your Web server. If you must allow this, pass the information through the
escapeshellcmd function first.
<?php
// list files in directory
print("<PRE>");
system("ls -l");
print("</PRE>");
?>
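The same listing with the directory name taken from the request, as an added example that is not code from the original text. It assumes the information being passed to the command is request data; BASE_DIR, the "dir" parameter and build_listing_command are hypothetical names. Because the value is a single argument, it uses escapeshellarg, the per-argument counterpart of escapeshellcmd.

```php
<?php
// Added example. BASE_DIR and the "dir" request parameter are assumptions.
const BASE_DIR = '/var/www/files';

// Return the command line for a requested subdirectory, or null when the
// request does not resolve to a directory inside BASE_DIR.
function build_listing_command(string $requested): ?string
{
    $base = realpath(BASE_DIR);
    // realpath() resolves ".." and symlinks, so the prefix test below
    // compares canonical paths.
    $path = realpath(BASE_DIR . '/' . $requested);
    if ($base === false || $path === false || !is_dir($path)) {
        return null;
    }
    if ($path !== $base && strpos($path, $base . '/') !== 0) {
        return null;
    }
    // escapeshellarg() quotes the value as a single argument; "--" keeps
    // ls from reading a name that begins with "-" as an option.
    return 'ls -l -- ' . escapeshellarg($path);
}

$dir = $_GET['dir'] ?? '';
$requested = is_string($dir) ? $dir : '';
$command = build_listing_command($requested);
if ($command === null) {
    http_response_code(400);
    print("Invalid directory");
    exit;
}

// exec() collects the output so it can be HTML-escaped before printing;
// system() would send file names to the browser unescaped.
$lines = [];
exec($command, $lines);
print("<PRE>");
print(htmlspecialchars(implode("\n", $lines)));
print("</PRE>");
?>
```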
HTTP Headers
HTTP headers are special commands sent between the browser and Web server before
the browser receives any content. Some of the headers let the server know which file the
browser wants. Others may instruct the browser about the type of file it will soon be sent.
To learn more about headers, refer to the HTTP specification that was originally
described in RFC 1945. It and other documents may be found at the W3C site, which has
a section devoted to the HTTP protocol (http://www.w3.org/Protocols/). For an
overview of how headers work with PHP, turn back to Chapter 7.
boolean header(string http_header)
The header function sends an HTTP header to the browser. It must be called before any
output is sent to the browser, inside or outside PHP tags. You may wish to turn back to
the description of HTTP connections in Chapter 7. Many different kinds of headers may
be sent. Perhaps the most common is a location header, which redirects the browser to
another URI.
Each time you call header, it is pushed onto a stack. If you are unfamiliar with the
concept of a stack, think of it as a list of items placed one on top of another. When your
script gets to the point of sending content to the browser, headers are pulled from the
stack one at a time. This means headers are sent to the browser in reverse order.
Headers are also used to send cookies, but PHP's setcookie function is better suited for
this purpose.
One common trick the header function provides is sending a user to another page, as
demonstrated in the example below. Another is to force the browser to either download
the file or display it in an OLE container. This is done by setting the Content-type
header, which PHP defaults to text/html. Sending a value of application/octet-stream
will cause most browsers to prompt the user for where to save the file. You can
also use other MIME types to get the browser to run a helper application. For example, if
you use application/vnd.ms-excel, a Windows machine with Microsoft Excel
installed will launch Excel in an OLE container inside the browser window. In this case
you don't need to send an actual Excel file. A simple tab-delimited file will be interpreted
correctly.