The Heat Index Of Questions About PHP

PHP (Hypertext Pre-processor) is a popular server-side scripting language mainly used for developing websites and web applications. It can be used to build either static or dynamic websites. It is very simple and easy to learn. So, today we will be checking out the 11 most frequently asked questions about PHP. 11 Most Asked Questions About PHP 1. How to prevent SQL injection in PHP? Answer: Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL. You basically have two options to achieve this: i. Using (for any supported database driver): PDO $stmt = $pdo->prepare( ); $stmt->execute([ => $name ]); foreach ($stmt $row) { } 'SELECT * FROM employees WHERE name = :name' 'name' as // Do something with $row ii. Using (for MySQL): MySQLi $stmt = $dbConnection->prepare( ); $stmt->bind_param( , $name); $stmt->execute(); $result = $stmt->get_result(); ($row = $result->fetch_assoc()) { } 'SELECT * FROM employees WHERE name = ?' 's' // 's' specifies the variable type => 'string' while // Do something with $row If you’re connecting to a database other than MySQL, there is a driver-specific second option that you can refer to (for example, and for PostgreSQL). PDO is the universal option. pg_prepare() pg_execute() Correctly setting up the connection Note that when using to access a MySQL database prepared statements are . To fix this you have to disable the emulation of prepared statements. An example of creating a connection using PDO is: PDO real not used by default $dbConnection = PDO( , , ); $dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, ); $dbConnection->setAttribute(PDO::ATTR_ERRMODE, ::ERRMODE_EXCEPTION); new 'mysql:dbname=dbtest;host=127.0.0.1;charset=utf8' 'user' 'password' false PDO In the above example the error mode isn’t strictly necessary, . This way the script will not stop with a when something goes wrong. And it gives the developer the chance to any error(s) which are as but it is advised to add it Fatal Error catch thrown PDOExceptions. What is , however, is the first line, which tells PDO to disable emulated prepared statements and use prepared statements. This makes sure the statement and the values aren’t parsed by PHP before sending it to the MySQL server (giving a possible attacker no chance to inject malicious SQL). mandatory setAttribute() real Although you can set the in the options of the constructor, it’s important to note that ‘older’ versions of PHP (before 5.3.6) in the DSN. charset silently ignored the charset parameter Explanation The SQL statement you pass to is parsed and compiled by the database server. By specifying parameters (either a or a named parameter like in the example above) you tell the database engine where you want to filter on. Then when you call , the prepared statement is combined with the parameter values you specify. prepare ? :name execute The important thing here is that the parameter values are combined with the compiled statement, not an SQL string. SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters, you limit the risk of ending up with something you didn’t intend. Any parameters you send when using a prepared statement will just be treated as strings (although the database engine may do some optimization so parameters may end up as numbers too, of course). In the example above, if the variable contains the result would simply be a search for the string , and you will not end up with . $name 'Sarah'; DELETE FROM employees "'Sarah'; DELETE FROM employees" an empty table Another benefit of using prepared statements is that if you execute the same statement many times in the same session it will only be parsed and compiled once, giving you some speed gains. Oh, and about how to do it for an insert, here’s an example (using PDO): $preparedStatement = $db->prepare( ); $preparedStatement->execute([ => $unsafeValue ]); 'INSERT INTO table (column) VALUES (:column)' 'column' Can prepared statements be used for dynamic queries? While you can still use prepared statements for the query parameters, the structure of the dynamic query itself cannot be parametrized and certain query features cannot be parametrized. For these specific scenarios, the best thing to do is use a whitelist filter that restricts the possible values. (empty($dir) || $dir !== ) { $dir = ; } // Value whitelist // $dir can only be 'DESC', otherwise it will be 'ASC' if 'DESC' 'ASC' How to check if a string contains a specific word? 2. Answer: You can use the function which is used to find the occurrence of one string inside another one: strpos() $a = ; (strpos($a, ) !== ) { echo ; } 'How are you?' if 'are' false 'true' Note that the use of false is deliberate (neither nor will return the desired result); returns either the offset at which the needle string begins in the haystack string, or the boolean if the needle isn’t found. Since 0 is a valid offset and 0 is “falsey”, we can’t use simpler constructs like . !== != false === true strpos() false !strpos($a, 'are') Alternative Answer: You could use regular expressions, it’s better for word matching compared to strpos as it will also return true for strings such as fare, care, stare, etc. This can simply be avoided in regular expression by using word boundaries. A simple match for are could look something like this: $a = ; (preg_match( , $a)) { echo ; } 'How are you?' if '/\bare\b/' 'true' On the performance side, is about three times faster and have in mind, when we did one million compares at once, it took 1.5 seconds to finish and for it took 0.5 seconds. strpos preg_match strpos In order to search any part of the string, not just word by word, we would recommend using a regular expression like $a = ; $search = ; (preg_match( , $a)) { echo ; } 'How are you?' 'are y' if "/{$search}/i" 'true' The at the end of regular expression changes regular expression to be case-insensitive, if you do not want that, you can leave it out. i Now, this can be quite problematic in some cases as the $search string isn’t sanitized in any way, meaning, it might not pass the check-in some cases as if is a user input they can add some string that might behave like some different regular expression.Also, here’s a great tool for testing and seeing explanations of various regular expressions . $search Regex101 To combine both sets of functionality into a single multi-purpose function (including with selectable case sensitivity), you could use something like this: { (strtoupper($word)== ) { (preg_match( , $haystack)) { ; } } { (preg_match( , $haystack)) { ; } } ; } ( ) function FindString $needle,$haystack,$i,$word // $i should be "" or "i" for case insensitive if "W" // if $word is "W" then word search instead of string in string search. if "/\b{$needle}\b/{$i}" return true else if "/{$needle}/{$i}" return true return false // Put quotes around true and false above to return them as strings instead of as bools/ints. 3. Why not to use mysql_* functions in PHP? Answer: The MySQL extension: 1. Is not under active development 2. Is as of PHP 5.5 (released June 2013). officially deprecated 3. Has been as of PHP 7.0 (released December 2015) removed entirely This means that as of it does not exist in any supported version of PHP. If you are using a version of PHP which supports it, you are using a version that doesn’t get security problems fixed. 31 Dec 2018 4. Lacks an OO interface 5. Doesn’t support: Non-blocking, asynchronous queries Prepared statements or parameterized queries Stored procedures Multiple Statements Transactions The “new” password authentication method (on by default in MySQL 5.6; required in 5.7) Any of the new functionality in MySQL 5.1 or later Since it is deprecated, using it makes your code less future proof. Lack of support for prepared statements is particularly important as they provide a clearer, less error-prone method of escaping and quoting external data than manually escaping it with a separate function call. See . the comparison of SQL extensions 4. How to delete an element from an array in PHP? Answer: There are different ways to delete an array element, where some are more useful for some specific tasks than others. Delete one array element If you want to delete just one array element you can use or alternatively . Also if you have the value and don’t know the key to delete the element you can use to get the key. unset() \array_splice() \array_search() i. unset() Note that when you use the array keys won’t change/reindex. If you want to reindex the keys you can use after which will convert all keys to numerical enumerated keys starting from 0. unset() \array_values() unset() Code $array = [ => , => , => ]; ($array[ ]); Output [ [ ] => a [ ] => c ] 0 2 ii. \array_splice() method If you use the keys will be automatically reindexed, but the associative keys won’t change as opposed to which will convert all keys to numerical keys.Also needs the offset, not the key! as the second parameter. \array_splice() \array_values() \array_splice() Code , => , => ]; \array_splice($array, , ); ?> 0 "a" 1 "b" 2 "c" 1 1 //↑ Offset which you want to delete Output [ [ ] => a [ ] => c ] 0 1 same as take the array by reference, and this means you don’t want to assign the return values of those functions back to the array. array_splice() unset() Delete multiple array elements If you want to delete multiple array elements and don’t want to call or multiple times you can use the functions or depending on if you know the values or the keys of the elements which you want to delete. unset() \array_splice() \array_diff() \array_diff_key() i. \array_diff() method If you know the values of the array elements which you want to delete, then you can use . As before with it won’t change/reindex the keys of the array. \array_diff() unset() Code $array = [ => , => , => ]; $array = \array_diff($array, [ , ]); Output [ [ ] => b ] 1 ii. \array_diff_key() method If you know the keys of the elements which you want to delete, then you want to use . Here you have to make sure you pass the keys as keys in the second parameter and not as values. Otherwise, you have to flip the array with . And also here the keys won’t change/reindex. \array_diff_key() \array_flip() Code $array = [ => , => , => ]; $array = \array_diff_key($array, [ => , => ]); Output [ [ ] => b ] 1 Also if you want to use or to delete multiple elements with the same value you can use to get all the keys for a specific value and then delete all elements. unset() \array_splice() \array_keys() 5. Is there any way to use PHP and cURL to get the associated thumbnail from the YouTube API? Answer: Each YouTube video has four generated images. They are predictably formatted as follows: https: https: https: https: //img.youtube.com/vi/ /0.jpg //img.youtube.com/vi/ /1.jpg //img.youtube.com/vi/ /2.jpg //img.youtube.com/vi/ /3.jpg The first one in the list is a full-size image and others are thumbnail images. The default thumbnail image (i.e., one of , , ) is: 1.jpg 2.jpg 3.jpg https: //img.youtube.com/vi/ /default.jpg For the high-quality version of the thumbnail use a URL similar to this: https: //img.youtube.com/vi/ /hqdefault.jpg There is also a medium quality version of the thumbnail, using a URL similar to the HQ: https: //img.youtube.com/vi/ /mqdefault.jpg For the standard definition version of the thumbnail, use a URL similar to this: https: //img.youtube.com/vi/ /mqdefault.jpg For the maximum resolution version of the thumbnail use a URL similar to this: https: //img.youtube.com/vi/ /maxresdefault.jpg All of the above URLs are available over HTTP too. Additionally, the slightly shorter hostname works in place of in the example URLs above. i3.ytimg.com img.youtube.com Alternatively, you can use the to get thumbnail images. YouTube Data API (v3) Alternative Answer: You can use to retrieve video thumbnails, caption, description, rating, statistics, and more. API version 3 requires a key*. Obtain the key and create a request: YouTube Data API videos: list https: //www.googleapis.com/youtube/v3/videos?key=YOUR_API_KEY&part=snippet&id=VIDEO_ID Example PHP Code $data = file_get_contents( ); $json = json_decode($data); var_dump($json->items[ ]->snippet->thumbnails); "https://www.googleapis.com/youtube/v3/videos?key=YOUR_API_KEY&part=snippet&id=T0Jqdjbed40" 0 Output object(stdClass)# ( ) { [ ]=> object(stdClass)# ( ) { [ ]=> string( ) [ ]=> int( ) [ ]=> int( ) } [ ]=> object(stdClass)# ( ) { [ ]=> string( ) [ ]=> int( ) [ ]=> int( ) } [ ]=> object(stdClass)# ( ) { [ ]=> string( ) [ ]=> int( ) [ ]=> int( ) } [ ]=> object(stdClass)# ( ) { [ ]=> string( ) [ ]=> int( ) [ ]=> int( ) } [ ]=> object(stdClass)# ( ) { [ ]=> string( ) [ ]=> int( ) [ ]=> int( ) } } 5 5 "default" 6 3 "url" 46 "https://i.ytimg.com/vi/T0Jqdjbed40/default.jpg" "width" 120 "height" 90 "medium" 7 3 "url" 48 "https://i.ytimg.com/vi/T0Jqdjbed40/mqdefault.jpg" "width" 320 "height" 180 "high" 8 3 "url" 48 "https://i.ytimg.com/vi/T0Jqdjbed40/hqdefault.jpg" "width" 480 "height" 360 "standard" 9 3 "url" 48 "https://i.ytimg.com/vi/T0Jqdjbed40/sddefault.jpg" "width" 640 "height" 480 "maxres" 10 3 "url" 52 "https://i.ytimg.com/vi/T0Jqdjbed40/maxresdefault.jpg" "width" 1280 "height" 720 Not only that you need a key, you might be asked for billing information depending on the number of API requests you plan to make. However, a few million requests per day are free. . Source article 6. When to use self over $this? Answer: Use to refer to the current object. Use to refer to the current class. In other words, use for non-static members, use for static members. $this self $this->member self::$member Here is an example of usage of and for non-static and static member variables: correct $this self non_static_member . . self::$static_member; } } X(); ?> class X 1 static 2 ( ) function __construct this ' ' new Here is an example of usage of and for non-static and static member variables: incorrect $this self static_member; } } X(); ?> class X 1 static 2 ( ) function __construct ' ' this new Here is an example of with for member functions: polymorphism $this foo(); } } { { echo ; } } $x = Y(); $x->bar(); ?> class X ( ) function foo 'X::foo()' ( ) function bar this class Y extends X ( ) function foo 'Y::foo()' new Here is an example of by using for member functions: suppressing polymorphic behavior self bar(); ?> class X ( ) function foo 'X::foo()' ( ) function bar class Y extends X ( ) function foo 'Y::foo()' new The idea is that calls the member function of whatever is the exact type of the current object. If the object is of , it thus calls . If the object is of , it calls . But with , is always called. $this->foo() foo() type X X::foo() type Y Y::foo() self::foo() X::foo() From : http://www.phpbuilder.com/board/showthread.php?t=10354489 By http://board.phpbuilder.com/member.php?145249-laserlight Alternative Answer: The keyword self does refer merely to the ‘current class’, at least not in a way that restricts you to static members. Within the context of a non-static member, also provides a way of bypassing the vtable ( ) for the current object. Just as you can use to call the parents version of a function, so you can call to call the current classes implementation of a method. NOT self see wiki on vtable parent::methodName() self::methodName() { private $name; public { $ ->name = $name; } public { $ ->name; } public { $ ->getName(). ; } public { echo .$ ->getTitle(). ; } public { echo .self::getTitle(). ; } } { public { parent::__construct($name); } public { $ ->getName(). ; } } $geekObj = Geek( ); $geekObj->sayHello(); $geekObj->sayGoodbye(); class Person ( ) function __construct $name this ( ) function getName return this ( ) function getTitle return this " the person" ( ) function sayHello "Hello, I'm " this " " ( ) function sayGoodbye "Goodbye from " " " class Geek extends Person ( ) function __construct $name ( ) function getTitle return this " the geek" new "Ludwig" This will output: Hello, I’m Ludwig the geek Goodbye from Ludwig the person uses the pointer, so the vtable is invoked to call . uses , so the vtable is not used and is called. In both cases, we are dealing with the method of an instantiated object, and have access to the pointer within the called functions. sayHello() $this Geek::getTitle() sayGoodbye() self::getTitle() Person::getTitle() $this 7. How to get PHP errors to display? Answer: You can do as following: ini_set( , ); ini_set( , ); error_reporting(E_ALL); 'display_errors' '1' 'display_startup_errors' '1' However, this doesn’t make PHP to show parse errors – the only way to show those errors is to modify your php.ini with this line: display_errors = on (if you don’t have access to , then putting this line in might work too): php.ini .htaccess php_flag display_errors 1 8. How to write two functions that would take a string and return if it starts with the specified character/string or ends with it? Answer: You can do as given below: { $length = strlen($needle); (substr($haystack, , $length) === $needle); } { $length = strlen($needle); ($length == ) { ; } (substr($haystack, -$length) === $needle); } ( ) function startsWith $haystack, $needle return 0 ( ) function endsWith $haystack, $needle if 0 return true return Use this if you don’t want to use a regex. Alternative Answer: You can use function to check start-with and ends-with: substr_compare { substr_compare($haystack, $needle, , strlen($needle)) === ; } { substr_compare($haystack, $needle, -strlen($needle)) === ; } ( ) function startsWith $haystack, $needle return 0 0 ( ) function endsWith $haystack, $needle return 0 9. How to make a redirect in PHP? Answer: i. Basic answer You can use the function to send a new HTTP header, but this must be sent to the browser before any HTML or text (so before the declaration, for example). header() header( .$newURL); 'Location: ' or ii. Important details die() exit() header( ); die(); "Location: http://example.com/myOtherPage.php" Why you should use or : die() exit() The Daily WTF Absolute or relative URL Since June 2014 both absolute and relative URLs can be used. See which had replaced the old , where only absolute URLs were allowed. RFC 7231 RFC 2616 Status Codes PHP’s “Location”-header still uses the -redirect code, but this is not the one you should use. You should consider either (permanent redirect) or (other). HTTP 302 301 303 Note: that the 303-header is incompatible with “many pre-HTTP/1.1 user agents. Currently used browsers are all HTTP/1.1 user agents. This is not true for many other user agents like spiders and robots. W3C mentions iii. Documentation HTTP Headers and the function in PHP header() What the PHP manual says What Wikipedia says What the W3C says iv. Alternatives You may use the alternative method of which needs the PECL package pecl to be installed. http_redirect($url); v. Helper Functions This function doesn’t incorporate the 303 status code: { header( . $url, , $permanent ? : ); exit(); } Redirect( , ); ( ) function Redirect $url, $permanent = false 'Location: ' true 301 302 'http://example.com/' false This is more flexible: { header( . $url, , $statusCode); die(); } ( ) function redirect $url, $statusCode = 303 'Location: ' true vi. Workaround As mentioned, redirects only work before anything is written out. They usually fail if output. Then you might use an HTML header workaround (not very professional!) like: header() invoked inmidst HTML "refresh" "0;url=finalpage.html" Or a JavaScript redirect even. .location.replace( ); window "http://example.com/" Alternative Answer: Use the to send an : function header() HTTP header Location header( .$newURL); 'Location: ' Contrary to what some think, has nothing to do with redirection. Use it if you want to redirect of normal execution. File : die() only instead example.php 'Location: static.html' '/tmp/track.txt' 'a' 'REMOTE_ADDR' ' ' 'c' "\n" Result of three executions: bart@hal9k:~> cat /tmp/track.txt T09: : + : T09: : + : T09: : + : 127.0 .0 .1 2009 -04 -21 50 02 02 00 127.0 .0 .1 2009 -04 -21 50 05 02 00 127.0 .0 .1 2009 -04 -21 50 08 02 00 Resuming — obligatory is some urban legend that has nothing to do with actual PHP. It has nothing to do with the client “respecting” the header. Sending a header does not stop PHP execution, regardless of the client used. die()/exit() Location: 10. How do you use bcrypt for hashing passwords in PHP? Answer: is a hashing algorithm that is scalable with hardware (via a configurable number of rounds). Its slowness and multiple rounds ensure that an attacker must deploy massive funds and hardware to be able to crack your passwords. Add to that per-password ( REQUIRES salts) and you can be sure that an attack is virtually unfeasible without either ludicrous amount of funds or hardware. bcrypt salts bcrypt uses the algorithm to hash passwords. While the encryption phase of and are exactly the same, the key schedule phase of ensures that any subsequent state depends on both salt and key (user password), and no state can be precomputed without the knowledge of both. You cannot retrieve the plain text password without already knowing the salt, rounds, (password). [ ] bcrypt Eksblowfish Eksblowfish Blowfish Eksblowfish Because of this key difference, bcrypt is a one-way hashing algorithm. and key Source How to use bcrypt: Using PHP >= 5.5-DEV Password hashing functions . You may now use to create a hash of any password: have now been built directly into PHP >= 5.5 password_hash() bcrypt ]; echo password_hash( , PASSWORD_BCRYPT, $options). ; // Usage 1: 'rasmuslerdorf' "\n" // $2y$10$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx // For example: // $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a // Usage 2: 'cost' 11 'rasmuslerdorf' "\n" // $2y$11$6DP.V0nO7YI3iSki4qog6OQI5eiO6Jnjsqg7vdnb.JgGIsxniOn4C To verify a user-provided password against an existing hash, you may use the as such: password_verify() = 5.3.7, = 5.3.3) There is a on created based on the source code of the above functions originally written in C, which provides the same functionality. Once the compatibility library is installed, usage is the same as above (minus the shorthand array notation if you are still on the 5.3.x branch). compatibility library GitHub Using PHP < 5.3.7 (DEPRECATED) You can use function to generate bcrypt hashes of input strings. This class can automatically generate salts and verify existing hashes against an input. . This alternative is provided only for historical purposes. crypt() If you are using a version of PHP higher or equal to 5.3.7, it is highly recommended you use the built-in function or the compat library { private $rounds; public { (CRYPT_BLOWFISH != ) { Exception( ); } $ ->rounds = $rounds; } public { $hash = crypt($input, $ ->getSalt()); (strlen($hash) > ) $hash; ; } public { $hash = crypt($input, $existingHash); $hash === $existingHash; } private { $salt = sprintf( , $ ->rounds); $bytes = $ ->getRandomBytes( ); $salt .= $ ->encodeBytes($bytes); $salt; } private $randomState; private { $bytes = ; (function_exists( ) && (strtoupper(substr(PHP_OS, , )) !== )) { $bytes = openssl_random_pseudo_bytes($count); } ($bytes === && is_readable( ) && ($hRand = @fopen( , )) !== FALSE) { $bytes = fread($hRand, $count); fclose($hRand); } (strlen($bytes) randomState === ) { $ ->randomState = microtime(); (function_exists( )) { $ ->randomState .= getmypid(); } } ($i = ; $i randomState = md5(microtime() . $ ->randomState); (PHP_VERSION >= ) { $bytes .= md5($ ->randomState, ); } { $bytes .= pack( , md5($ ->randomState)); } } $bytes = substr($bytes, , $count); } $bytes; } private { $itoa64 = ; $output = ; $i = ; { $c1 = ord($input[$i++]); $output .= $itoa64[$c1 >> ]; $c1 = ($c1 & ) = ) { $output .= $itoa64[$c1]; ; } $c2 = ord($input[$i++]); $c1 |= $c2 >> ; $output .= $itoa64[$c1]; $c1 = ($c2 & ) > ; $output .= $itoa64[$c1]; $output .= $itoa64[$c2 & ]; } ( ); $output; } } class Bcrypt ( ) function __construct $rounds = 12 if 1 throw new "bcrypt not supported in this installation. See http://php.net/crypt" this ( ) function hash $input this if 13 return return false ( ) function verify $input, $existingHash return ( ) function getSalt '$2a$%02d$' this this 16 this return ( ) function getRandomBytes $count '' if 'openssl_random_pseudo_bytes' 0 3 'WIN' // OpenSSL is slow on Windows if '' '/dev/urandom' '/dev/urandom' 'rb' if '' if this null this if 'getmypid' this for 0 16 this this if '5' this true else 'H*' this 0 return ( ) function encodeBytes $input // The following is code from the PHP Password Hashing Framework './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' '' 0 do 2 0x03 4 if 16 break 4 0x0f 2 6 0x3f while true return You can use this code like this: $bcrypt = Bcrypt( ); $hash = $bcrypt->hash( ); $isGood = $bcrypt->verify( , $hash); new 15 'password' 'password' Alternatively, you may also use the . Portable PHP Hashing Framework 11. How to use PHP to get the current year? Answer: You can use either or . In this case, it doesn’t matter as a year is a year, no matter what (unless there’s a locale that formats the year differently?) For example: date strftime "Y" On a side note when formatting dates in PHP it matters when you want to format your date in a different locale than your default. If so, you have to use setlocale and strftime. According to the on date: php manual To format dates in other languages, you should use the setlocale() and strftime() functions instead of date(). From this point of view, it would be best to use strftime as much as possible, if you even have a remote possibility of having to localize your application. If that’s not an issue, pick the one you like best. In Conclusion These are the 11 most commonly asked questions about PHP. If you have any suggestions or any confusion, please comment below. If you need any help, we will be glad to help you. This post was first published on DevPost by Truemark .