Friday, September 25, 2009

PHP5: Sending headers

HTTP headers can be sent only before any other output. It is a simple requirement, yet it is funny how big an impact it can have on application architecture and how many tricky questions can be asked about it. Here is one from the Zend PHP 5 Certification Mock Exam.

You will find the correct answer in bold.

One can ensure that headers can always be sent from a PHP script by doing what?
  • Enable header buffering in PHP 5
  • Set the header.force INI directive to true
  • Enable output buffering in PHP 5
  • There is no way to ensure that headers can always be set, they must always be checked
  • None of the above

The header documentation page says: "As of PHP 4, you can use output buffering to get around this problem". That obviously makes sense, unlike the header buffering suggested by the first answer. Header buffering would not help because the troublemaker here is premature output.
According to the PHP manual there is no such directive as header.force, and one would not make much sense anyway, which rules out the second answer.
The third one has some potential but is not correct - output buffering has been available since PHP 4.
And as output buffering seems to combat the problem successfully, the fourth answer is there only to trick you.
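
The behaviour discussed above, as an added example that is not part of the original post: with output buffering on, a header can still be sent after the script has produced output, and `headers_sent()` reports where output began once it is too late. The helper name `send_header_checked` and the two response headers used are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Send a header, or log where output started if it is already too late.
 * send_header_checked() is a hypothetical helper, not a PHP built-in.
 */
function send_header_checked(string $header): bool
{
    // headers_sent() fills $file and $line with the place output began.
    if (headers_sent($file, $line)) {
        error_log("Cannot send '$header': output started at $file:$line");
        return false;
    }
    header($header);
    return true;
}

// Case 1: output buffering on. The echo is held in the buffer,
// nothing has reached the client, so the header is still accepted.
ob_start();
echo "<p>body generated before the header call</p>\n";
$buffered = send_header_checked('X-Frame-Options: DENY');

// Flush every buffer level (php.ini may have opened one as well).
// Headers go out first, then the buffered body.
while (ob_get_level() > 0) {
    ob_end_flush();
}

// Case 2: no buffering. This echo is written immediately, which
// commits the headers; the later header call is rejected.
echo "<p>unbuffered output</p>\n";
$late = send_header_checked('X-Content-Type-Options: nosniff');

var_dump($buffered); // bool(true)
var_dump($late);     // bool(false)
```

A bounded buffer (an `output_buffering` INI value such as 4096, or a chunk size passed to `ob_start()`) flushes once it fills, after which headers can no longer be sent, so the `headers_sent()` check is still worth keeping.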

3 comments:

  1. Are you sure?

    Of course output buffering is available since PHP4, but answer 3 still is correct, since it does not say that you can not do it in PHP4?

    I'm still looking for the third answer to "When working with a database, which of the following can be used to mitigate the possibility of exposing your database credentials to a malicious user?" (choose 3)

    [ ] Moving all database credentials into a single file
    [x] Moving all database credentials outside of the document root
    [x] Restricting access to files not designed to be executed independently
    [ ] Setting credential information as system environment variables
    [ ] Using PHP constants instead of variables to store credentials

    2 and 3 are fairly clear, but what is the third option?

  2. Hi Balu, I just found the answer to your question. I believe the correct answers should be B, C and D, as can be seen here: http://phpsec.org/projects/guide/3.html .

    I hope this helps.

  3. [x] Setting credential information as system environment variables

    That is your third answer, Balu.

    Thanks for the main post - very helpful.
