PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source programming language. It is especially suited for web development. The unique thing about PHP is that it serves both beginners as well as experienced developers. It has a low barrier to entry so it is easy to get started with, and at the same time, it provides advanced features offered in other programming languages.

Open-Source

It's an open-source project. Feel free to get involved.

Language Specification

PHP has a language specification.

Supported Versions

Currently, there are three supported versions: 5.6, 7.0 and 7.1.

Each release branch of PHP is fully supported for two years from its initial stable release. After this two year period of active support, each branch is then supported for an additional year for critical security issues only. Releases during this period are made on an as-needed basis: there may be multiple point releases, or none, depending on the number of reports.

Unsupported Versions

Once the three years of support are completed, the branch reaches its end of life and is no longer supported.

A table of end of life branches is available.

Issue Tracker

Bugs and other issues are tracked at https://bugs.php.net/.

Mailing Lists

Discussions about PHP development and usage are held on the PHP mailing lists.

Official Documentation

Please help to maintain or to translate the official PHP documentation.

You might use the editor at edit.php.net. Check out our guide for contributors.

Type checking

Some of the documentation regarding variables and types mentions that PHP does not use static typing. This is correct, but PHP does some type checking when it comes to function/method parameters and return values (especially with PHP 7).

You can enforce parameter and return value type-checking by using type-hinting in PHP 7 as follows:

<?php

/**
 * Juggle numbers and return true if juggling was
 * a great success.
 */
function numberJuggling(int $a, int $b) : bool
{
    $sum = $a + $b;

    return $sum % 2 === 0;
}

Note: PHP's gettype() for integers and booleans is integer and boolean respectively. But for type-hinting for such variables you need to use int and bool. Otherwise PHP won't give you a syntax error, but it will expect integer and boolean classes to be passed.

The above example throws an error in case non-numeric value is given as either the $a or $b parameter, and if the function returns something else than true or false. The above example is "loose", as in you can give a float value to $a or $b. If you wish to enforce strict types, meaning you can only input integers and not floats, add the following to the very beginning of your PHP file:

<?php
declare('strict_types=1');

Before PHP 7 functions and methods allowed type hinting for the following types:

• callable (a callable function or method)
• array (any type of array, which can contain other arrays too)
• Interfaces (Fully-Qualified-Class-Name, or FQDN)
• Classes (FQDN)

See also: Outputting the Value of a Variable

See also

• Manipulating a single array
• Executing upon an array
• Array iteration
• Processing multiple arrays together

• Make sure you have error reporting turned on to see any errors.

• If you have access to PHP's error log files, check those.

• Is the mail() command configured properly on your server? (If you are on shared hosting, you can not change anything here.)

• If E-Mails are just disappearing, start an E-Mail account with a freemail service that has a spam folder (or use a mail account that does no spam filtering at all). This way, you can see whether the E-Mail is not getting sent out, or perhaps sent out but filtered as spam.

• Did you check the "from:" address you used for possible "returned to sender" mails? You can also set up a separate bounce address for error mails.

The E-Mail I'm sending is getting filtered as spam. What should I do?

• Does the sender address ("From") belong to a domain that runs on the server you send the E-Mail from? If not, change that.

  Never use sender addresses like [email protected]. Use reply-to if you need replies to arrive at a different address.

• Is your server on a blacklist? This is a possibility when you're on shared hosting when neighbours behave badly. Most blacklist providers, like Spamhaus, have tools that allow you to look up your server's IP. There's also third party tools like MX Toolbox.

• Some installations of PHP require setting a fifth parameter to mail() to add a sender address. See whether this might be the case for you.

• If all else fails, consider using email-as-a-service such as Mailgun, SparkPost, Amazon SES, Mailjet, SendinBlue or SendGrid—to name a few—instead. They all have APIs that can be called using PHP.

Classes and Interface components

Classes may have properties, constants and methods.

• Properties hold variables in the scope of the object. They may be initialized on declaration, but only if they contain a primitive value.
• Constants must be initialized on declaration and can only contain a primitive value. Constant values are fixed at compile time and may not be assigned at run time.
• Methods must have a body, even an empty one, unless the method is declared abstract.

class Foo {
    private $foo = 'foo'; // OK
    private $baz = array(); // OK
    private $bar = new Bar(); // Error!
}

Interfaces cannot have properties, but may have constants and methods.

• Interface constants must be initialized on declaration and can only contain a primitive value. Constant values are fixed at compile time and may not be assigned at run time.
• Interface methods have no body.

interface FooBar {
    const FOO_VALUE = 'bla';
    public function doAnything();
}

Prior to PHP 5.5, you may use the compatibility pack to provide the password_* functions. It is highly recommended that you use the compatibility pack if you are able to do so.

With or without the compatibility pack, correct Bcrypt functionality through crypt() relies on PHP 5.3.7+ otherwise you must restrict passwords to ASCII-only character sets.

Note: If you use PHP 5.5 or below you're using an unsupported version of PHP which does not receive any security updates anymore. Update as soon as possible, you can update your password hashes afterwards.

Algorithm Selection

Secure algorithms

• bcrypt is your best option as long as you use key stretching to increase hash calculation time, since it makes brute force attacks extremely slow.
• argon2 is another option which will be available in PHP 7.2.

Insecure algorithms

The following hashing algorithms are insecure or unfit for purpose and therefore should not be used. They were never suited for password hashing, as they're designed for fast digests instead of slow and hard to brute force password hashes.

If you use any of them, even including salts, you should switch to one of the recommended secure algorithms as soon as possible.

Algorithms considered insecure:

• MD4 - collision attack found in 1995
• MD5 - collision attack found in 2005
• SHA-1 - collision attack demonstrated in 2015

Some algorithms can be safely used as message digest algorithm to prove authenticity, but never as password hashing algorithm:

• SHA-2
• SHA-3

Note, strong hashes such as SHA256 and SHA512 are unbroken and robust, however it is generally more secure to use bcrypt or argon2 hash functions as brute force attacks against these algorithms are much more difficult for classical computers.

$soap->requestInfo(['a', 'b', 'c']);

Issue with 32 bit PHP: In 32 bit PHP, numeric strings greater than 32 bits which are automatically cast to integer by xs:long will result in it hitting the 32 bit limit, casting it to 2147483647. To work around this, cast the strings to float before passing it in to __soapCall().

From the PHP documentation:

What are namespaces? In the broadest definition namespaces are a way of encapsulating items. This can be seen as an abstract concept in many places. For example, in any operating system directories serve to group related files, and act as a namespace for the files within them. As a concrete example, the file foo.txt can exist in both directory /home/greg and in /home/other, but two copies of foo.txt cannot co-exist in the same directory. In addition, to access the foo.txt file outside of the /home/greg directory, we must prepend the directory name to the file name using the directory separator to get /home/greg/foo.txt. This same principle extends to namespaces in the programming world.

Note that top-level namespaces PHP and php are reserved for the PHP language itself. They should not be used in any custom code.

Autoloading will only work for libraries that specify autoload information. Most libraries do and will adhere to a standard such as PSR-0 or PSR-4.

Helpful Links

• Packagist – Browse available packages (which you can install with Composer).
• Official Documentation
• Official Getting Started guide

Few Suggestions

1. Disable xdebug when running Composer.
2. Do not run Composer as root. Packages are not to be trusted.

Filename syntax

Most filenames passed to functions in this topic are:

1. Strings in nature.
   • File names can be passed directly. If values of other types are passed, they are cast to string. This is especially useful with SplFileInfo, which is the value in the iteration of DirectoryIterator.
2. Relative or absolute.
   • They may be absolute. On Unix-like systems, absolute paths start with /, e.g. /home/user/file.txt, while on Windows, absolute paths start with the drive, e.g. C:/Users/user/file.txt
   • They may also be relative, which is dependent on the value of getcwd and subject to change by chdir.
3. Accept protocols.
   • They may begin with scheme:// to specify the protocol wrapper to manage with. For example, file_get_contents("http://example.com") retrieves content from http://example.com.
4. Slash-compatible.
   • While the DIRECTORY_SEPARATOR on Windows is a backslash, and the system returns backslashes for paths by default, the developer can still use / as the directory separator. Therefore, for compatibility, developers can use / as directory separators on all systems, but be aware that the values returned by the functions (e.g. realpath) may contain backslashes.

Type hinting or type declarations are a defensive programming practice that ensures a function's parameters are of a specified type. This is particularly useful when type hinting for an interface because it allows the function to guarantee that a provided parameter will have the same methods as are required in the interface.

Passing the incorrect type to a type hinted function will lead to a fatal error:

Fatal error: Uncaught TypeError: Argument X passed to foo() must be of the type RequiredType, ProvidedType given

Full information is at Stack Overflow.

Note that functions and language constructs (e.g. print) are always evaluated first, but any return value will be used according to the above precedence/associativity rules. Special care is needed if the parentheses after a language construct are omitted. E.g. echo 2 . print 3 + 4; echo's 721: the print part evaluates 3 + 4, prints the outcome 7 and returns 1. After that, 2 is echoed, concatenated with the return value of print (1).

Constants are used to store the values that are not supposed to be changed later. They also are often used to store the configuration parameters especially those which define the environment (dev/production).

Constants have types like variables but not all types can be used to initialize a constant. Objects and resources cannot be used as values for constants at all. Arrays can be used as constants starting from PHP 5.6

Some constant names are reserved by PHP. These include true, false, null as well as many module-specific constants.

Constants are usually named using uppercase letters.

• You need to make sure that every time you process a UTF-8 string, you do so safely. This is, unfortunately, the hard part. You'll probably want to make extensive use of PHP's mbstring extension.

• PHP's built-in string operations are not by default UTF-8 safe. There are some things you can safely do with normal PHP string operations (like concatenation), but for most things you should use the equivalent mbstring function.

"PHPDoc" is a section of documentation which provides information on aspects of a "Structural Element" — PSR-5

PHPDoc annotations are comments that provide metadata about all types of structures in PHP. Many popular IDEs are configured by default to utilize PHPDoc annotations to provide code insights and identify possible problems before they arise.

While PHPDoc annotations are not part of the PHP core, they currently hold draft status with PHP-FIG as PSR-5.

All PHPDoc annotations are contained within DocBlocks that are demonstrated by a multi-line with two asterisks:

/**
 *
 */

The full PHP-FIG standards draft is available on GitHub.

Choosing between GET and POST

GET requests, are best for providing data that's needed to render the page and may be used multiple times (search queries, data filters...). They are a part of the URL, meaning that they can be bookmarked and are often reused.

POST requests on the other hand, are meant for submitting data to the server just once (contact forms, login forms...). Unlike GET, which only accepts ASCII, POST requests also allow binary data, including file uploads.

You can find a more detailed explanation of their differences here.

Request Data Vulnerabilities

Also look at: what are the vulnerabilities in direct use of GET and POST?

Retrieving data from the $_GET and $_POST superglobals without any validation is considered bad practice, and opens up methods for users to potentially access or compromise data through code and or SQL injections. Invalid data should be checked for and rejected as to prevent such attacks.

Request data should be escaped depending on how it is being used in code, as noted here and here. A few different escape functions for common data use cases can be found in this answer.

• Preventing SQL Injection with Parameterized Queries in PDO
• Prepared Statements in mysqli
• Open Web Application Security Project (OWASP)

Features

The mysqli interface has a number of benefits, the key enhancements over the mysql extension being:

• Object-oriented interface
• Support for Prepared Statements
• Support for Multiple Statements
• Support for Transactions
• Enhanced debugging capabilities
• Embedded server support

It features a dual interface: the older, procedural style and a new, object-oriented programming (OOP) style. The deprecated mysql had only a procedural interface, so the object-oriented style is often preferred. However, the new style is also favorable because of the power of OOP.

Alternatives

An alternative to the mysqli interface to access databases is the newer PHP Data Objects (PDO) interface. This features only OOP-style programming and can access more than only MySQL-type databases.

Unit tests are used for testing source code to see if it contains deals with inputs as we expect. Unit tests are supported by the majority of frameworks. There are several different PHPUnit tests and they might differ in syntax. In this example we are using PHPUnit.

Before contributing, however, it is important to understand how PHP versions are managed and released so that bug fixes and feature requests can target the correct PHP version. The developed changes can be submitted as a pull request to the PHP Github repository. Useful information for developers can be found on the "Get Involved" section of the PHP.net site and the #externals forum.

Contributing with Bug Fixes

For those looking to begin contributing to the core, it's generally easier to start with bug fixing. This helps to gain familiarity with PHP's internals before attempting to make more complex modifications to the core that a feature would require.

With respect to the version management process, bug fixes should target the lowest affected, whilst still supported PHP version. It's this version that bug fixing pull requests should target. From there, an internals member can merge the fix into the correct branch and then merge it upwards to later PHP versions as necessary.

For those looking to get started on resolving bugs, a list of bug reports can be found at bugs.php.net.

Contributing with Feature Additions

PHP follows an RFC process when introducing new features and making important changes to the language. RFCs are voted on by members of php.net, and must achieve either a simple majority (50% + 1) or a super majority (2/3 + 1) of the total votes. A super majority is required if the change affects the language itself (such as introducing a new syntax), otherwise only a simple majority is required.

Before RFCs can be put to vote, they must undergo a discussion period of at least 2 weeks on the official PHP mailing list. Once this period has finished, and there are no open issues with the RFC, it can then be moved into voting, which must last at least 1 week.

If a user would like to revive a previously rejected RFC, then they can do so only under one of the following two circumstances:

• 6 months has passed from the previous vote
• The author(s) make substantial enough changes to the RFC that would likely affect the outcome of the vote should the RFC be put to vote again.

The people who have the privilege to vote will either be contributors to PHP itself (and so have php.net accounts), or be representatives of the PHP community. These representatives are chosen by those with php.net accounts, and will either be lead developers of PHP-based projects or regular participants to internals discussions.

When submitting new ideas for proposal, it is almost always required for the proposer to write, at the very least, a proof-of-concept patch. This is because without an implementation, the suggestion simply becomes another feature request that is unlikely to be fulfilled in the near future.

A thorough how-to of this process can be found at the official How To Create an RFC page.

Releases

Major PHP versions have no set release cycle, and so they may be released at the discretion of the internals team (whenever they see fit for a new major release). Minor versions, on the other hand, are released annually.

Prior to every release in PHP (major, minor, or patch), a series of release candidates (RCs) are made available. PHP does not use an RC as other projects do (i.e. if an RC has not problems found with it, then make it as the next final release). Instead, it uses them as a form of final betas, where typically a set number of RCs are decided before the final release is made.

Versioning

PHP generally attempts to follow semantic versioning where possible. As such, backwards compatibility (BC) should be maintained in minor and patch versions of the language. Features and changes that preserve BC should target minor versions (not patch versions). If a feature or change has the potential to break BC, then they should aim to target the next major PHP version (X.y.z) instead.

Each minor PHP version (x.Y.z) has two years of general support (so-called "active support") for all types of bug fixes. An additional year on top of that is added for security support, where only security-related fixes are applied. After the three years is up, support for that version of PHP is dropped completely. A list of currently supported PHP versions can be found at php.net.

The SQLSRV extension requires that the Microsoft SQL Server 2012 Native Client be installed on the same computer that is running PHP. If the Microsoft SQL Server 2012 Native Client is not already installed, click the appropriate link at the "Requirements" documentation page.

To download the latest SQLSRV drivers, go to the following: Download

A full list of system requirements for the SQLSRV Drivers can be found here: System Requirements

Those using SQLSRV 3.1+ must download the Microsoft ODBC Driver 11 for SQL Server

PHP7 users can download the latest drivers from GitHub

Microsoft® ODBC Driver 13 for SQL Server supports Microsoft SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, SQL Server 2014, SQL Server 2016 (Preview), Analytics Platform System, Azure SQL Database and Azure SQL Data Warehouse.

composer require php-ai/php-ml

The github repository for the same can be found here.

Also it is worth noting that the examples given are very small data-set only for the purpose of demonstration. The actual data-set should be more comprehensive than that.

Installation

You can install memcache using pecl

pecl install memcache

or any other resource available via PHP's stream wrappers.

Examples of available stream wrappers (schemes):

• file:// — Accessing local filesystem
• http:// — Accessing HTTP(s) URLs
• ftp:// — Accessing FTP(s) URLs
• php:// — Accessing various I/O streams
• phar:// — PHP Archive
• ssh2:// — Secure Shell 2
• ogg:// — Audio streams

The scheme (origin) is the identifier of the stream's wrapper. For example, for the file system this is file://. The target is the stream's data source, for example the file name.

Comparison of methods to iterate an array

Warning Do not miss to check for exceptions while using lastInsertId(). It can throw the following error:

SQLSTATE IM001 : Driver does not support this function

Here is how you should properly check for exceptions using this method :

// Retrieving the last inserted id
$id = null;

try {
    $id = $pdo->lastInsertId(); // return value is an integer    
}
catch( PDOException $e ) {
    echo $e->getMessage();
}

• echo - Outputs one or more strings
• print - Outputs a string and returns 1 (always)
• printf - Outputs a formatted string and returns the length of the outputted string
• sprintf - Formats a string and returns the formatted string
• print_r - Outputs or returns content of the argument as a human-readable string
• var_dump - Outputs human-readable debugging information about the content of the argument(s) including its type and value
• var_export - Outputs or returns a string rendering of the variable as valid PHP code, which can be used to recreate the value.

Note: When trying to output an object as a string, PHP will try to convert it into a string (by calling __toString() - if the object has such a method). If unavailable, an error similar to Object of class [CLASS] could not be converted to string will be shown. In this case, you'll have to inspect the object further, see: outputting-a-structured-view-of-arrays-and-objects.

• You should always write your code as if comments didn't exist, using well chosen variable and function names.
• Comments are meant to communicate to other human beings, not to repeat what is written in the code.
• Various php commenting style guides exist (e.g. pear, zend, etc). Find out which one your company uses and use it consistently!

This document assumes that docker is installed and the daemon running. You can refer to Docker installation to check on how to install the same.