Basic JSON/JSON-P service in PHP

jsonp.php

<?php

// Prevent content sniffing attacks such as http://mths.be/bst.
header('X-Content-Type-Options: nosniff');

// Note: The user-provided callback name must be filtered to prevent attack
// vectors. This script simply removes any symbols other than `[a-zA-Z0-9$_]`
// from the input. Sadly, this blocks the use of some valid JavaScript
// identifiers, and also accepts a few invalid ones. See
// http://mathiasbynens.be/notes/javascript-identifiers for details.
// The callback name is prefixed with an empty multi-line comment (`/**/`) to
// prevent content sniffing attacks in browsers without `nosniff` support.
$callback = isset($_GET['callback'])
	? '/**/' . preg_replace('/[^a-zA-Z0-9$_.]/s', '', $_GET['callback'])
	: false;

// Send the appropriate MIME type: JSON or JSON-P/JavaScript?
header('Content-Type: ' .
	($callback ? 'application/javascript' : 'application/json') .
	';charset=UTF-8');

// There’s no reason not to allow CORS for public APIs.
// See http://annevankesteren.nl/2012/12/cors-101 for details.
header('Access-Control-Allow-Origin: *');

// Your data goes here. It’s recommended to always use an associative array
// here, so that the resulting JSON represents a non-array object, as this
// prevents JSON hijacking attacks. See http://mths.be/bss for details.
$data = array('some-key' => 'some-value');

// Output the end result.
echo ($callback ? $callback . '(' : '') .
	json_encode($data, JSON_UNESCAPED_SLASHES) . // ≥ PHP 5.4.0
	($callback ? ')' : '');

?>