Chapter 2: Introducing PHP
Now that you have your virtual server up and running, it’s time to write your first PHP script. PHP is a server-side language. This concept may be a little difficult to grasp, especially if you’ve only ever designed websites using client-side languages like HTML, CSS, and JavaScript.
A server-side language is similar to JavaScript in that it allows you to embed little programs (scripts) into the HTML code of a web page. When executed, these programs give you greater control over what appears in the browser window than HTML alone can provide. The key difference between JavaScript and PHP is the stage of loading the web page at which these embedded programs are executed.
Client-side languages like JavaScript are read and executed by the web browser after downloading the web page (embedded programs and all) from the web server. In contrast, server-side languages like PHP are run by the web server, before sending the web page to the browser. Whereas client-side languages give you control over how a page behaves once it’s displayed by the browser, server-side languages let you generate customized pages on the fly before they’re even sent to the browser.
Once the web server has executed the PHP code embedded in a web page, the result takes the place of the PHP code in the page. All the browser sees is standard HTML code when it receives the page, hence the name “server-side language.” Let’s look at simple example of some PHP that generates a random number between 1 and 10 and then displays it on the screen:
PHP-RandomNumber
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Random Number</title>
</head>
<body>
<p>Generating a random number between 1 and 10:
<?php
echo rand(1, 10);
?>
</p>
</body>
</html>
Most of this is plain HTML. Only the line between <?php and ?> is PHP code. <?php marks the start of an embedded PHP script and ?> marks its end. The web server is asked to interpret everything between these two delimiters and convert it to regular HTML code before it sends the web page to the requesting browser. If you right-click inside your browser and choose View Source (the text may be different depending on the browser you’re using) you can see that the browser is presented with the following:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Random Number</title>
</head>
<body>
<p>Generating a random number between 1 and 10:
5
</p>
</body>
</html>
Notice that all signs of the PHP code have disappeared. In its place the output of the script has appeared, and it looks just like standard HTML. This example demonstrates several advantages of server-side scripting …
- No browser compatibility issues. PHP scripts are interpreted by the web server alone, so there’s no need to worry about whether the language features you’re using are supported by the visitor’s browser.
- Access to server-side resources. In the example above, we placed a random number generated by the web server into the web page. If we had inserted the number using JavaScript, the number would be generated in the browser and someone could potentially amend the code to insert a specific number. Granted, there are more impressive examples of the exploitation of server-side resources, such as inserting content pulled out of a MySQL database.
- Reduced load on the client. JavaScript can delay the display of a web page significantly (especially on mobile devices!) as the browser must run the script before it can display the web page. With server-side code, this burden is passed to the web server, which you can make as beefy as your application requires (and your wallet can afford).
- Choice. When writing code that’s run in the browser, the browser has to understand how to run the code given to it. All modern browsers understand HTML, CSS and JavaScript. To write some code that’s run in the browser, you must use one of these languages. By running code on the server that generates HTML, you have a choice of many languages—one of which is PHP.
Basic Syntax and Statements
PHP syntax will be very familiar to anyone with an understanding of JavaScript, C, C++, C#, Objective-C, Java, Perl, or any other C-derived language. But if these languages are unfamiliar to you, or if you’re new to programming in general, there’s no need to worry about it.
A PHP script consists of a series of commands, or statements. Each statement is an instruction that must be followed by the web server before it can proceed to the next instruction. PHP statements, like those in the aforementioned languages, are always terminated by a semicolon (;).
This is a typical PHP statement:
echo 'This is a <strong>test</strong>!';
This is an echo statement, which is used to generate content (usually HTML code) to send to the browser. An echo statement simply takes the text it’s given and inserts it into the page’s HTML code at the position of the PHP script where it was contained.
In this case, we’ve supplied a string of text to be output: This is a <strong>test</strong>!. Notice that the string of text contains HTML tags (<strong> and </strong>), which is perfectly acceptable.
So, if we take this statement and put it into a complete web page, here’s the resulting code:
PHP-Echo
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Test page</title>
</head>
<body>
<p><?php echo 'This is a <strong>test</strong>!'; ?></p>
</body>
</html>
If you place this file on your web server and then request it using a web browser, your browser will receive this HTML code:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Test page</title>
</head>
<body>
<p>This is a <strong>test</strong>!</p>
</body>
</html>
The random.php example we looked at earlier contained a slightly more complex echo statement:
echo rand(1, 10);
You’ll notice that, in the first example, PHP is given some text to print directly, and in the second, PHP is given an instruction to follow. PHP tries to read anything that exists outside quotes as an instruction it must follow. Anything inside quotes is treated as a string, which means PHP doesn’t process it at all but just passes it to the command you called. So the following code will pass the string This is a <strong>test</strong>! directly to the echo command:
echo 'This is a <strong>test</strong>!';
A string is signified using a start quote and an end quote. PHP will see the first ' as the start of the string and find the next ' and use that as the end of the string.
In contrast, the following code will first run the built-in function rand to generate a random number and then pass the result to the echo command:
echo rand(1, 10);
You can think of built-in functions as tasks that PHP knows how to do without you needing to spell out the details. PHP has many built-in functions that let you do everything, from sending email to working with information stored in various types of databases.
PHP won’t try to run anything that’s inside a string. The following code won’t have the result you may be expecting:
echo 'rand(1, 10)';
Instead of running the inbuilt function rand, PHP will see it as a string, and rather than printing out a random number, it will actually send the text rand(1, 10) to the browser, which probably isn’t what you wanted to do. It’s important to understand the difference between a string and code. PHP will see any text outside quotes as a series of commands it should follow. Anything inside quotes is a string and is data that PHP will work with.
PHP doesn’t try to understand strings. They can contain any characters in any order. But code—which is essentially a series of instructions—must follow a rigid structure for a computer to understand it.
Syntax Highlighting
Using an editor with syntax highlighting makes it easy to quickly see if something is a string or code. Strings will be shown in a different color from code that needs to be processed.
Quotes
PHP supports both single quotes ' and double quotes " to encase strings. For most purposes, they’re interchangeable. PHP developers tend to favor single quotes, because we deal with HTML code a lot, which tends to contain a lot of double quotes. For example:
echo '<a href="http://www.sitepoint.com">Click here</a>';
If double quotes were used here, we’d need to tell PHP that the quote after href= is not the end of the string by placing a before it (known as an escape character) and do the same with any quotes we actually want to send to the browser as part of the HTML:
echo "<a href="http://www.sitepoint.com">Click here</a>";
For this reason, PHP developers use single quotes, although there are some differences between the two quotes. For our purposes, they are effectively interchangeable.
When you invoke a function in PHP—that is, ask it to do its job—you’re said to be calling that function. Most functions return a value when they’re called; PHP then behaves as if you’d actually just typed that returned value in your code instead. In the echo 'rand(1, 10)'; example, our echo statement contains a call to the rand function, which returns a random number as a string of text. The echo statement then outputs the value returned by the function call.
Every function in PHP can have one or more arguments that allow you to make the function behave in a slightly different way. The rand function takes two arguments: the minimum random number and the maximum. By changing the values that are passed to the function, you’re able to change the way it works. For example, if you wanted a random number between 1 and 50, you could use the code:
echo rand(1, 50);
You may wonder why we need to surround the arguments with parentheses ((1, 50)). The parentheses serve two purposes. First, they indicate that rand is a function that you want to call. Second, they mark the beginning and end of a list of arguments—PHP statements that you wish to provide—in order to tell the function what you want it to do. In the case of the rand function, you need to provide a minimum and a maximum value. Those values are separated by a comma.
Later on, we’ll look at functions that take different kinds of arguments. We’ll also consider functions that take no arguments at all. These functions will still need the parentheses, even though there will be nothing to type between them.
Variables, Operators, and Comments
Variables
Variables in PHP are identical to variables in most other programming languages. For the uninitiated, a variable can be thought of as a name given to an imaginary box into which any value may be placed. The following statement creates a variable called $testVariable (all variable names in PHP begin with a dollar sign) and assigns it a value of 3:
$testVariable = 3;
PHP is a loosely typed language. This means that a single variable may contain any type of data—be it a number, a string of text, or some other kind of value—and may store different types of values over its lifetime. The following statement—if you were to type it after the aforementioned statement—assigns a new value to the existing $testVariable. Where it used to contain a number, it now contains a string of text:
$testVariable = 'Three';
Operators
The equals sign we used in the last two statements is called the assignment operator, as it’s used to assign values to variables. Other operators may be used to perform various mathematical operations on values:
$testVariable = 1 + 1; // assigns a value of 2
$testVariable = 1 - 1; // assigns a value of 0
$testVariable = 2 * 2; // assigns a value of 4
$testVariable = 2 / 2; // assigns a value of 1
From these examples,
you can probably tell that + is the addition operator, - is the subtraction operator, * is the multiplication operator and / is the division operator. These are all called arithmetic operators, because they perform arithmetic on numbers.
Comments
Each of the arithmetic lines above ends with a comment. Comments enable you to describe what your code is doing. They insert explanatory text into your code—text that the PHP interpreter will ignore. Comments begin with // and they finish at the end of the same line. If you want a comment to span several lines, start it with /*, and end it with */. The PHP interpreter will ignore everything between these two delimiters. I’ll be using comments throughout the rest of this book to help explain some of the code I present.
Returning to the operators, one that sticks strings of text together is called the string concatenation operator:
$testVariable = 'Hi ' . 'there!'; // Assigns a value of 'Hi there!'
Variables may be used almost anywhere that you use a value. Consider this series of statements:
$var1 = 'PHP'; // assigns a value of 'PHP' to $var1
$var2 = 5; // assigns a value of 5 to $var2
$var3 = $var2 + 1; // assigns a value of 6 to $var3
$var2 = $var1; // assigns a value of 'PHP' to $var2
$var4 = rand(1, 12); // assigns a value to $var4 using the rand() function
echo $var1; // outputs 'PHP'
echo $var2; // outputs 'PHP'
echo $var3; // outputs '6'
echo $var4; // outputs the random number generated above
echo $var1 . ' rules!'; // outputs 'PHP rules!'
echo '$var1 rules!'; // outputs '$var1 rules!'
echo "$var1 rules!" // outputs 'PHP rules!'
Note the last two lines in particular: if you place a variable inside single quotes, it will print the name rather than the contents of the variable. In contrast, when using double quotes, the variable in the string is replaced with the variable’s contents.
Placing variables inside double quotes works in simple situations, but for most of this book it won’t be usable, as we won’t be using such simple code. So it’s a good idea to get used to the practice of concatenation (shown in the third from last line).
Control Structures
The examples of PHP code we’ve seen so far have been either one-statement scripts that output a string of text to the web page, or a series of statements that were to be executed one after the other in order. If you’ve ever written programs in other languages (such as JavaScript, Objective-C, Ruby, or Python), you already know that practical programs are rarely so simple.
PHP, just like any other programming language, provides facilities that enable you to affect the flow of control. That is, the language contains special statements that you can use to deviate from the one-after-another execution order that has dominated our examples so far. Such statements are called control structures. Don’t understand? Don’t worry! A few examples will illustrate it perfectly.
If Statements
The most basic, and most often used, control structure is the if statement. The flow of a program through an if statement can be visualized like this:
The logical flow of an if statement
Here’s what an if statement looks like in PHP code:
if (condition) {
⋮ conditional code to be executed if condition is true
}
This control structure lets us tell PHP to execute a set of statements only if some condition is met.
For example, we might want to create a game that mimics a dice roll and in which you have to roll a six to win. The dice roll can be modeled using the rand() function we used earlier and setting the minimum and maximum from 1 to 6:
$roll = rand(1, 6);
echo 'You rolled a ' . $roll;
To print out a message if the player rolls a six and wins, you can use an if statement:
PHP-DiceRoll
$roll = rand(1, 6);
echo 'You rolled a ' . $roll;
if ($roll == 6) {
echo 'You win!';
}
The == used in the condition above is the equals operator, which is used to compare two values to see whether they’re equal. A single equals = is used for assignment and cannot be used for comparison.
The if statement uses braces { and } to surround the code you want to run when the condition is met. You can place as many lines of code as you like between the braces and the code will only be run when the condition is met. Any code placed after the closing brace (}) will be run all the time:
$roll = rand(1, 6);
echo 'You rolled a ' . $roll;
if ($roll == 6) {
echo 'You win!'; // This line will only be printed if they rolled a 6
}
echo 'Thanks for playing'; // This line will always be printed
Use the Double-Equals
Remember to type the double-equals (==). A common mistake among beginning PHP programmers is to type a condition like this with a single equals sign:
if ($roll = 6) // Missing equals sign!
This condition is using the assignment operator (=) instead of the equal operator (==). Consequently, instead of comparing the value of $roll to the number 6, it will actually set the value of $roll to 6. Oops!
To make matters worse, the if statement will use this assignment operation as a condition, which it will consider to be true, so the conditional code within the if statement will always be executed, regardless of what the original value of $roll happened to be.
If you run diceroll.php, you’ll see the random number being generated, and if you run it until you win, you’ll see this in the browser:
You rolled a 6You win!Thanks for playing
This isn’t very pretty, but because PHP outputs HTML you can add some paragraph tags in order to format the output:
example.css
$roll = rand(1, 6);
echo '<p>You rolled a ' . $roll . '</p>';
if ($roll == 6) {
echo '<p>You win!</p>';
}
echo '<p>Thanks for playing</p>';
If you run the updated diceroll-html.php page, you’ll see that it now prints this in the browser:
You rolled a 6
You win!
Thanks for playing
This is much more user friendly. To make the game itself more user friendly, you might want to display a different message to people who didn’t roll a 6 and didn’t win. This can be done with an else statement. The else statement must follow an if, and will be run if the condition is not met:
PHP-DiceRoll-Else
$roll = rand(1, 6);
echo '<p>You rolled a ' . $roll . '</p>';
if ($roll == 6) {
echo '<p>You win!</p>';
}
else {
echo '<p>Sorry, you didn't win, better luck next time!</p>';
}
echo '<p>Thanks for playing</p>';
Escaping the Quote
Because the word didn't contains a single quote, it needs to be escaped. By preceding the single quote with a backslash (), it tells PHP not to treat the ' in didn't as the end of the string.
With an else statement one (and only one!) of the two blocks of code is guaranteed to run. Either the code in the if block will run if the condition is met, or the code in the else block will run if it isn’t.
Conditions can be more complex than a single check for equality. An if statement can contain more than one condition. For example, imagine if the game was adjusted so that both 5 and 6 were winning numbers. The if statement could be changed to the following:
PHP-DiceRoll-Or
if ($roll == 6 || $roll == 5) {
echo '<p>You win!</p>';
}
else {
echo '<p>Sorry, you didn't win, better luck next time!</p>';
}
The double pipe (||) operator means “or”. The condition above is now met if either expression evaluates to true. This can be read as “If they rolled a 6 or they rolled a 5”.
However, this can be expressed in an even better way. if statements aren’t limited to using the equals (==) operator. They can also utilize the mathematical greater than (>) and less than (<) operators. The if statement above could also be done with a single expression:
PHP-DiceRoll-Greater
if ($roll > 4) {
echo '<p>You win!</p>';
}
else {
echo '<p>Sorry, you didn't win, better luck next time!</p>';
}
$roll > 4 will evaluate to true if the value stored in the $roll variable is greater than 4, allowing us to have 5 and 6 as winning numbers with a single condition. If we wanted 4, 5 and 6 as winning numbers, the condition could be changed to $roll > 3.
Like the or expression (||), there’s another expression called and that’s is only met when both conditions evaluate to true. We could expand the game to include two dice and require players to roll two sixes to win:
PHP-DiceRoll-TwoDice
$roll1 = rand(1, 6);
$roll2 = rand(1, 6);
echo '<p>You rolled a ' . $roll1 . ' and a ' . $roll2
. '</p>';
if ($roll1 == 6 && $roll2 == 6) {
echo '<p>You win!</p>';
}
else {
echo '<p>Sorry, you didn't win, better luck next
time!</p>';
}
echo '<p>Thanks for playing</p>';
The expression if ($roll1 == 6 && $roll2 == 6) will only evaluate to true if $roll1 == 6 is true and $roll2 == 6. This means that the player has to roll a 6 on both dice to win the game. If we changed the and (&&) to an or (||)—that is, if ($roll1 == 6 || $roll2 == 6)—the player would win if they rolled a 6 on either dice.
We’ll look at more complicated conditions as the need arises. For the time being, a general familiarity with if … else statements is sufficient.
or and and
PHP also allows the use of the or in place of || and and in place of &&. For example:
if ($roll == 6 or $roll == 5) { … }
There are some minor differences between the way or and || work that can lead to unexpected behavior. Generally speaking, avoiding the “spelled out” operators and sticking to the double pipe (||) and double ampersand (&&) will help prevent confusing bugs.
Loops
Another type of control structure that’s very useful is a loop. Loops allow repeating the same lines of code over and over. Two important kind of loops are for loops and while loops. Let’s look at how they work.
For Loops
The for loop is used when you know up front how many times you need to run the same code. The image below shows the flow of a for loop:
The logical flow of a for loop
Here’s what it looks like in code:
for (declare counter; condition; increment counter) {
⋮ statement(s) to execute repeatedly as long as condition is true
}
The declare counterdeclare counter statement is executed once at the start of the loop. The condition statement is checked each time through the loop before the statements in the body are executed. The increment counter statement is executed each time through the loop after the statements in the body.
To count to 10 using a for loop, you can use the following code:
for ($count = 1; $count <= 10; $count++) {
echo $count . ' ';
}
This looks quite scary, as there’s a lot going on, but let me break it down for you:
$count = 1;: this sets the counters initial value to1.$count <= 10;: this is the condition. It can be read of as “keep looping while $count is less than or equal to 10”.$count++: this says “add 1 to the counter each time”. It’s identical to$count = $count + 1.echo $count . ' ';: this prints the value of the counter followed by a space.
The condition in this example uses the operator <=. This acts similarly to the < less than operator, but evaluates to true if the number being compared is less than or equal to the second. Other available operators include >= (greater than or equal) and != (not equal).
As you can see, the statements that initialize and increment the $count variable are placed with the condition on the first line of the for loop. Although, at first glance, the code seems a little more difficult to read, putting all the code that deals with controlling the loop in the same place actually makes it easier to understand once you’re used to the syntax. Many of the examples in this book will use for loops, so you’ll have plenty of opportunities to practice reading them.
You can change each part of the for loop to have different results. For example, here’s how to add 3 each time you can change the for loop:
PHP-For
for ($count = 1; $count <= 10; $count = $count + 3) {
echo $count . ' ';
}
This will result in the following:
1 4 7 10
for loops can be combined with other statements such as if statements to perform specific tasks on each iteration. For example, rather than refreshing the page on our dice game each time, we might want to roll the dice 10 times and print the results:
PHP-DiceRoll-ManyDice
for ($count = 1; $count <= 10; $count++) {
$roll = rand(1, 6);
echo '<p>You rolled a ' . $roll . '</p>';
if ($roll == 6) {
echo '<p>You win!</p>';
}
else {
echo '<p>Sorry, you didn't win, better
luck next time!</p>';
}
}
echo '<p>Thanks for playing</p>';
This lets us roll the dice 10 times without needing to refresh the page each time. Using a loop is functionally identical to copy/pasting the code 10 times, and will produce the exact same outcome as the following:
$roll = rand(1, 6);
echo '<p>You rolled a ' . $roll . '</p>';
if ($roll == 6) {
echo '<p>You win!</p>';
}
else {
echo '<p>Sorry, you didn't win, better luck
next time!</p>';
}
$roll = rand(1, 6);
echo '<p>You rolled a ' . $roll . '</p>';
if ($roll == 6) {
echo '<p>You win!</p>';
}
else {
echo '<p>Sorry, you didn't win, better luck next
time!</p>';
}
$roll = rand(1, 6);
echo '<p>You rolled a ' . $roll . '</p>';
if ($roll == 6) {
echo '<p>You win!</p>';
}
else {
echo '<p>Sorry, you didn't win, better luck next time!</p>';
}
// and so on …
The computer doesn’t care which method you use, whether you copy/paste or use a loop. It will just run the code. However, as a developer, you’ll quickly realize that a loop is the better choice. If you wanted to update the code to also allow 5 as a winning number, you’d need to update the condition in 10 different places. Using a loop, you can change the code in one place and it will affect each iteration of the loop. If you ever find yourself copy/pasting code, there’s always a better way of achieving what you’re trying to do.
While Loops
Another often-used PHP control structure is the while loop. Where the if … else statement allows us to choose whether or not to execute a set of statements depending on some condition, the while loop allows us to use a condition to determine how many times we’ll execute a set of statements repeatedly.
The following image shows how a while loop operates:
The logical flow of a while loop
Here’s what a while loop looks like in code:
while (condition) {
⋮ statement(s) to execute repeatedly as long as condition is true
}
The while loop works very similarly to an if statement. The difference arises when the condition is true and the statement(s) are executed. Instead of continuing the execution with the statement that follows the closing brace (}), the condition is checked again. If the condition is still true, the statement(s) are executed a second time, and a third, and will continue to be executed as long as the condition remains true. The first time the condition evaluates false (whether it’s the first time it’s checked, or the 101st), the execution jumps immediately to the statement that follows the while loop, after the closing brace.
Loops like these come in handy whenever you’re working with long lists of items, but for now I’ll illustrate with a trivial example, counting to ten:
PHP-WhileCount
while ($count <= 10) {
echo $count . ' ';
++$count;
}
This works in exactly the same way as a for loop, and you’ll notice a lot of the same statements in different places. This code may look a bit frightening, I know, but let me talk you through it line by line:
$count = 1;. The first line creates a variable called$countand assigns it a value of1.while ($count <= 10). The second line is the start of awhileloop, the condition being that the value of$countis less than or equal (<=) to 10.{. The opening brace marks the beginning of the block of conditional code for thewhileloop. This conditional code is often called the body of the loop, and is executed over and over again, as long as the condition holds true.echo $count . ' ';. This line simply outputs the value of$count, followed by a space.++$count;. The fourth line adds one to the value of$count.++$countis a shortcut for$count = $count + 1.$count++will also work here! The position of the++can be important, but in this case it doesn’t matter. If the++is before the variable name, the counter is incremented before the value is read. When$countis zero, the codeecho ++$count;will print1, whereasecho $count++;will print0. Be careful when using++, as putting it in the wrong place can cause bugs.}. The closing brace marks the end of thewhileloop’s body.
So here’s what happens when this code is executed. The first time the condition is checked, the value of $count is 1, so the condition is definitely true. The value of $count (1) is output, and $count is given a new value of 2. The condition is still true the second time it’s checked, so the value (2) is output and a new value (3) is assigned. This process continues, outputting the values 3, 4, 5, 6, 7, 8, 9, and 10. Finally, $count is given a value of 11, and the condition is found to be false, which ends the loop.
The net result of the code is shown in the following image:
The net result of the while loop code
While loops aren’t generally used for simple counters like this, which is normally the job of the for loop. Although you can create a counter with a while loop, usually they’re used to keep running code until something happens. For example, we might want to keep rolling the dice until we get a six. There’s no way to know how many dice rolls will be needed when we write the code: it could take one roll or hundreds to get a six. So you can place the dice roll in a while loop:
PHP-DiceRoll-While
$roll = 0;
while ($roll != 6) {
$roll = rand(1, 6);
echo '<p>You rolled a ' . $roll . '</p>';
if ($roll == 6) {
echo '<p>You win!</p>';
}
else {
echo '<p>Sorry, you didn't win, better luck
next time!</p>';
}
}
This will keep rolling the dice until a 6 is rolled. Each time you run the code it will take a different number of rolls before you win.
The while statement uses the condition $roll != 6. In order for the while loop to be run the first time, the $roll variable must be set to a value for the initial comparison. That’s the purpose of the $roll = 0; line above the while loop. By setting the value to zero initially, when the while loop runs the first time, while ($roll != 6) will evaluate to true (because $roll is equal to zero, not 6!) and the loop will start. Without this line, you’d get an error, because the $roll variable hadn’t been set to anything before it was used.
There’s a variant of the while loop called do … while, which is useful in these kinds of cases. It allows you to run some code without a condition and then run it again if the code isn’t set. This takes the following structure:
do {
statement(s) to execute and then repeat if the condition is true
}
while (condition);
For the dice roll example above, this allows you to ignore the first line:
PHP-DiceRoll-DoWhile
do {
$roll = rand(1, 6);
echo '<p>You rolled a ' . $roll . '</p>';
if ($roll == 6) {
echo '<p>You win!</p>';
}
else {
echo '<p>Sorry, you didn't win, better luck next time!</p>';
}
}
while ($roll != 6);
This time, because the condition is at the bottom, by the time the while statement is run, the $roll variable has been given a value, so you don’t need to give it an initial value of zero to force the loop to run the first time.
PSR-2
PHP doesn't mind how you format your code and whitespace is ignored. You could express the previous example as:
do {
$roll = rand(
1,
6);
echo 'You rolled a ' .
$roll . '';
if (
$roll == 6
)
{
echo 'You win!';
}
else
{
echo 'Sorry, you didn't win, better luck next
time!';
}
}
while ($roll != 6);
The script will execute in the exact same way. Different programmers have different preferred styles, such as using tabs or spaces for indentation, or placing the opening brace on the same line as the statement or after it. Throughout this book I'll be using a convention known as PSR-2 but use whatever style you feel most comfortable with.
Arrays
An array is a special kind of variable that contains multiple values. If you think of a variable as a box that contains a value, an array can be thought of as a box with compartments where each compartment is able to store an individual value.
To create an array in PHP, use square brackets [ and ] containing the values you want to store, separated by commas:
$myArray = ['one', 2, '3'];
The array Keyword
Arrays in PHP can also be defined using the array keyword. The following code is equivalent to the square bracket notation above:
$myArray = array('one', 2, 3);
The square bracket notation was introduced in PHP 5.4 and is preferred by PHP developers, as it’s less to type, and square brackets are more easily visible among round brackets in control structures like if statements and while loops.
/p>
This code creates an array called $myArray that contains three values: 'one', 2, and '3'. Just like an ordinary variable, each space in an array can contain any type of value. In this case, the first and third spaces contain strings, while the second contains a number.
To access a value stored in an array, you need to know its index. Typically, arrays use numbers as indices to point to the values they contain, starting with zero. That is, the first value (or element) of an array has index 0, the second has index 1, the third has index 2, and so on. Therefore, the index of the nth element of an array is n–1. Once you know the index of the value you’re interested in, you can retrieve that value by placing that index in square brackets after the array variable name:
echo $myArray[0]; // outputs 'one'
echo $myArray[1]; // outputs '2'
echo $myArray[2]; // outputs '3'
Each value stored in an array is called an element. You can use a key in square brackets to add new elements, or assign new values to existing array elements:
$myArray[1] = 'two'; // assign a new value
$myArray[3] = 'four'; // create a new element
You can also add elements to the end of an array using the assignment operator as usual, but leaving empty the square brackets that follow the variable name:
$myArray[] = 'five';
echo $myArray[4]; // outputs 'five'
Array elements can be used like any other variable, and in a lot of cases choosing to use an array or multiple variables will depend on the programmer’s preference. However, arrays can be used to solve problems that normal variables can’t!
Remember the dice game from the last section? It would be more user-friendly if it showed the English word rather than the numeral for the result. For example, instead of “You rolled a 3” or “You rolled a 6”, it might be nicer to read “You rolled a three” or “You rolled a six”.
To do this, we need some way of converting from a numeral to the English word for that number. This is possible with a series of if statements:
PHP-DiceRoll-English-If
$roll = rand(1, 6);
if ($roll == 1) {
$english = 'one';
}
else if ($roll == 2) {
$english = 'two';
}
else if ($roll == 3) {
$english = 'three';
}
else if ($roll == 4) {
$english = 'four';
}
else if ($roll == 5) {
$english = 'five';
}
else if ($roll == 6) {
$english = 'six';
}
echo '<p>You rolled a ' . $english . '</p>';
if ($roll == 6) {
echo '<p>You win!</p>';
}
else {
echo '<p>Sorry, you didn't win, better luck next time!</p>';
}
This solution works, but it’s very inefficient, as you need to write an if statement for each possible dice roll. Instead, you can use an array to store each roll value:
$english = [
1 => 'one',
2 => 'two',
3 => 'three',
4 => 'four',
5 => 'five',
6 => 'six'
];
The => notation allows you to define both the keys and the values when creating the array. This is equivalent to:
$english = [];
$english[1] = 'one';
$english[2] = 'two';
$english[3] = 'three';
$english[4] = 'four';
$english[5] = 'five';
$english[6] = 'six';
Although these are equivalent, the code required to use the shorthand notation is a lot quicker to type, is arguably easier to read, and easier to understand.
Now that the array is created, it’s possible to read each English word from it:
echo $english[3]; //Prints "three"
echo $english[5]; //Prints "five"
In PHP, a number like 3 it can be replaced with a variable that contains that value. This is also possible with array keys. For example:
$var1 = 3;
$var2 = 5;
echo $english[$var1]; //Prints "three"
echo $english[$var2]; //Prints "five"
Knowing this, we can piece it all together and adjust the dice game to display the English word of the dice roll by reading the relevant value from the array using the $roll variable:
PHP-DiceRoll-English-Array
$english = [
1 => 'one',
2 => 'two',
3 => 'three',
4 => 'four',
5 => 'five',
6 => 'six'
];
$roll = rand(1, 6);
echo '<p>You rolled a ' . $english[$roll]
. '</p>';
if ($roll == 6) {
echo '<p>You win!</p>';
}
else {
echo '<p>Sorry, you didn't win, better luck
next time!</p>';
}
As you can see, this is a lot cleaner and tidier than a long list of if statements. There are two big advantages here:
- If you wanted to represent a 10-sided dice, it’s a lot easier to add to the array than add an extra
ifstatement for each number. - The array is reusable. For the version with two dice, you can just reuse the
$englisharray rather than repeating all theifstatements for each dice roll:
PHP-DiceRoll-English-If-TwoDice
$roll1 = rand(1, 6);
$roll2 = rand(1, 6);
if ($roll1 == 1) {
$english = 'one';
}
else if ($roll1 == 2) {
$english = 'two';
}
else if ($roll1 == 3) {
$english = 'three';
}
else if ($roll1 == 4) {
$english = 'four';
}
else if ($roll1 == 5) {
$english = 'five';
}
else if ($roll1 == 6) {
$english = 'six';
}
if ($roll2 == 1) {
$englishRoll2 = 'one';
}
else if ($roll2 == 2) {
$englishRoll2 = 'two';
}
else if ($roll2 == 3) {
$englishRoll2 = 'three';
}
else if ($roll2 == 4) {
$englishRoll2 = 'four';
}
else if ($roll2 == 5) {
$englishRoll2 = 'five';
}
else if ($roll2 == 6) {
$englishRoll2 = 'six';
}
echo '<p>You rolled a ' . $english . ' and a '
. $englishRoll2 . '</p>';
Instead, the array can be used for both rolls:
PHP-DiceRoll-English-Array-TwoDice
$english = [
1 => 'one',
2 => 'two',
3 => 'three',
4 => 'four',
5 => 'five',
6 => 'six'
];
$roll1 = rand(1, 6);
$roll2 = rand(1, 6);
echo '<p>You rolled a ' . $english[$roll1] . ' and
a ' . $english[$roll2] . '</p>';
While numbers are the most common choice for array indices, there’s another possibility. You can also use strings as indices to create what’s called an associative array. It’s called this because it associates values with meaningful indices. In this example, we associate a date (in the form of a string) with each of three names:
$birthdays['Kevin'] = '1978-04-12';
$birthdays['Stephanie'] = '1980-05-16';
$birthdays['David'] = '1983-09-09';
Like the numerical indexes, you can use the shorthand notation for associative arrays as well:
$birthdays = [
'Kevin' => '1978-04-12',
'Stephanie' => '1980-05-16',
'David' => '1983-09-09'
];
Now, if we want to know Kevin’s birthday, we look it up using the name as the index:
echo 'Kevin's birthday is: ' . $birthdays['Kevin'];
This type of array is especially important when it comes to user interaction in PHP, as we’ll see in the next section. I’ll demonstrate other uses of arrays throughout this book.
Escaping Quotes
Because Kevin's contains an apostrophe (single quote) and PHP would see this as the end of the string, it must be escaped with a so that PHP treats it as part of the string, rather than marking the end.
User Interaction and Forms
For most database-driven websites these days, you need to do more than dynamically generate pages based on database data. You also need to provide some degree of interactivity, even if it’s just a search box.
Veterans of JavaScript tend to think of interactivity in terms of event listeners, which let you react directly to the actions of the user—for example, the movement of the cursor over a link on the page. Server-side scripting languages such as PHP have a more limited scope when it comes to support for user interaction. As PHP code is only activated when a request is made to the server, user interaction occurs solely in a back-and-forth fashion: the user sends requests to the server, and the server replies with dynamically generated pages.To some extent, the rise of Ajax techniques in the JavaScript world in recent years has changed this. It’s now possible for JavaScript code—responding to a user action such as mouse movement—to send a request to the web server, invoking a PHP script. For the purposes of this book, however, we’ll stick to non-Ajax applications. If you’d like to learn all about Ajax, check out JavaScript: Novice to Ninja by Darren Jones: http://www.sitepoint.com/books/jsninja2/.
The key to creating interactivity with PHP is to understand the techniques we can employ to send information about a user’s interaction, along with a request for a new web page. As it turns out, PHP makes this quite easy.
Passing Variables in Links
The simplest way to send information along with a page request is to use the URL query string. If you’ve ever noticed a URL containing a question mark that follows the filename, you’ve seen this technique in use. For example, if you search for “SitePoint” on Google, it will take you to a search result page with a URL like this:
http://www.google.com/search?hl=en&q=SitePoint
See the question mark in the URL? The text that follows the question mark contains your search query (SitePoint). That information is being sent along with the request for http://www.google.com/search.
Let’s code up an easy example of our own. Create a regular HTML file called name.html (no .php filename extension is required, since there won’t be any PHP code in this file) and insert this link:
<a href="name.php?name=Kevin">Hi, I’m Kevin!</a>
This is a link to a file called name.php, but as well as linking to the file, you’re also passing a variable along with the page request. The variable is passed as part of the query string, which is the portion of the URL that follows the question mark. The variable is called name, and its value is Kevin. So, you’ve created a link that loads name.php, and informs the PHP code contained in that file that name equals Kevin.
To really understand the effect of this link, we need to look at name.php. Create it as a new HTML file, but this time, note the .php filename extension: this tells the web server that it can expect to interpret some PHP code in the file. In the body of this new web page, type the following:
PHP-GET
$name = $_GET['name'];
echo 'Welcome to our website, ' . $name . '!';
?>
Now, put these two files (name.html and name.php) in the Project folder, and load the first file in your browser (the URL should be http://192.168.10.10/name.html). Click the link in that first page to request the PHP script. The resulting page should say “Welcome to our website, Kevin!”, as shown in the following image:
The welcome message, seen in the browser
Let’s take a closer look at the code that made this possible. This is the most important line:
$name = $_GET['name'];
Using what you learned from the Arrays section above, you may be able to figure out what this line does. It assigns the value stored in the 'name' element of the array called $_GET to a new variable called $name. But where does the $_GET array come from?
It turns out that $_GET is one of a number of variables that PHP automatically creates when it receives a request from a browser. PHP creates $_GET as an array variable that contains any values passed in the URL query string. $_GET is an associative array, so the value of the name variable passed in the query string can be accessed as $_GET['name']. Your name.php script assigns this value to an ordinary PHP variable ($name), then displays it as part of a text string using an echo statement:
echo 'Welcome to our website, ' . $name . '!';
The value of the $name variable is inserted into the output string using the string concatenation operator (.) that we looked at in the Variables, Operators, and Comments section.
But watch out! There’s a security hole lurking in this code! Although PHP is an easy programming language to learn, it turns out it’s also especially easy to introduce security issues into websites using PHP if you’re unaware of what precautions to take. Before we go any further with the language, I want to make sure you’re able to spot and fix this particular security issue, since it’s probably the most common one on the Web today.
The security issue here stems from the fact that the name.php script is generating a page containing content that’s under the control of the user—in this case, the $name variable. Although the $name variable will normally receive its value from the URL query string in the link on the name.html page, a malicious user could edit the URL to send a different value for the name variable.
To see how this would work, click the link in name.html again. When you see the resulting page (with the welcome message containing the name “Kevin”), take a look at the URL in the address bar of your browser. It should look similar to this:
http://192.168.10.10/name.php?name=Kevin
Edit the URL to insert a <b> tag before the name and a </b> tag following the name:
http://192.168.10.10/name.php?name=<b>Kevin</b>
Hit Enter to load this new URL, and note that the name in the page is now bold, as shown in the following image:You might notice that some browsers will automatically convert the < and > characters into URL escape sequences (%3C and %3E respectively), but either way, PHP will receive the same value.
The name shown in bold
See what’s happening here? The user can type any HTML code into the URL, and your PHP script includes it in the code of the generated page without question. If the code is as innocuous as a <b> tag, there’s no problem, but a malicious user could include sophisticated JavaScript code that performs some low action like stealing the user’s password. All the attacker would have to do is publish the modified link on some other site under the attacker’s control, and then entice one of your users to click it. The attacker could even embed the link in an email and send it to your users. If one of your users clicked the link, the attacker’s code would be included in your page and the trap would be sprung!
I hate to scare you with this talk of malicious hackers attacking your users by turning your own PHP code against you, particularly when you’re only just learning the language. The fact is that PHP’s biggest weakness as a language is how easy it is to introduce security issues like this. Some might say that much of the energy you spend learning to write PHP to a professional standard is spent on avoiding security issues. The sooner you’re exposed to these issues, however, the sooner you become accustomed to avoiding them, and the less of a stumbling block they’ll be for you in future.
So, how can we generate a page containing the user’s name without opening it up to abuse by attackers? The solution is to treat the value supplied for the $name variable as plain text to be displayed on your page, rather than as HTML to be included in the page’s code. This is a subtle distinction, so let me show you what I mean.
Open up your name.php file again and edit the PHP code it contains so that it looks like this:
PHP-GET-Sanitized
<?php
$name = $_GET['name'];
echo 'Welcome to our website, ' .
htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '!';
?>
There’s a lot going on in this code, so let me break it down for you. The first line is the same as it was previously, assigning to $name the value of the 'name' element from the $_GET array. But the echo statement that follows it is drastically different. Whereas previously we simply dumped the $name variable, naked, into the echo statement, this version of the code uses the built-in PHP function htmlspecialchars to perform a critical conversion.
Remember, the security hole occurs because, in name.php, HTML code in the $name variable is dumped directly into the code of the generated page, and can therefore do anything that HTML code can do. What htmlspecialchars does is convert “special HTML characters” like < and > into HTML character entities like < and >, which prevents them from being interpreted as HTML code by the browser. I’ll demonstrate this for you in a moment.
First, let’s take a closer look at this new code. The call to the htmlspecialchars function is the first example in this book of a PHP function that takes more than one argument. Here’s the function call all by itself:
htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
The first argument is the $name variable (the text to be converted). The second argument is the PHP constant.A PHP constant is like a variable whose value you’re unable to change. Unlike variables, constants don’t start with a dollar sign. PHP comes with a number of built-in constants like ENT_QUOTES that are used to control built-in functions like htmlspecialchars./span> ENT_QUOTES, which tells htmlspecialchars to convert single and double quotes in addition to other special characters. The third parameter is the string 'UTF-8', which tells PHP what character encoding to use to interpret the text you give it.
Text Encoding
You may have discerned that all the example HTML pages in this book contain the following meta tag near the top:
<meta charset="utf-8">
This tag tells the browser receiving this page that the HTML code of the page is encoded as UTF-8 text.
UTF-8 is one of many standards for representing text as a series of ones and zeros in computer memory, called character encodings. If you’re curious to learn all about character encodings, check out http://www.sitepoint.com/article/guide-web-character-encoding/.
In a few pages, we’ll reach the section on “Passing Variables in Forms”. By encoding your pages as UTF-8, your users can submit text containing thousands of foreign characters that your site would otherwise be unable to handle.
Unfortunately, many of PHP’s built-in functions, such as htmlspecialchars, assume you’re using the much simpler ISO-8859-1 (or Latin-1) character encoding by default. Therefore, you need to let them know you’re using UTF-8 when utilizing these functions.
If you can, you should also tell your text editor to save your HTML and PHP files as UTF-8 encoded text. This is only required if you want to type advanced characters (such as curly quotes or dashes) or foreign characters (like “é”) into your HTML or PHP code. The code in this book plays it safe and uses HTML entity references (for example, ’ for a curly right quote), which will work regardless.
Open up name.html in your browser and click the link that now points to your updated name.php. Once again, you’ll see the message “Welcome to our website, Kevin!” As you did before, modify the URL to include <b> and </b> tags surrounding the name:
http://192.168.10.10/name.php?name=<b>Kevin</b>
When you hit Enter this time, instead of the name turning bold in the page, you should see the actual text that you typed as shown in the following image:
It sure is ugly, but it’s secure!
If you view the source code of the page, you can confirm that the htmlspecialchars function did its job and converted the < and > characters into the < and > entity references respectively. This prevents malicious users from injecting unwanted code into your site. If they try anything like that, the code is harmlessly displayed as plain text on the page.
We’ll make extensive use of the htmlspecialchars function throughout this book to guard against this sort of security hole. No need to worry too much if you’re having trouble grasping the details of how to use it just at the minute. Before long, you’ll find its use becomes second nature. For now, let’s look at some more advanced ways of passing values to PHP scripts when we request them.
Passing a single variable in the query string was nice, but it turns out you can pass more than one value if you want to! Let’s look at a slightly more complex version of the previous example. Open up your name.html file again, and change the link to point to name.php with this more complicated query string:
<a href="name.php?firstname=Kevin&lastname=Yank">
Hi, I’m Kevin Yank!</a>
This time, our link passes two variables: firstname and lastname. The variables are separated in the query string by an ampersand (&, which should be written as & in HTML—yes, even in a link URL! … although, if you do wrongly use &, browsers will mostly fix it for you). You can pass even more variables by separating each name=value pair from the next with an ampersand.
As before, we can use the two variable values in our name.php file:
PHP-GET-TwoVars
$firstName = $_GET['firstname'];
$lastName = $_GET['lastname'];
echo 'Welcome to our website, ' .
htmlspecialchars($firstName, ENT_QUOTES, 'UTF-8') . ' ' .
htmlspecialchars($lastName, ENT_QUOTES, 'UTF-8') . '!';
?>
The echo statement is becoming quite sizable now, but it should still make sense to you. Using a series of string concatenations (.), it outputs “Welcome to our website,” followed by the value of $firstName (made safe for display using htmlspecialchars), a space, the value of $lastName (again, treated with htmlspecialchars), and finally an exclamation mark.
The result looks like this:
The echoed welcome
This is all well and good, but we’re still yet to achieve our goal of true user interaction, where the user can enter arbitrary information and have it processed by PHP. To continue with our example of a personalized welcome message, we’d like to invite the user to type their name and have it appear in the resulting page. To enable the user to type in a value, we’ll need to use an HTML form.
Passing Variables in Forms
Rip the link out of name.html and replace it with this HTML code to create the form:
PHP-GET-Form
<form action="name.php" method="get">
<label for="firstname">First name:</label>
<input type="text" name="firstname" id="firstname">
<label for="lastname">Last name:</label>
<input type="text" name="lastname" id="lastname">
<input type="submit" value="GO">
</form>
This is how the browser displays the form produced from this code:
The form as it appears in a browser
Adding Some CSS
I’ve added some CSS to the form (available in form.css in the sample code) to make it look a little prettier. The CSS I’ve used is very generic, and can be used to display any form in the format label-input-line break. I’ll be including this CSS file on any page that contains a form.
Since this is a book about PHP and MySQL, however, I won’t go into detail about how the CSS works. Check out SitePoint’s The CSS3 Anthology for advice on styling your forms with CSS.
This form has the exact same effect as the second link we looked at in the “Passing Variables in Links” section above (with firstname=Kevin&lastname=Yank in the query string), except that you can now enter whichever names you like. When you click the submit button (labeled GO), the browser will load name.php and add the variables and their values to the query string for you automatically. It retrieves the names of the variables from the name attributes of the type="text" inputs, and obtains the values from the text typed into the text fields by the user.
The method attribute of the form tag is used to tell the browser how to send the variables and their values along with the request. A value of get (as used in name.html above) causes them to be passed via the query string (and appear in PHP’s $_GET array), but there is an alternative. It can be undesirable—or even technically unfeasible—to have the values appear in the query string. What if we included a textarea element in the form, to let the user enter a large amount of text? A URL whose query string contained several paragraphs of text would be ridiculously long, and would possibly exceed the maximum length for a URL in today’s browsers. The alternative is for the browser to pass the information invisibly, behind the scenes.
Edit your name.html file once more. Modify the form method by setting it to post:
<form action="name.php" method="post">
<label for="firstname">First name:</label>
<input type="text" name="firstname" id="firstname">
<label for="lastname">Last name:</label>
<input type="text" name="lastname" id="lastname">
<input type="submit" value="GO">
</form>
This new value for the method attribute instructs the browser to send the form variables invisibly as part of the page request, rather than embedding them in the query string of the URL.
As we’re no longer sending the variables as part of the query string, they stop appearing in PHP’s $_GET array. Instead, they’re placed in another array reserved especially for “posted” form variables: $_POST. We must therefore modify name.php to retrieve the values from this new array:
PHP-POST-Form
<?php
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
echo 'Welcome to our website, ' .
htmlspecialchars($firstname, ENT_QUOTES, 'UTF-8') . ' ' .
htmlspecialchars($lastname, ENT_QUOTES, 'UTF-8') . '!';
?>
Here’s what the resulting page looks like once this new form is submitted:
The resulting page once the form is submitted
The form is functionally identical to the previous one. The only difference is that the URL of the page that’s loaded when the user clicks the GO button will be without a query string. On the one hand, this lets you include large values (or sensitive values such as passwords and credit card numbers) in the data that’s submitted by the form without them appearing in the query string. On the other hand, if the user bookmarks the page that results from the form’s submission, that bookmark will be useless, as it lacks the submitted values. This, incidentally, is the main reason why search engines use the query string to submit search terms. If you bookmark a search results page on Google, you can use that bookmark to perform the same search again later, because the search terms are contained in the URL.
GET or POST?
As a rule of thumb, you should only use GET forms if, when the form is submitted, nothing on the server changes—such as when you’re requesting a list of search results. Because the search terms are in the URL, the user can bookmark the search results page and get back to it without having to type in the search term again. But if, after submitting the form, a file is deleted, or a database is updated, or a record is inserted, you should use POST. The primary reason for this is that if a user bookmarks the page (or presses back in their browser) it won’t trigger the form submission again and potentially create a duplicate record.
That covers the basics of using forms to produce rudimentary user interaction with PHP. We’ll look at more advanced issues and techniques in later examples.
Hiding the Seams
You’re now armed with a working knowledge of the basic syntax of the PHP programming language. You understand that you can take any HTML web page, rename it with a .php file name extension, and inject PHP code into it to generate page content on the fly. Not bad for a day’s work!
Before we go any further, however, I want to stop and cast a critical eye over the examples we’ve discussed so far. Assuming your objective is to create database-driven websites that hold up to professional standards, there are a few unsightly blemishes we need to clean up.
The techniques in the rest of this chapter will help advance your programming skills beyond the beginner level, giving them a certain professional polish. I’ll rely on these techniques throughout the rest of this book to ensure that, no matter how simple the example, you can feel confident in the quality of the product you’re delivering.
PHP Templates
In the simple examples we’ve seen so far, inserting PHP code directly into your HTML pages has been a reasonable approach. As the amount of PHP code that goes into generating your average page grows, however, maintaining this mixture of HTML and PHP code can become unmanageable.
Particularly if you work in a team of not-so-savvy web designers, PHP-wise, having large blocks of cryptic PHP code intermingled with the HTML is a recipe for disaster. It’s far too easy for designers to accidentally modify the PHP code, causing errors they’ll be unable to fix.
A much more robust approach is to separate out the bulk of your PHP code so that it resides in its own file, leaving the HTML largely unpolluted by PHP code.
The key to doing this is the PHP include statement. With an include statement, you can insert the contents of another file into your PHP code at the point of the statement. To show you how this works, let’s rebuild the “count to ten” for loop example we looked at earlier.
Start by creating a new file, count.php, in this directory. Open the file for editing and type in this code:
<?php
$output = '';
for ($count = 1; $count <= 10; $count++) {
$output .= $count . ' ';
}
include 'count.html.php';
Yes, that’s the complete code for this file. It contains no HTML code whatsoever. The for loop should be familiar to you by now, but let me point out the interesting parts of this code:
- Instead of
echoing out the numbers 1 to 10, this script will add these numbers to a variable named$output. At the start of this script, therefore, we set this variable to contain an empty string. - The line
$output .= $count . ' ';adds each number (followed by a space) to the end of the$outputvariable. The.=operator you see here is a shorthand way of adding a value to the end of an existing string variable, by combining the assignment and string concatenation operators into one. The longhand version of this line is$output = $output . $count . ' ';, but the.=operator saves you some typing. - The
includestatement instructs PHP to execute the contents of thecount.html.phpfile at this location.Outside of this book, you’ll often seeincludes coded with parentheses surrounding the filename, as ifincludewere a function likedateorhtmlspecialchars, which is far from the case. These parentheses, when used, only serve to complicate the filename expression, and are therefore avoided in this book. The same goes forecho, another popular one-liner. You can think of theincludestatement as a kind of copy and paste. You would get the same result by opening upcount.html.php, copying the contents and pasting them intocount.php, overwriting theincludeline. - Finally, you might have noticed that the file doesn’t end with a
?>to match the opening<?php. You can put it in if you really want to, but it’s unnecessary. If a PHP file ends with PHP code, there’s no need to indicate where that code ends; the end of the file does it for you. The big brains of the PHP world generally prefer to leave it off the end of files like this one that contain only PHP code.
Since the final line of this file includes the count.html.php file, you should create this next:
PHP-Count-Template
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Counting to Ten</title>
</head>
<body>
<p>
<?php echo $output; ?>
</p>
</body>
</html>
This file is almost entirely plain HTML, except for the one line that outputs the value of the $output variable. This is the same $output variable that was created by the index.php file.
What we’ve created here is a PHP template: an HTML page with only very small snippets of PHP code that insert dynamically generated values into an otherwise static HTML page. Rather than embedding the complex PHP code that generates those values in the page, we put the code to generate the values in a separate PHP script—index.php in this case.
Using PHP templates like this enables you to hand over your templates to HTML-savvy designers without worrying about what they might do to your PHP code. It also lets you focus on your PHP code without being distracted by the surrounding HTML code.
I like to name my PHP template files so that they end with .html.php. As far as your web server is concerned, though, these are still .php files; the .html.php suffix serves as a useful reminder that these files contain both HTML and PHP code.
Security Concerns
One problem with separating out the HTML and PHP code into different files is that someone could potentially run the .html.php code without having had it included from a corresponding PHP file. This isn’t a big problem, but anyone could visit count.html.php directly. If you type http://192.168.10.10/count.html.php into your web browser, instead of seeing the count from one to ten, you'll see an error message: Notice: Undefined variable: output in /home/vagrant/Code/Project/public/count.html.php on line 9.
It’s better not to let people run code in a manner you’re not expecting. Depending on what the page is doing, this might let them bypass security checks you have in place and view content they shouldn’t have access to. For example, consider the following code:
if ($_POST['password'] == 'secret') {
include 'protected.html.php';
}
Looking at this code, it appears that you need to submit a form and type secret in the password box to see the protected content in protected.html.php. However, if someone can navigate directly to protected.html.php and see the contents of the page, it makes the security check redundant. There are other potential security issues introduced by making all your files accessible via a URL. Avoiding security problems like these is easy. You can actually include files from a directory other than the public directory.
You may have wondered earlier why we created a Project directory and then wrote all our files to the public directory inside Project. Well, this issue of security is the reason why. None of the files outside the public directory are accessible via a URL (by someone typing the file name into their web browser).
The include command can be tweaked to include files from another directory. In our case, that directory is going to the Project directory, which contains the files we’ve been working on so far.
So the question is, when the include file is in a different directory, how does a PHP script find it? The most obvious method is to specify the location of the include file as an absolute path. Here’s how this would look on a Windows server:
<?php include 'C:/Program Files/Apache Software Foundation/Apache2.2/protected.html.php'; ?>
And here’s how it would look using the Homestead Improved box:
<?php include '/home/vagrant/Code/Project/protected.html.php'; ?>
While this method will work, it’s undesirable because it ties your site’s code to your web server configuration. Ideally, you should be able to drop your PHP-based website onto any PHP-enabled web server and just watch it run. This is particularly important because many developers will build a site on one server, then deploy it publicly on a different server. That’s impractical if your code refers to drives and directories that are specific to one particular server. Even if you do have the luxury of working on a single server, you’ll be kicking yourself if you ever need to move your website to another drive/directory on that server.
A better method is to use a relative path. That is, the location of a file relative to the current file. When you use include 'count.html.php' this is actually a relative path, count.html.php is being included from the same directory as the script that was executed.
To include a file from the directory above, you can use the following code:
include '../count.html.php';
../ tells PHP to look for the file in the directory above the directory of the current script. It will look for count.html.php in the Project directory instead of the public directory.
Go ahead and move count.html.php up a level into the Project directory and amend count.php to reference the new location:
PHP-Count-Template-Secured
<?php
$output = '';
for ($count = 1; $count <= 10; $count++) {
$output .= $count . ' ';
}
include '../count.html.php';
If you run the code above, it will work. But there’s a potential problem when you include files in this way. Relative paths are relative to the script that was run, not to each file.
That is, if you open up Project/count.html.php and add the line include 'count2.html.php'; you would expect count2.html.php to be included from the Project directory. However, the path is relative to something called the current working directory, which, when you run a PHP script, is initially set to the directory that script is stored in. So running include 'count2.html.php'; from count.html.php will actually try to load count2.html.php from the public directory!
The current working directory is set at the start of the script and applies to all the include statements, regardless of what file they are in. To make things even more confusing, it’s possible to change the current working directory using the chdir() function.
Because of this, we can’t rely on this:
include '../count.html.php';
It will work, but if the directory is changed, or count.php itself is an include file, it may not have the result we’re expecting.
To overcome this, we do actually need to use relative paths. Luckily, PHP provides a constant called __DIR__ (that’s two underscores, before and after the word DIR) which will always contain the path that contains the current file.
For example, you could create a file called dir.php inside the public directory with the following code:
echo __DIR__;
This will display /home/vagrant/Code/Project/public, which is the full path to the directory containing dir.php. To read count.html.php from the directory above public, it’s possible to combine the /../ operator and the __DIR__ constant:
include __DIR__ . '/../count.html.php';
This will now include the file /home/vagrant/Code/Project/public/../count.html. That is, PHP will look in the public directory, then go up one level into Project and include count.html.php.
This approach will work on any server, because __DIR__ will differ depending on where the file is stored, and it doesn’t depend on the changing current working directory. I’ll be using this approach for including files throughout this book.
From now on, we’ll only write files to the public directory that we actually want users to be able to access directly from their web browser. The public directory will contain any PHP scripts the user needs to access directly along with any images, JavaScript and CSS files required by the browser. Any files only referenced by an include statement will be placed outside the public directory so users can’t access them directly.
As the book goes on, I’m going to introduce you to several different types of include files. To keep things organized, it’s sensible to store different types of include file in different directories. We’ll store template files (with a .html.php extension) inside a directory called templates inside the Project folder. We can then reference them in an include statement using include __DIR__ . '../templates/file.html.php';.
Many Templates, One Controller
What’s nice about using include statements to load your PHP template files is that you can have multiple include statements in a single PHP script, as well as have it display different templates under various circumstances!
A PHP script that responds to a browser request by selecting one of several PHP templates to fill in and send back is commonly called a controller. A controller contains the logic that controls which template is sent to the browser.
Let’s revisit one more example from earlier in this chapter: the welcome form that prompts a visitor for a first and last name.
We’ll start with the PHP template for the form. For this, we can just reuse the name.html file we created earlier. Create a directory templates inside Project if you haven’t already, and save a copy of name.html called form.html.php into this directory. The only code you need to change in this file is the action attribute of the form tag:
PHP-Form-Controller
<html>
<head>
<title>Enter your name</title>
<link rel="stylesheet" href="form.css" />
<meta charset="utf-8">
</head>
<body>
<form action="" method="post">
<label for="firstname">First name:</label>
<input type="text" name="firstname" id="firstname">
<label for="lastname">Last name:</label>
<input type="text" name="lastname" id="lastname">
<input type="submit" value="GO">
</form>
</body>
</html>
As you can see, we’re leaving theaction attribute blank. This tells the browser to submit the form back to the same URL it received it from—in this case, the URL of the controller that included this template file.
Let’s take a look at the controller for this example. Create an index.php inside the public directory containing the following code:
<?php
if (!isset($_POST['firstname'])) {
include __DIR__ . '/../templates/form.html.php';
} else {
$firstName = $_POST['firstname'];
$lastName = $_POST['lastname'];
if ($firstName == 'Kevin' && $lastName == 'Yank') {
$output = 'Welcome, oh glorious leader!';
} else {
$output = 'Welcome to our website, ' .
htmlspecialchars($firstName, ENT_QUOTES, 'UTF-8') . ' ' .
htmlspecialchars($lastName, ENT_QUOTES, 'UTF-8') . '!';
}
include __DIR__ . '/../templates/welcome.html.php';
}
This code should look quite familiar at first glance. It’s a lot like the name.php script we wrote earlier. Let me explain the differences:
The controller’s first task is to decide whether the current request is a submission of the form in
form.html.phpor not. You can do this by checking if the request contains afirstnamevariable. If it does, PHP will have stored the value in$_POST['firstname'].issetis a built-in PHP function that will tell you if a particular variable (or array element) has been assigned a value or not. If$_POST['firstname']has a value,isset($_POST['firstname'])will be true. If$_POST['firstname']is unset,isset($_POST['firstname'])will be false.For the sake of readability, I like to put the code that sends the form in my controller first. We need this
ifstatement to check if$_POST['firstname']is not set. To do this, we use the not operator (!). By putting this operator before the name of a function, you reverse the value that function returns—from true to false, or from false to true.Thus, if the request does not contain a
firstnamevariable, then!isset($_POST['firstname'])will return true, and the body of theifstatement will be executed.If the request is not a form submission, the controller includes the
form.html.phpfile to display the form.If the request is a form submission, the body of the
elsestatement is executed instead.This code pulls the
firstnameandlastnamevariables out of the$_POSTarray, and then generates the appropriate welcome message for the name submitted.Instead of
echoing the welcome message, the controller stores the welcome message in a variable named$output.After generating the appropriate welcome message, the controller includes the
welcome.html.phptemplate, which will display that welcome message.
All that’s left is to write the welcome.html.php into the templates directory. Here it is:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Form Example</title>
</head>
<body>
<p>
<?php echo $output; ?>
</p>
</body>
</html>
That’s it! Fire up your browser and point it at http://192.168.10.10/index.php. You’ll be prompted for your name, and when you submit the form, you’ll see the appropriate welcome message. The URL should stay the same throughout this process.
You’ll have noticed I asked you to name the file index.php instead of name.php or similar. The reason I used index.php is because it has a special meaning. index.php is known as a directory index. If you don’t specify a filename when you visit the URL in your browser, the server will look for a file named index.php and display that. Try typing just http://192.169.10.10 into your browser and you’ll see the index page.
Web Server Configuration
Web servers can have different configurations and specify a different file to be the directory index. However, on most web servers index.php will work without any further configuration.
One of the benefits of maintaining the same URL throughout this process of prompting the user for a name and displaying the welcome message is that the user can bookmark the page at any time during this process and gain a sensible result. Whether it’s the form page or the welcome message that’s bookmarked, when the user returns, the form will be present once again. In the previous version of this example, where the welcome message had its own URL, returning to that URL without submitting the form would have generated a broken welcome message (“Welcome to our website, !”), or a PHP error message if, like Homestead Improved, the server is running with error reporting enabled.
Remembering the User’s Name
In Chapter 11, I’ll show you how to remember the user’s name between visits.
Bring on the Database
In this chapter, we’ve seen the PHP server-side scripting language in action as we’ve explored all the basic language features: statements, variables, operators, comments, and control structures. The sample applications we’ve seen have been reasonably simple, but we’ve still taken the time to ensure they have attractive URLs, and that the HTML templates for the pages they generate are uncluttered by the PHP code that controls them.
As you may have begun to suspect, the real power of PHP is in its hundreds (even thousands) of built-in functions that let you access data in a MySQL database, send email, dynamically generate images, and even create Adobe Acrobat PDF files on the fly.
In Chapter 3, we’ll delve into the MySQL functions built into PHP, and then create a database of jokes. Then in Chapter 4, we’ll see how to publish the joke database we created to the Web. These tasks will set the scene for the ultimate goal of this book: to create a complete content management system for your website in PHP and MySQL.