Same name and namespace in other branches
  1. 4.6.x includes/common.inc \drupal_set_header()
  2. 4.7.x includes/common.inc \drupal_set_header()
  3. 5.x includes/common.inc \drupal_set_header()

Set an HTTP response header for the current page.

Note: When sending a Content-Type header, always include a 'charset' parameter, too. This is necessary to avoid security bugs (e.g. UTF-7 XSS).

Note: No special sanitizing needs to be done to headers. However, if a header value contains a line break, a PHP warning will be thrown and the header will not be set.

15 calls to drupal_set_header()
blogapi_rsd in modules/blogapi/blogapi.module
drupal_access_denied in includes/common.inc
Generates a 403 error if the request is not allowed.
drupal_get_headers in includes/common.inc
Get the HTTP response headers for the current page.
drupal_json in includes/common.inc
Return data in JSON format.
drupal_not_found in includes/common.inc
Generates a 404 error if the request cannot be handled.


File

includes/common.inc, line 150
Common functions that many Drupal modules will need to reference.

Code

function drupal_set_header($header = NULL) {
  // We use an array to guarantee there are no leading or trailing delimiters.
  // Otherwise, header('') could get called when serving the page later, which
  // ends HTTP headers prematurely on some PHP versions.
  static $stored_headers = array();

  if (strlen($header)) {
    // Protect against header injection attacks if PHP is too old to do that.
    if (version_compare(PHP_VERSION, '5.1.2', '<') && (strpos($header, "\n") !== FALSE || strpos($header, "\r") !== FALSE)) {
      // Use the same warning message that newer versions of PHP use.
      trigger_error('Header may not contain more than a single header, new line detected', E_USER_WARNING);
    }
    else {
      header($header);
      $stored_headers[] = $header;
    }
  }
  return implode("\n", $stored_headers);
}
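
The two notes above and the line-break check in the function body can be applied as a stand-alone pre-flight check on header strings before they reach drupal_set_header(). This is an added example, not Drupal core code: example_header_problems() is a hypothetical helper and the sample headers are constructed for illustration.

```php
<?php
// Added example, not part of Drupal. example_header_problems() is a
// hypothetical helper name; it only inspects strings and never calls header().

/**
 * Return the reasons a header string would be refused or would be unsafe.
 */
function example_header_problems($header) {
  $problems = array();

  // Same test drupal_set_header() applies on PHP < 5.1.2, and that newer PHP
  // applies itself: a CR or LF means the string carries more than one header.
  if (strpos($header, "\n") !== FALSE || strpos($header, "\r") !== FALSE) {
    $problems[] = 'line break found, header will not be set';
  }

  // The page's rule: every Content-Type header carries an explicit charset,
  // so the browser never has to guess the encoding (the UTF-7 XSS case).
  if (preg_match('/^Content-Type\s*:/i', $header)
      && !preg_match('/;\s*charset\s*=\s*[^\s;]+/i', $header)) {
    $problems[] = 'Content-Type without charset';
  }

  return $problems;
}

// Constructed sample input: a file name as it might arrive from a request.
$untrusted_name = "report.csv\r\nX-Injected: 1";

// Constructed sample headers.
$samples = array(
  'Content-Type: text/html; charset=utf-8',
  'Content-Type: text/html',
  'Content-Disposition: attachment; filename="' . $untrusted_name . '"',
);

foreach ($samples as $header) {
  $problems = example_header_problems($header);
  // Make CR and LF visible in the printed report.
  $shown = str_replace(array("\r", "\n"), array('\r', '\n'), $header);
  echo $shown, ' => ', $problems ? implode('; ', $problems) : 'ok', "\n";
}
```

A caller that gets a non-empty result for a header built from request data should reject the input, because the header would otherwise be silently missing from the response.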