News Archive
Using the Accept Header to version your API
October 20, 2014 @ 12:56:46

On the blog today there's a new tutorial talking about the use of the Accept header in REST HTTP requests and, more specifically, working with it in a Symfony-based application.

I investigated different ways to version a REST API. Most of the sources I found, pretty much all said the same thing. To version any resource on the internet, you should not change the URL. The web isn't versioned, and changing the URL would tell a client there is more than 1 resource. [...] Another thing, and probably even more important, you should always try to make sure your changes are backwards compatible. That would mean there is a lot of thinking involved before the actual API is built, but it can also save you from a big, very big headache. [...] Of course there are always occasions where BC breaks are essential in order to move forward. In this case versioning becomes important. The method that I found, which appears to be the most logical, is by requesting a specific API version using the Accept header.

He shows how to create a "match request" method in his custom Router that makes use of the AcceptHeader handling to grab the header data and parse it down into the type and API version requested. He also includes an example of doing something similar in the Symfony configuration file but hard-coding the condition for the API version by endpoint.

accept header rest api versioning symfony tutorial


Jason Fox:
Use the Accept Header to Set Your Return Data With Zend Framework 2
February 22, 2013 @ 11:42:35

Jason Fox has a recent post to his site about using "Accept" headers in Zend Framework 2 apps to set the format of the return data from a request.

In this article I detail the process by which you can set up your controller actions in Zend Framework 2 to return either the default HTML, or JSON data depending on the "Accept Header" in the request. It incorporates changes related to a security update added since this very helpful article was written, and expands on some of the intricacies of making your web layer objects better "json providers."

His example uses a "ViewJsonStrategy" and the criterion it checks to decide which representation to respond with (HTML or JSON): the Accept header. It uses the Zend JSON encoder/decoder instead of the built-in PHP one so he could use the included "toJson" method to customize the JSON output instead of just returning everything.

accept http header zendframework2 tutorial json
REST - Can You do More than Spell It? Part 4
May 21, 2012 @ 08:44:26

The latest tutorial in their series covering RESTful APIs has been posted - part four of "REST - Can you do More than Spell it?" In this latest part of the series, they focus on something very key to RESTful services: the HTTP spec (and headers).

We're getting close to the end now, and the only thing remaining is to discuss a little more about the protocol you'll most likely use in any RESTful application that you write. Because HTTP is so often used with REST, that's the protocol I'd like to focus on.

He goes through the structure of a typical (raw) HTTP header and talks about some of the more common headers and what actions/settings they represent. He includes examples of setting headers (with header(), naturally) and a curl example showing how to set the request headers. The tutorial is finished off with a brief mention of custom HTTP headers and the good and bad that comes with them.

rest api tutorial series http spec protocol status header

Phil Sturgeon's Blog:
Hijacking Headers to Force Downloads
March 29, 2012 @ 11:29:28

Phil Sturgeon shows how you can hijack headers in his latest post to force a download to the client (even on a hosted service like PagodaBox).

The question [I posed on Twitter] was: "How to force a download of any file of any type, not on your server, without Apache tweaking? Images are displaying and need em to download." Essentially, I wanted to be able to link to a file that was not on the server in question and anywhere in the world, which could be of any size, any media type and could be potentially very high traffic.

Answers varied from using readfile to just letting the browser handle it. None of the responses were quite right until he came across one that recommended some settings in an .htaccess file. It uses

file download force header question htaccess
Add a Content Security Policy (CSP) to your Web Site with PHP
August 25, 2011 @ 13:11:36

Related to this other post about content security policies in PHP sites, there's a quick new post about what you'll need to add to your application to implement a policy of your own.

Content Security Policy (CSP) is a mechanism in the browser that restricts what content will be requested and run by the browser. CSP does this by passing in a specific response header that tells the browser what resources (images, javascript, css, frames, etc) can be requested and accepted to execute. There are multiple ways to set up CSP for your web site: you can use your web server configuration like I showed in a previous example or use a dynamic scripting language like PHP.

What it really boils down to is setting a header, either X-Content-Security-Policy or X-Content-Security-Policy-Report-Only, to tell the browser what security policy to use and how to honor it. You can find out more about content security policies from this page on the Mozilla wiki. CSPs allow you to define how your site's content interacts and help to prevent issues like XSS and data injection.

content security policy tutorial header
Preventing PHP Mail(...) Header Injections
April 22, 2011 @ 11:06:23

On the Dream In Code forums there's a recent post showing you how to prevent mail() header injections when taking user input, like from a form.

PHP's mail() function is a very useful and powerful function, even to the point that it is very easy to exploit. A way hackers exploit this function is a method called email header injection. [...] I'm sure most of you can already tell that's not going to be pretty since we didn't check the user input and so forth. PHP provides us with functions such as filter_var which will validate user input and either return false if the validation fails or return the filtered data.

He includes an example of using these filtering methods to check the user input for malicious content - validating that the "to" address is a valid email (FILTER_VALIDATE_EMAIL) and a sanitize() method that removes things like newlines, carriage returns and a few other characters.

prevent mail header injection tutorial filtervar sanitize

Artur Ejsmont's Blog:
HTTP response splitting and mail headers splitting attacks
November 15, 2010 @ 10:57:16

In a recent post to his blog Artur Ejsmont looks at an attack that could potentially leave a hole open in your PHP-based application for a cross-site scripting (XSS) attack - HTTP response splitting (mail headers too).

There are two similar security issues, both taken care of by the Suhosin patch and strict escaping/encoding rules. They both relate to injecting new lines into headers of network protocols. They are not very well known and I think it's worth mentioning them. HTTP response splitting is a web-based attack where a hacker manages to trick the server into injecting new lines into response headers along with arbitrary code. If you use GET/POST parameters in the headers like cookie or location, then someone could provide new lines with an XSS attack.

He gives some examples of how it might work via the header() function when superglobals are abused (like adding information on the URL to inject into $_GET). To prevent the attack, you just have to ensure that no special characters make it into the headers or cookies. He also mentions that the Suhosin patch takes care of the issue automatically.

http response header split example attack

Lorna Mitchell's Blog:
Missing pcre.h when installing pecl_oauth
September 27, 2010 @ 12:58:50

If you've ever come up against an error when trying to compile the pecl_oauth package (from the PECL repository), you might take a look at this new post from Lorna Mitchell on how she solved the issue and got the compile running smoothly again.

When I tried to install from PECL, it grabbed the files, ran the configure step but stopped with an error status during make. [...] Closer inspection showed this line around the point things started to go wrong: Error [...] pcre.h: No such file or directory. I didn't have the header files for pcre installed - in Ubuntu the headers are in the -dev packages.

A quick call to "aptitude" to grab and install those development libraries and she was back up and running. She's running Ubuntu, but this tip is cross-distribution - you'll just have to use the package manager (and package name) of your distribution's choice.

pecloauth install compile pecl oauth pcre header

Jozef Chuťka's Blog:
Image Caching With PHP
June 04, 2010 @ 11:33:44

Jozef Chutka was working on a Flash-based application and, in trying to optimize it, figured that he'd set up an image caching system to keep the app from having to grab the images each time. The result is shared in this post - a simple tool that relies on HTTP headers to notify the client if anything's changed.

I cannot hold all of those [requests] within the flash player cache because some of them may change, and I also want the shortest possible response times and client-server traffic reduction as well as server-side computing reduction. That's where browser caching comes into the scene. I have experimented a bit with all possible http headers to understand each browser's specifics and I came up with a solution.

He includes a snippet of code that shows how it would check the current image and send the correct headers as to whether or not it needs to be updated from the cached version the application has. This also keeps you from having random parameters in your requests because the server always assures the content is fresh.

caching image flash http header tutorial

Brian Moon's Blog:
ob_start and HTTP headers
February 01, 2010 @ 14:38:27

Brian Moon has a new post to his blog today looking at something it's common for web applications to use, ob_start, and how HTTP headers factor into why it prevents the infamous "headers already sent" message.

HTTP is the communication protocol that happens between your web server and the user's browser. Without too much detail, this is broken into two pieces of data: headers and the body. The body is the HTML you send. But, before the body is sent, the HTTP headers are sent.

He includes a sample raw HTTP response for a page and shows how the ob_start function buffers the output of the resulting page, holding back the header information until the buffer is echoed or cleaned out. There is a downside he mentions, though - there's no partial buffering built in, so it's all or nothing.

obstart http header buffer


All content copyright 2014. Powered by the Solar PHP Framework.