How to validate HTTP_ACCEPT_LANGUAGE?

Question

Since the script gets $_SERVER['HTTP_ACCEPT_LANGUAGE'] from the visitor it could be anything. So how can I validate it? What is acceptable?

To get the first language inside the string I use:

substr($_SERVER["HTTP_ACCEPT_LANGUAGE"],0,2)

Answer 1

For example

$user_lang= split(",",$_SERVER["HTTP_ACCEPT_LANGUAGE"]);
$language = $user_lang[0];

// header injection.
if(stripos($language, 'Content-Type') !== FALSE ) { exit; }