.

Conflict between mod_deflate and mod_fastcgi seems still unresolved... 



It is your duty has a PHP programmer to cope with architecture/server problem~.

down

Aldo ¶

1 year ago


Be carefull about the header("Content-length: $size");

If the size is lower than the actual size, your file will be corrupted when is downloaded.

down

lava ¶

1 year ago


I often see the Content-Transfer-Encoding header in user-provided examples. It should be noted that this is a MIME header and is not actually used in HTTP, which uses Transfer-Encoding and Content-Encoding instead (see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11 and http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.41). For example, the HTTP equivalent to the MIME header 'Content-Transfer-Encoding: binary' is 'Content-Encoding: identity'.


Keep that in mind when sending headers.

down

ben at netsup-spa@m-portchat dot com ¶

2 years ago


Doh!  I kept getting the "headers already sent" error message on a header("Location: .....") call.  I checked, re-checked, and re-checked and the scripts nor the files it included had any output - no trailing whitespace, nothing.  I was stumped for quite some time and then realized I had used:



<?php

header("Something Else");

flush(); // !!!!

?>



In one of the includes.  Obviously, when you flush() for the first time it must complete sending the headers, so you can't make any more header() calls!

down

xxxbunker dot com ¶

3 years ago


we use 204's extensively.



after doing some spring cleanup, we found out (as many others might have), that even tho you header('204..., the user agent will wait until the content-length header is received. which, at least via apache 2 (others probably) is not sent until the script has completed executing completely.



so, after doing some testing:



HTTP/1.0 204 No Content

Date: Sat, 27 Feb 2010 08:23:49 GMT

Server: Apache

Content-Length: 0

Vary: User-Agent,Accept-Encoding

Connection: close

Content-Type: text/html



is what is sent during a standard 204 response... so to reproduce this, the function we are using is:



header('HTTP/1.0 204 No Content');

header('Content-Length: 0',true);

header('Content-Type: text/html',true);

flush();



when the above is called prior to doing any processing, the user agent will be left alone to do other things, and you may continue doing (at times 'time' heavy) processing on the server end.



enjoy!

down

alvinwong_1234 at yahoo dot com dot hk ¶

3 years ago


Normally, using


<?php


    // Request URI is /boo/blah.php


    header("Location: /foo/bar.php");


?>


generates a header just like


<?php


    // Request URI is /boo/blah.php


    header("Location: /foo/bar.php");


?>





But when I once used


<?php


    // Request URI is /boo/blah.php


    header("Location: ../foo/bar.php");


?>


today, it generates an absolute path like


<?php


    // Request URI is /boo/blah.php


    header("Location: http://www.example.com/foo/bar.php");


?>





Funny. I guess php done the work.

down

this dot person at joaocunha dot eti dot br ¶

3 years ago


AVOID ZERO BYTE ORDER MARK!



Header MUST be sent before EVERYTHING in the page. Even a single space will break your script. In my case, there was BOM setted in the encoding, so I opened the file with notepad++ and set the encoding to UTF-8 (no BOM) and voila, everything is working great now.

down

marlinf at datashaman dot com ¶

3 years ago


Many of the issues with headers can be solved quite quickly by using the following code before you set your headers:




<?php


headers_sent(&$file, &$line);


var_dump($file, $line);


?>





This will show you exactly where the first line of output is coming from, which will prevent your headers from being set.

down

dmitry dot babinov at gmail dot com ¶

3 years ago


Microsoft KB http://support.microsoft.com/kb/234067 strongly recommends to set up "expires" header for best cache control.

Everything else is workaround.

I had download error with first attempt always till i had cache-control header within script using Internet Explorer.

Such code works fine with IE 7-8:

<?php

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n");

header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");

header("Content-type: application/zip;\n"); //or yours?

header("Content-Transfer-Encoding: binary");

$len = filesize($filename);

header("Content-Length: $len;\n");

$outname="downfile.zip";

header("Content-Disposition: attachment; filename=\"$outname\";\n\n");



readfile($filename);

?>

down

dev at omikrosys dot com ¶

3 years ago


Just to inform you all, do not get confused between Content-Transfer-Encoding and Content-Encoding



Content-Transfer-Encoding specifies the encoding used to transfer the data within the HTTP protocol, like raw binary or base64. (binary is more compact than base64. base64 having 33% overhead).

Eg Use:- header('Content-Transfer-Encoding: binary');



Content-Encoding is used to apply things like gzip compression to the content/data.

Eg Use:- header('Content-Encoding: gzip');

down

Jamesb ¶

4 years ago


Here is a php script I wrote to stream a file and crypt it with a xor operation on the bytes and with a key :




The encryption works very good but the speed is decrease by 2, it is now 520KiB/s. The user is now asked for a md5 password (instead of keeping it in the code directly). There is some part in French because it's my native language so modify it as you want.




<?php


// Stream files and encrypt the data on-the-fly




// Settings


// -- File to stream


$file = "FILE_out";


// -- Reading buffer


$bufferlength = 3840;


// -- Key in hex


//$keychar = "9cdfb439c7876e703e307864c9167a15";




// Function: Convertion hex key in a string into binary


function hex2bin($h) {


    if (!is_string($h)) return null;


    $r = array();


    for ($a=0; ($a*2)<strlen($h); $a++) {


        $ta = hexdec($h[2*$a]);


        $tb = hexdec($h[(2*$a+1)]);


        $r[$a] = (int) (($ta << 4) + $tb);


    }


    return $r;


}




// Function to send the auth headers


function askPassword($text="Enter the password") {


    header('WWW-Authenticate: Basic realm="'. utf8_decode($text) .'"');


    header('HTTP/1.0 401 Unauthorized');


    return 1;


}




// Key is asked at the first start


if (!isset($_SERVER['PHP_AUTH_PW'])) {


    askPassword();


    echo "Une clé est nécessaire !<br />";


    exit;


}


// Get the key in hex


$keychar = $_SERVER['PHP_AUTH_PW'];




// Convert key and set the size of the key


$key = hex2bin($keychar);


$keylength = count($key);


// Teste si la clé est valide en hex


if ($key == "" || $keylength <= 4) {


    askPassword("Clé incorrecte !");


    //echo "Clé incorrecte !<br />";


    exit();


}


// Teste si la clé est de longueur d'une puissance de 2


if ( ($keylength%2) != 0) {


    askPassword("Clé de longueur incorrecte (multiple de 2 uniquement)");


    //echo "Clé de longueur incorrecte (puissance de 2 uniquement)<br />";


    exit();


}




// Headers


header("Content-Type: application/octet-stream; ");


header("Content-Transfer-Encoding: binary");


header("Content-Length: " . filesize($file) ."; ");


header("filename=\"".$file."\"; ");


flush(); // this doesn't really matter.




// Opening the file in read-only


$fp = fopen($file, "r");


while (!feof($fp))


{


    // Read a buffer size of the file


    $buffer = fread($fp, $bufferlength);


    $j=0;


    for ($i=0; $i < $bufferlength; $i++) {


        // The key is read in loop to crypt the whole file


        if ($i%$keylength == 0) {


            $j=0;


        }


        // Apply a xor operation between the key and the file to crypt


        // This operation eats a lots of CPU time (Stream at 1MiB/s on my server; Intel E2180)


        $tmp = pack("C", $key[$j]);


        $bufferE = ( $buffer[$i]^$tmp); // <==== Le fameux XOR


        


        /*


        echo "<br />key[".$j."]: ";


        var_dump($tmp);


        echo "<br />buffer[".$i."]: ";


        var_dump($buffer[$i]);


        echo "<br />bufferE: ";


        var_dump($bufferE);


        echo "<br />";


        //*/


        


        // Send the encrypted data


        echo $bufferE;


        // Clean the memory


        $bufferE = "";


        $j++;


    }


    $buffer = "";


    flush(); // this is essential for large downloads


    /*


    fclose($fp);


    exit();


    //*/


}


// Close the file and it's finished


fclose($fp);




?>

down

nullhility at gmail dot com ¶

4 years ago


I ran into problems when trying to get php to use a transparent ErrorDocument redirect. 



My document root .htaccess was set up to redirect select error codes to error.php which tests against $_SERVER['REDIRECT_STATUS'] and templates a document based on the status code. 



I had hoped to raise a 404 after a mysql query turned up empty (fyi; before output had started) but page output continued "normally", ie incorrectly.

Because this was inside a template class I was able to manually change the template's include file and $_SERVER['REDIRECT_STATUS'] to output the desired result. I wasn't actually sure if header() worked or not because apache2 has already returned 200 OK after which any header change would only affect the browser, wouldn't it?



I have read about header() working with apache redirects before, is this still available with apache2? Here's some code just to explain the concept:



<?php

class page_template

{

    $include_file;

//...



    function getData ()

    {

         try {

            //...

            if ($result->num_rows == 0) {

                throw new MysqlException("Empty result set");

            }

            //...

        } catch (MysqlException $e) {

            if ($e->getMessage() == "Empty result set") {

                

                header("HTTP/1.0 404 Not Found");

                header("Status: 404 Not Found");

                

                //the below two lines fixed the issue for me

                $_SERVER['REDIRECT_STATUS'] = 404;

                $this->template_file = $_SERVER['DOCUMTENT_ROOT'].'error.php';

         }

    }

}

?>

down

eonrglez at gmail dot com ¶

4 years ago


When you are trying to download a file using PHP it´s important to take into acount the definition of de Header element.




I have seen various examples where the people use a 




<?php


header("Content-Type: application/octet-stream");


header("Content-Disposition: attachment; filename=\"".$filename."\";");


?>





however in adition to this is important add the definition of the cache because if you dont do it you will have problems with some navigators for example IE 7.0 under https protocol will show you a message saying that the file is not available.




here is a working example:




<?php


header("Pragma: public");


      header("Expires: 0");


      header("Cache-Control: must-revalidate, post-check=0, pre-check=0");


      header("Cache-Control: private",false);


      header ( "Content-Type: $filedatatype" );


      header("Content-Disposition: attachment; filename=\"".$FileObj->name."\";");


      header("Content-Transfer-Encoding: binary");


      header("Content-Length: ".$filesize);


  readfile($file);


exit;


?>





where $filedatatype is the data type of the file for example:




   application/pdf

down

bebertjean at yahoo dot fr ¶

4 years ago


If using the 'header' function for the downloading of files, especially if you're passing the filename as a variable, remember to surround the filename with double quotes, otherwise you'll have problems in Firefox as soon as there's a space in the filename.



So instead of typing:



<?php

  header("Content-Disposition: attachment; filename=" . basename($filename));

?>



you should type:



<?php

  header("Content-Disposition: attachment; filename=\"" . basename($filename) . "\"");

?>



If you don't do this then when the user clicks on the link for a file named "Example file with spaces.txt", then Firefox's Save As dialog box will give it the name "Example", and it will have no extension.



See the page called "Filenames_with_spaces_are_truncated_upon_download" at 

http://kb.mozillazine.org/ for more information. (Sorry, the site won't let me post such a long link...)

down

jamie ¶

4 years ago


The encoding of a file is discovered by the Content-Type, either in the HTML meta tag or as part of the HTTP header. Thus, the server and browser does not need - nor expect - a Unicode file to begin with a BOM mark. BOMs can confuse *nix systems too. More info at http://unicode.org/faq/utf_bom.html#bom1



On another note: Safari can display CMYK images (at least the OS X version, because it uses the services of QuickTime)

down

Pr Ahrn ¶

4 years ago


Set a fast ETAG:




<?php


$fp = fopen($_SERVER["SCRIPT_FILENAME"], "r");


$etag = md5(serialize(fstat($fp)));


fclose($fp);


header('Etag: '.$etag);


?>

down

kc8yds at gmail dot com ¶

5 years ago


if you use php to create custom error pages (such as header('HTTP/1.1 500 Internal Server Error');) Internet Explorer ignores you custom page unless it is at least 512 (or sometimes 1024 bytes)




IE ignores custom error pages that are less than 512 (or from what i've read 1024) bytes.




just place this before any output on your custom error page--- and be sure that your custom error page includes proper html tags (it must have a </body> for this specific example to work)




<?php


// set your custom error header --- example --- header('HTTP/1.1 503 Service Unavailable');




function padding($html){


return ($padding=1024-ob_get_length()) > 0 ? str_replace('</body>','<!--'. ($padding>8?str_repeat(' ',$padding-8) :null ).'-->'."\n".'</body>',$html) : $html;


}




ob_start('padding');


?>





and then place this somewhere within the html error page output




<!-- ---- -->




that will auto-adjust to pad the file to 1024 bytes to override the default Internet Explorer error pages.

down

Yasser Khan (MYKSP) ¶

5 years ago


To get PHP to load a PDF (for example) from file, use the following code.




<?php


$filename = $_SERVER['DOCUMENT_ROOT'] . "/path/to/file/my_file.pdf";


header("Cache-Control: public");


header("Content-Description: File Transfer");


header('Content-disposition: attachment; filename='.basename($filename));


header("Content-Type: application/pdf");


header("Content-Transfer-Encoding: binary");


header('Content-Length: '. filesize($filename));


readfile($filename);


?>

down

milin_mestry at yahoo dot com ¶

5 years ago


Hi,



I was trying to save the '.xls' on user machine, which works correctly on

Firefox(developer friendly) but not on Microsoft's IE(Microsoft friendly);



after searching on the net, i found this code which works on both the browser.

Source link: http://www.webdeveloper.com/forum/archive/index.php/t-30248.html



here is the code:

-------------------------

<?php

// downloading a file

$filename = $_GET['path'];



// fix for IE catching or PHP bug issue

header("Pragma: public");

header("Expires: 0"); // set expiration time

header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

// browser must download file from server instead of cache



// force download dialog

header("Content-Type: application/force-download");

header("Content-Type: application/octet-stream");

header("Content-Type: application/download");



// use the Content-Disposition header to supply a recommended filename and

// force the browser to display the save dialog.

header("Content-Disposition: attachment; filename=".basename($filename).";");



/*

The Content-transfer-encoding header should be binary, since the file will be read

directly from the disk and the raw bytes passed to the downloading computer.

The Content-length header is useful to set for downloads. The browser will be able to

show a progress meter as a file downloads. The content-lenght can be determines by

filesize function returns the size of a file.

*/

header("Content-Transfer-Encoding: binary");

header("Content-Length: ".filesize($filename));



@readfile($filename);

exit(0);

?>

down

Patrick ¶

5 years ago


If you come across cache error (when trying to cache your images or other files) like this:



[code=CACHE_FILL_OPEN_FILE] An internal error prevented the object from being sent to the client and cached. Try again later.



You may try sending Cache-Control: private header at the beginning to sort that out



header('Cache-Control: private');

down

cduke420 at gmail dot com ¶

5 years ago


If you have Apache, you can setup your ErrorDocument to point 

to a php file that instructs search engines to try again in 120 seconds.  

This can be helpful when you are doing maintenance on the site.



Then in .htaccess



ErrorDocument 503 /cgi-bin/503.php 

ErrorDocument 500 /cgi-bin/503.php 



<?php

ob_start();

@header("HTTP/1.1 503 Service Temporarily Unavailable");

@header("Status: 503 Service Temporarily Unavailable");

@header("Retry-After: 120");

@header("Connection: Close");

?><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>503 Service Temporarily Unavailable</title>

</head><body>

<h1>Service Temporarily Unavailable</h1>

<p>The server is temporarily unable to service your

request due to maintenance downtime or capacity

problems. Please try again later.</p>

</body></html><?php

$g=ob_get_clean();

echo $g;

exit;

exit();

?>



See: 

http://askapache.com/htaccess/503-service-temporarily-unavailable.html

down

gilthans at nospam dot gmail dot com ¶

5 years ago


I've been having trouble with a simple page that simply redirects the page elsewhere. Even the simple:



<?php

Header("Location: http://www.google.com/");

?>



Wouldn't work ("Warning: Headers already sent!").

After double checking for extra spaces, I found out that because I saved the file as a UTF-8 file, and the page wasn't loaded as a UTF-8 page, so some weird character was prepended to the page. After saving the file as a windows-1252 file it worked ok. Hope this someone some headaches.

down

henfiber at gmail dot com ¶

5 years ago


Is there a serious problem with utf8 encoding?

Answer: no- utf8 with bom is a problem..



I spent about 10 hours trying every tip or fix suggested by users to fix the problem with " headers already sent ".



Finally I found the problem with a hex editor.



As it is previously mentioned header() should be the first statement. Moreover php opening and closing tags should be clean of spaces:



So something like this should work:



<?php

header('something ..');

?>



I had applied an authentication scheme to my pages using sessions. The encoding of my files was "utf-8". Though I 

tried cleaning everything about spaces,tabs and other dirt  through my code, I kept getting these " headers already sent errors..". The problem was in utf-8 encoding ( I don't mean the meta:http-equiv=" charset='utf-8' tag but the actual encoding of my file.) When I changed to ANSI everything worked. Actually the utf-8 encoding added three characters at the start of my file : ο»Ώ. This is called bom in utf-8. So if you are going to use utf-8 encodings to your pages and need to put php header code in these pages choose to save "utf8 without bom". (I hope your editor has such an option - I use notepad++ in win32 )

Hope it helps..

down

ik at dynamique dot nl ¶

5 years ago


If you want your download script to work in Safari you'll have to print quotation marks around the filename:

header('Content-Disposition: attachment; filename="'.$fileName.'"');

,otherwise Safari will just save the file as 'scriptname.php'.

down

Aleks ¶

5 years ago


I recently had a hair-threatening problem with Firefox and XHTML 1.0 transitional.



It worked fine with other browsers, and also with HTML 4.1.



To cut a long story short, PHP-generated JS and CSS files were still being reported by the headers as text/html, while in the HTML they were text/css and application/javascript; Firefox having been told the page was XHTML 1.0 became anal-retentive and refused to style the page. (I think the JS still worked but I fixed it anyway.)



Solution:



header('Content-type: text/css');

and

header('Content-type: application/javascript');

down

ryanhanekamp at yahoo dot com ¶

5 years ago


I strongly recommend the "Live HTTP Headers" plugin for Firefox for any work when manually setting headers. (Find it in the addons section on mozilla.com) This allows you to see the headers your PHP script and server are sending, plus Firefox's request headers.



One important thing to note is a conflict with many of the scripts here, including in lasitha dot alawatta's Excel post just a few below me, is that sending multiple headers of the same type from your script does not actually cause multiple lines of output to the browser, at least for the version of PHP5 I'm running, and it's doubtful the browser would process any other than the last line anyhow.



So sending multiple "Pragma: " or "Cache-Control: " headers results in only the last one set in your script to actually be sent.



Also, it's already been pointed out, but setting "Cache-Control: Pre-Check=0, Post-Check=0" does absolutely nothing. I believe only MSIE even uses these values and it specifically IGNORES both of them when both are set to zero.



I've actually had more trouble trying to encourage caching than preventing it, because PHP sends "Cache-Control" and "Pragma" headers either always or at least always with sessions on (and I always have sessions on). The trick is to always send BOTH "Cache-Control" and "Pragma" because if they conflict it's completely up to the browser to resolve. And if you have a custom server in PHP like I'm working on right now, you'll need to sniff for $_SERVER['IF-MODIFIED-SINCE'] and serve up "HTTP/1.1 304 Not Modified" as appropriate.



If you are doing something like this and want to ensure caching of static files, the best way I found was to give an honest "Last-Modified", set an "Expires:" a reasonable time in the future (a few minutes through the year 2038, depending on what you're doing), set "Cache-Control" to "private" or "public", and stay away from "Max-Age".

down

Kal ¶

6 years ago


I spent a long time trying to determine why Internet Explorer 7 wasn't prompting the user to save a download based on the filename specified on a "'Content-Disposition: attachment; filename=..." header line.



I eventually determined that my Apache installation was adding an additional header: "Vary: Host", which was throwing IE - as per http://support.microsoft.com/kb/824847



I found manually setting the Vary header from within PHP as follows header('Vary: User-Agent'); allowed IE to behave as intended.



Hope this saves someone else some time,



- Kal

down

lasitha dot alawatta at gmail dot com ¶

6 years ago


Create MS-Excel file:




<?php




    $export_file = "my_name.xls";


    ob_end_clean();


    ini_set('zlib.output_compression','Off');


    


    header('Pragma: public');


    header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");                  // Date in the past    


    header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');


    header('Cache-Control: no-store, no-cache, must-revalidate');     // HTTP/1.1 


    header('Cache-Control: pre-check=0, post-check=0, max-age=0');    // HTTP/1.1


    header ("Pragma: no-cache");


    header("Expires: 0");


    header('Content-Transfer-Encoding: none');


    header('Content-Type: application/vnd.ms-excel;');                 // This should work for IE & Opera


    header("Content-type: application/x-msexcel");                    // This should work for the rest


    header('Content-Disposition: attachment; filename="'.basename($export_file).'"');




?>

down

jasper at jtey dot com ¶

6 years ago


If you are finding that header() is not working for no obvious reason, make use of the headers_sent() function to drill down to the cause of the problem.




Consider the following scenario,




<?php


// Sign out


signOut();




// Redirect back to the main page


header("Location: http://example.com/mainpage");


?>





If for some reason, the header() call to redirect is not working, there won't be any error messages, making it difficult to debug.  However, using headers_sent(), you may easily find the source of the problem.




<?php


// Sign out


signOut();




/*


 * If headers were already sent for some reason, 


 * the upcoming call to header() will not work...


 */


if(headers_sent($file, $line)){


    // ... where were the mysterious headers sent from?


    echo "Headers were already sent in $file on line $line...";


}




// Redirect back to the main page


header("Location: http://example.com/mainpage");


?>





As the documentation states, "header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP."  In the above debugging solution, you will find out exactly where any of these problematic output or blank lines exist.  You should then be able to resolve the issues with much more ease than if you hunted for the problems aimlessly.

down

Jean-Pierre ¶

6 years ago


You can use the Header command to force a browser to use fresh content (no caching).




However, this only works for the HTML code your code generates. When you have updated images for example (with the same filename) then there's a chance that these are still cached.




The easiest way to solve this problem I found is changing:




<?php


print "<img src='yourfile.jpg'>";


?>





into:




<?php


print "<img src='yourfile.jpg?".time()."'>";


?>





This adds an unique number to the url and wont hurt at all.

down

aooa83(a)dsldotpipexdotcom ¶

6 years ago


apache_request_headers() is only available if PHP is running as an apache module. Various request header values are available in the $_SERVER array, for example:



$_SERVER["HTTP_IF_MODIFIED_SINCE"]



Gives the if modified date in "Sat, 12 Aug 2006 19:12:08 GMT" format.

down

aarondunlap.com ¶

8 years ago


I just made a function to allow a file to force-download (for a script to disallow file links from untrusted sites -- preventing mp3/video leeching on forums), and I realized that a script like that could potentially be very dangerous.



Someone could possibly exploit the script to download sensitive files from your server, like your index.php or passwords.txt -- so I made this switch statement to both allow for many file types for a download script, and to prevent certain types from being accessed.



<?php



function dl_file($file){



    //First, see if the file exists

    if (!is_file($file)) { die("<b>404 File not found!</b>"); }



    //Gather relevent info about file

    $len = filesize($file);

    $filename = basename($file);

    $file_extension = strtolower(substr(strrchr($filename,"."),1));



    //This will set the Content-Type to the appropriate setting for the file

    switch( $file_extension ) {

          case "pdf": $ctype="application/pdf"; break;

      case "exe": $ctype="application/octet-stream"; break;

      case "zip": $ctype="application/zip"; break;

      case "doc": $ctype="application/msword"; break;

      case "xls": $ctype="application/vnd.ms-excel"; break;

      case "ppt": $ctype="application/vnd.ms-powerpoint"; break;

      case "gif": $ctype="image/gif"; break;

      case "png": $ctype="image/png"; break;

      case "jpeg":

      case "jpg": $ctype="image/jpg"; break;

      case "mp3": $ctype="audio/mpeg"; break;

      case "wav": $ctype="audio/x-wav"; break;

      case "mpeg":

      case "mpg":

      case "mpe": $ctype="video/mpeg"; break;

      case "mov": $ctype="video/quicktime"; break;

      case "avi": $ctype="video/x-msvideo"; break;



      //The following are for extensions that shouldn't be downloaded (sensitive stuff, like php files)

      case "php":

      case "htm":

      case "html":

      case "txt": die("<b>Cannot be used for ". $file_extension ." files!</b>"); break;



      default: $ctype="application/force-download";

    }



    //Begin writing headers

    header("Pragma: public");

    header("Expires: 0");

    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

    header("Cache-Control: public"); 

    header("Content-Description: File Transfer");

    

    //Use the switch-generated Content-Type

    header("Content-Type: $ctype");



    //Force the download

    $header="Content-Disposition: attachment; filename=".$filename.";";

    header($header );

    header("Content-Transfer-Encoding: binary");

    header("Content-Length: ".$len);

    @readfile($file);

    exit;

}



?>



This works in both IE and Firefox.

down

guvnor ¶

8 years ago


One that tripped me up for a while...



When I use PHP sessions, the following headers are sent automatically to force the browser not to cache:



Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 

Pragma: no-cache 



If you are having trouble with inline PDFs etc., thses may be causing you problems. As per other notes here if you overwrite these headers before outputting your file, the download problems will go away.



header('Cache-Control:');

header('Pragma:');



If you wish to retain the dynamic content, only send the above if the document you are returning is not HTML.



Its well worth examining your own headers (call your PHP script from another script using get_headers() for instance) before going mad trying to fix something - better still compare the headers from your script with headers from a static web page - it might save you hours of time.

down

jp at webgraphe dot com ¶

9 years ago


A call to session_write_close() before the statement




<?php


    header("Location: URL");


    exit();


?>





is recommended if you want to be sure the session is updated before proceeding to the redirection.




We encountered a situation where the script accessed by the redirection wasn't loading the session correctly because the precedent script hadn't the time to update it (we used a database handler).




JP.

down

-1

admin at examedu dot com ¶

3 months ago


Just avoid and add some code to work for large file



<?php

$filename = "theDownloadedFileIsCalledThis.mp3";

$myFile = "/absolute/path/to/my/file.mp3";



// Add bellow code for mime type

$ext=strtolower(substr($fl,strrpos($myFile,".")));

$mime_types = array(

            '.txt' => 'text/plain',

            '.htm' => 'text/html',

            '.html' => 'text/html',

            '.php' => 'text/html',

            '.css' => 'text/css',

            '.js' => 'application/javascript',

            '.json' => 'application/json',

            '.xml' => 'application/xml',

            '.swf' => 'application/x-shockwave-flash',

            '.flv' => 'video/x-flv',



            // images

            '.png' => 'image/png',

            '.jpe' => 'image/jpeg',

            '.jpeg' => 'image/jpeg',

            '.jpg' => 'image/jpeg',

            '.gif' => 'image/gif',

            '.bmp' => 'image/bmp',

            '.ico' => 'image/vnd.microsoft.icon',

            '.tiff' => 'image/tiff',

            '.tif' => 'image/tiff',

            '.svg' => 'image/svg+xml',

            '.svgz' => 'image/svg+xml',



            // video

            '.3gp' => 'video/3gpp',

            '.3g2' => 'video/3g2',

            '.avi' => 'video/avi',

            '.mp4' => 'video/mp4',

            '.asf' => 'video/asf',

            '.mov' => 'video/quicktime',

        );



if (array_key_exists($ext, $mime_types)){

   $mm_type=$mime_types[$ext];

}else{

   $mm_type="application/octet-stream";

}

$mm_type="application/octet-stream";



header("Cache-Control: public, must-revalidate"); // Avoid this line

header("Pragma: public"); // Add this line

header("Pragma: hack"); // Avoid this line

header("Content-Type: " . $mm_type);

header("Content-Length: " .(string)(filesize($myFile)) ); // Avoid this line

header('Content-Disposition: attachment; filename="'.$filename.'"');

header('Content-Length: ' . filesize($myFile)); // Add this line

header("Content-Transfer-Encoding: binary\n");

ob_clean(); // Add this line



readfile($myFile);



?>



It should be work fine now.

down

-1

rick at softwareafrica dot co dot za ¶

3 months ago


I searched long and hard for this answer and finally found it on Wikipedia, so I'm posing it here to save someone else the trouble!  It's obviously so simple to the 'old hands' that nobody mentions it.


To use PHP to display another web page in your browser, i.e. open or show a webpage that isn't the one containing the PHP code:




header( 'Refresh: 0; url=thankyou.php' );

down

-1

Yousha dot A at Hotmail dot com ¶

6 months ago


a nice NoCache function:



<?php



function No_Cache()

{

    if(headers_sent()) return FALSE;



    header('pragma: public'); # HTTP/1.0

    header('expires: Mon, 26 Jul 1997 05:00:00 GMT');

    @header('last-modified: ' . gmdate('D, d M Y H:i:s') . ' gmt'); # !

    @header('cache-control: no-store, no-cache, must-revalidate'); # HTTP/1.1

    header('cache-control: private, post-check=0, pre-check=0, max-age=0', FALSE); # HTTP/1.1

    header('pragma: no-cache'); # HTTP/1.0

    header('expires: 0');

    return;

}



?>

down

-1

info at kenovate dot com ¶

1 year ago


To use header() with 'content-type', why don't you use mime_content_type() function rather than checking the type on the basis of extension?


Example code:




<?php


$file="test.docx";


header("Pragma: public");


header('Content-disposition: attachment; filename='.$file);


header("Content-type: ".mime_content_type($file));


header('Content-Transfer-Encoding: binary');


ob_clean(); 


flush(); 


readfile($file);


?>





Use $file to map to whichever type of file.


Note: the mime types should already be defined in apache settings

down

-1

kenaniah at bestphp dot net ¶

5 years ago


If you are looking to send files such as PDFs or Excel spreadsheets or Microsoft Office documents and are having issues with IE7, IE6, or IE5.5 not being able to open/download the files over an SSL connection, but still need not allow caching, then set these two headers:

<?php

header("Cache-Control: maxage=1"); //In seconds

header("Pragma: public");

?>

Granted, this will cache your file for one second, but it's as close to an un-cached download as you can get when using IE over SSL.



Some basic info on the issue can be found here: http://support.microsoft.com/kb/812935

down

-1

pete at flifl dot com ¶

9 years ago


Is Unicode, UTF-8 and setcookie, session_start at the same time impossible...? 




Well, then you might need this...:




1) Keep your source files in ASCII to avoid the Byte Order Mark (BOM) confusion hell when include'ing or require'ing multiple files and avoid cookies not working because of the "header already sent" thing..




2) use this source:


-------->


<?php


   header('Content-Type: text/html; charset=utf-8');


   header('Set-Cookie: track=978268624934537');


?>


<html>


   <head>


       <meta http-equiv=Content-Type content="text/html; charset=utf-8" />


<--------




Output through Apache to the browser will be UTF-8 and does not require browser to get page twice and the cookie works.


Your Chinese or cyrillic characters will work and come on out right too, provided you make an input script to put them into mysql using this scheme too.




Seems to me to be the way to use utf-8 with cookies. I hope you like it.




Peter Sierst Nielsen

down

-3

sedativchunk at gmail dot com ¶

1 year ago


I already see the PHP documentation contains this but I wanted to leave a note to let people know how important it is. ALWAYS use the exit command after a PHP header redirect!



<?php

header ("Location: index.php");



// Make sure you exit your code

exit;

?>



Alot of examples on the web fail to follow the statement with the exit command. I was contracted to do a huge social networking site several years ago and left the exit statement out of the code. This led to huge leaks in security and also caused a PHP headers already sent message. It caused me a major headache and I didn't realize what was doing it at the time. Now I use it in all my jobs.



That's the thing with PHP, no one really teaches it formally so you have to make mistakes with it to learn things like this. It's in the PHP documentation but it's something I completely  missed. Maybe this will be a nice heads up for someone looking on using the header function.

down

-2

Anonymous ¶

1 year ago


If your header directive is not working, notice that there should be no space between the HTTP header name and the colon (:).



Correct :

header("Location: http://www.example.com) ;



Incorrect but fails without any notice :

header("Location : http://www.example.com) ;

Since there is no "Location :" HTTP header, it is just left out in the HTTP response.

down

-2

pineapplecharm at gmail dot com ¶

4 years ago


I've just discovered that Chrome doesn't perform a Location: instruction unless it gets a Status: first.  It's also sensitive to capitalisation.



<?php



    header("Status: 200");

    header("Location: /home.php");

    exit;



?>

down

-2

manuzhai dot REMOVE dot THIS at php dot net ¶

9 years ago


If you are using a redirect to an ErrorDocument, you may want to prefix your output with header("HTTP/1.0 200 OK"); to make sure automated clients don't think your file wasn't found.

down

-4

Denis Sokolov ¶

1 year ago


A proper way to encode a filename in Content-Disposition header is described in RFC 5987.


However, that is not supported in IE below 9, so you need a fallback.


You can not send two Content-Disposition headers, but you can set two filename attributes:




  <?php


  $simple = 'file.jpg';


  $fancy = 'my € balance ¤ ½.jpg';


  header('Content-Disposition: attachment; filename='.$simple.'; filename*=utf-8\\'\\''.rawurlencode($fancy));


  ?>

down

-2

greg d0t pwpp 4t gmail d0t com ¶

6 years ago


More on downloading files...



Here's a slight improvement to the method provided by Nick Sterling.



I tried this and it works great, but using fopen ran into memory limit problems.



By using readfile($filename), I solved this problem without having to change the ini settings.



readfile() reads a file and writes it to the output buffer.



Here's my version of the code:



<?php

$filename = "theDownloadedFileIsCalledThis.mp3";

$myFile = "/absolute/path/to/my/file.mp3";



$mm_type="application/octet-stream";



header("Cache-Control: public, must-revalidate");

header("Pragma: hack"); // WTF? oh well, it works...

header("Content-Type: " . $mm_type);

header("Content-Length: " .(string)(filesize($myFile)) );

header('Content-Disposition: attachment; filename="'.$filename.'"');

header("Content-Transfer-Encoding: binary\n");



readfile($myFile);



?>

down

-2

Hayley Watson ¶

6 years ago


As an alternative to using header('Content-Type: ****') on almost every page, the default Content-Type (and character set, too, if needed) can be set in php.ini under the "default_mimetype" and "default_charset" entries.

down

-2

mailforlindsay at gmail dot com ¶

6 years ago


Careful! This line of code cause IIS to crash on PHP 4.3.4 and maybe others.




<?php


header("location:/currentfile.php"); 


// forward slash causes crash


// currentfile.php is the exact basename of this file 


?>





Learned this the hard way.

down

-2

emmett_the_spam at yahoo dot com ¶

9 years ago


This is a heads-up not just for php, but for any method of creating a 302 redirect.  Mac IE 5.1.4 (osx) has a serious bug when it comes to the 302.



Say you have a form post page A with action pointing to a submit page B, and the submit page B processes and sends a 302 redirect back to the form page A.  All works fine with that part.  Now hit refresh while on page A, and the last form POST is suddenly delivered to page A!



This can be a very confusing bug to deal with, depending on how your code handles incoming post data.  It could also be potentially very dangerous in terms of data loss, if it occurs within database administration pages (where I ran into it).  What you may want to do is plan your site so that the form page itself never needs to read POST data, and then ignore all POST data.  Either that, or in the location url from your header function add a query argument such as "nopost=1" which, when present, indicates to your page A code to ignore the POST data.



I've tested with Firebird Mac/PC, and IE6 on PC, and those browsers do not exhibit this behaviour.

add a note

header

Description

Parameters

Return Values

Changelog

Examples

Notes

See Also