Can $ _SERVER ['SERVER_PROTOCOL'] be entered?

Question

Can $ _SERVER ['SERVER_PROTOCOL'] be entered?

I am running a PHP site using Apache + mod_fastcgi. An error occurred in the Apache error log:

malformed header from script 'ajax.php': Bad header: /;ls -la HTTP/1.0 400 Bad Requ

Here is just a snippet of code in ajax.php that sends the header:

if(!isset($_POST['action'])) {
    header ($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
    exit;
}

So where did the /;ls -lathing come from ? Can SERVER_PROTOCOL be entered in any way?

+4

php

Camaross May 18, '15 at 13:54

source share

1 answer

Joe · Answer 1 · 2015-05-21T09:29:15+0000

There are two special case header calls. The first is a header that starts with the string "HTTP /" (the case does not matter), which will be used to determine the HTTP status code to send. (from PHP header documentation )

The correct (and safe) way to send the status code as above is as follows:

header('HTTP/1.1 400 Bad Request');

HTTP/1.0 HTTP/1.1, .

Can $ _SERVER ['SERVER_PROTOCOL'] be entered?

More articles: