tags:

views:

55

answers:

2

The HTTP/1.1 RFC stipulates "The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response." I know Apache honors the RFC but modules don't have to. My question is, does mod_php5 honor this?

The reason I ask is because I just came across an article saying that PHP developers should check this themselves with:

    if (stripos($_SERVER['REQUEST_METHOD'], 'HEAD') !== FALSE) {
        exit();
    }

I googled a second and not much turned up, other than some people saying they try to strange things like mod_rewrite/redirect after getting HEAD requests and some old bug ticket from like 2002 claiming that mod_php still executed the rest of the script by default. So I just ran a quick test by using PECL::HTTP to run

    http_head('http://mysite.com/test-head-request.php');

while having:

    <?php error_log('REST OF SCRIPT STILL RAN'); ?>

in test-head-request.php to see if the rest of the script still executed, and it didn't.

I figure that should be enough to settle it, but want to get more feedback and maybe help clear up confusion for anyone else who has wondered about this. So if anyone knows off the top of their head (no pun intended) - or have any conventions they use for receiving HEAD requests, that'd be great. Otherwise, I'll grep the C source later and respond in a comment with my findings. Thanks.

A: 

I just did a quick test with a PHP file, temp.php, which contains this portion of code :

<?php

echo "Hello, World!\n";

die;


Sending an HTTP GET request to that file gets me the content of the page :

$ telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /temp/temp.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Thu, 08 Apr 2010 20:17:35 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: PHP/5.3.2RC2
Vary: Accept-Encoding
Content-Length: 14
Content-Type: text/html

Hello, World!


While sending an HTTP HEAD request doesn't :

$ telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD /temp/temp.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Thu, 08 Apr 2010 20:17:50 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: PHP/5.3.2RC2
Vary: Accept-Encoding
Content-Type: text/html


Not sure this is always true, though...

I remember a situation (some time ago ; was PHP 5.1) in which I've had to test myself, in the PHP code, if I was getting a GET or a HEAD request.



EDIT : After an additionnal test

I just did another test : my temp.php file now contains this :

<?php

file_put_contents('/tmp/a.txt', $_SERVER['REQUEST_METHOD'], FILE_APPEND);
var_dump($_SERVER['REQUEST_METHOD']);

die;

Sending an HTTP HEAD request, I get this :

$ telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD /temp/temp.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Thu, 08 Apr 2010 20:21:30 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: PHP/5.3.2RC2
Vary: Accept-Encoding
Content-Type: text/html

Connection closed by foreign host.

Here, no output.

BUT, looking at the /tmp/a.txt file :

$ cat /tmp/a.txt 
HEAD

So : no output sent by the server doesn't mean that there is nothing done ;-)

Pascal MARTIN
Sorry, I should have been more clear... I was more concerned with if any embedded PHP code in the HTML body would still be parsed. See my comment on webbiedave's answer. Thanks
rkulla
+2  A: 

The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response.

That is why the check should not be performed. Clients should have confidence that HEAD requests process just the same as if a GET was issued (database connection, processing, etc...).

Addendum:

When performing

HEAD /test.php?a=3 HTTP/1.1
Host: somesite.com

PHP will still fill $_GET (and $_REQUEST) with the variables placed in the query string even though it was not a GET request. This allows compliance with the HEAD definition.

webbiedave
Yeah, if you put header('Foo: '.$_GET['header']); error_log('test'); at the top of the script it returns that header/value and logs. If you put that code in an output buffer in the HTML body neither gets ran. So PHP seems to not only not return the message-body, it doesn't even process it. I'll just continue to exit; after all my header() calls. Thanks
rkulla
Glad I could help.
webbiedave