You are previewing Programming PHP, 3rd Edition.

Programming PHP, 3rd Edition

Cover of Programming PHP, 3rd Edition by Kevin Tatroe... Published by O'Reilly Media, Inc.
  1. Dedication
  2. Special Upgrade Offer
  3. Foreword
  4. Preface
    1. Audience
    2. Assumptions This Book Makes
    3. Contents of This Book
    4. Conventions Used in This Book
    5. Using Code Examples
    6. Safari® Books Online
    7. How to Contact Us
    8. Acknowledgments
      1. Kevin Tatroe
      2. Peter MacIntyre
  5. 1. Introduction to PHP
    1. What Does PHP Do?
    2. A Brief History of PHP
      1. The Evolution of PHP
      2. The Widespread Use of PHP
    3. Installing PHP
    4. A Walk Through PHP
      1. Configuration Page
      2. Forms
      3. Databases
      4. Graphics
  6. 2. Language Basics
    1. Lexical Structure
      1. Case Sensitivity
      2. Statements and Semicolons
      3. Whitespace and Line Breaks
      5. Literals
      6. Identifiers
      7. Keywords
    2. Data Types
      1. Integers
      2. Floating-Point Numbers
      3. Strings
      4. Booleans
      5. Arrays
      6. Objects
      7. Resources
      8. Callbacks
      9. NULL
    3. Variables
      1. Variable Variables
      2. Variable References
      3. Variable Scope
      4. Garbage Collection
    4. Expressions and Operators
      1. Number of Operands
      2. Operator Precedence
      3. Operator Associativity
      4. Implicit Casting
      5. Arithmetic Operators
      6. String Concatenation Operator
      7. Auto-increment and Auto-decrement Operators
      8. Comparison Operators
      9. Bitwise Operators
      10. Logical Operators
      11. Casting Operators
      12. Assignment Operators
      13. Miscellaneous Operators
    5. Flow-Control Statements
      1. if
      2. switch
      3. while
      4. for
      5. foreach
      6. try...catch
      7. declare
      8. exit and return
      9. goto
    6. Including Code
    7. Embedding PHP in Web Pages
      1. Standard (XML) Style
      2. SGML Style
      3. ASP Style
      4. Script Style
      5. Echoing Content Directly
  7. 3. Functions
    1. Calling a Function
    2. Defining a Function
    3. Variable Scope
      1. Global Variables
      2. Static Variables
    4. Function Parameters
      1. Passing Parameters by Value
      2. Passing Parameters by Reference
      3. Default Parameters
      4. Variable Parameters
      5. Missing Parameters
      6. Type Hinting
    5. Return Values
    6. Variable Functions
    7. Anonymous Functions
  8. 4. Strings
    1. Quoting String Constants
      1. Variable Interpolation
      2. Single-Quoted Strings
      3. Double-Quoted Strings
      4. Here Documents
    2. Printing Strings
      1. echo
      2. print()
      3. printf()
      4. print_r() and var_dump()
    3. Accessing Individual Characters
    4. Cleaning Strings
      1. Removing Whitespace
      2. Changing Case
    5. Encoding and Escaping
      1. HTML
      2. URLs
      3. SQL
      4. C-String Encoding
    6. Comparing Strings
      1. Exact Comparisons
      2. Approximate Equality
    7. Manipulating and Searching Strings
      1. Substrings
      2. Miscellaneous String Functions
      3. Decomposing a String
      4. String-Searching Functions
    8. Regular Expressions
      1. The Basics
      2. Character Classes
      3. Alternatives
      4. Repeating Sequences
      5. Subpatterns
      6. Delimiters
      7. Match Behavior
      8. Character Classes
      9. Anchors
      10. Quantifiers and Greed
      11. Noncapturing Groups
      12. Backreferences
      13. Trailing Options
      14. Inline Options
      15. Lookahead and Lookbehind
      16. Cut
      17. Conditional Expressions
      18. Functions
      19. Differences from Perl Regular Expressions
  9. 5. Arrays
    1. Indexed Versus Associative Arrays
    2. Identifying Elements of an Array
    3. Storing Data in Arrays
      1. Adding Values to the End of an Array
      2. Assigning a Range of Values
      3. Getting the Size of an Array
      4. Padding an Array
    4. Multidimensional Arrays
    5. Extracting Multiple Values
      1. Slicing an Array
      2. Splitting an Array into Chunks
      3. Keys and Values
      4. Checking Whether an Element Exists
      5. Removing and Inserting Elements in an Array
    6. Converting Between Arrays and Variables
      1. Creating Variables from an Array
      2. Creating an Array from Variables
    7. Traversing Arrays
      1. The foreach Construct
      2. The Iterator Functions
      3. Using a for Loop
      4. Calling a Function for Each Array Element
      5. Reducing an Array
      6. Searching for Values
    8. Sorting
      1. Sorting One Array at a Time
      2. Natural-Order Sorting
      3. Sorting Multiple Arrays at Once
      4. Reversing Arrays
      5. Randomizing Order
    9. Acting on Entire Arrays
      1. Calculating the Sum of an Array
      2. Merging Two Arrays
      3. Calculating the Difference Between Two Arrays
      4. Filtering Elements from an Array
    10. Using Arrays
      1. Sets
      2. Stacks
    11. Iterator Interface
  10. 6. Objects
    1. Terminology
    2. Creating an Object
    3. Accessing Properties and Methods
    4. Declaring a Class
      1. Declaring Methods
      2. Declaring Properties
      3. Declaring Constants
      4. Inheritance
      5. Interfaces
      6. Traits
      7. Abstract Methods
      8. Constructors
      9. Destructors
    5. Introspection
      1. Examining Classes
      2. Examining an Object
      3. Sample Introspection Program
    6. Serialization
  11. 7. Web Techniques
    1. HTTP Basics
    2. Variables
    3. Server Information
    4. Processing Forms
      1. Methods
      2. Parameters
      3. Self-Processing Pages
      4. Sticky Forms
      5. Multivalued Parameters
      6. Sticky Multivalued Parameters
      7. File Uploads
      8. Form Validation
    5. Setting Response Headers
      1. Different Content Types
      2. Redirections
      3. Expiration
      4. Authentication
    6. Maintaining State
      1. Cookies
      2. Sessions
      3. Combining Cookies and Sessions
    7. SSL
  12. 8. Databases
    1. Using PHP to Access a Database
    2. Relational Databases and SQL
      1. PHP Data Objects
    3. MySQLi Object Interface
      1. Retrieving Data for Display
    4. SQLite
    5. Direct File-Level Manipulation
    6. MongoDB
      1. Retrieving Data
      2. Inserting More Complex Data
  13. 9. Graphics
    1. Embedding an Image in a Page
    2. Basic Graphics Concepts
    3. Creating and Drawing Images
      1. The Structure of a Graphics Program
      2. Changing the Output Format
      3. Testing for Supported Image Formats
      4. Reading an Existing File
      5. Basic Drawing Functions
    4. Images with Text
      1. Fonts
      2. TrueType Fonts
    5. Dynamically Generated Buttons
      1. Caching the Dynamically Generated Buttons
      2. A Faster Cache
    6. Scaling Images
    7. Color Handling
      1. Using the Alpha Channel
      2. Identifying Colors
      3. True Color Indexes
      4. Text Representation of an Image
  14. 10. PDF
    1. PDF Extensions
    2. Documents and Pages
      1. A Simple Example
      2. Initializing the Document
      3. Outputting Basic Text Cells
    3. Text
      1. Coordinates
      2. Text Attributes
      3. Page Headers, Footers, and Class Extension
      4. Images and Links
      5. Tables and Data
  15. 11. XML
    1. Lightning Guide to XML
    2. Generating XML
    3. Parsing XML
      1. Element Handlers
      2. Character Data Handler
      3. Processing Instructions
      4. Entity Handlers
      5. Default Handler
      6. Options
      7. Using the Parser
      8. Errors
      9. Methods as Handlers
      10. Sample Parsing Application
    4. Parsing XML with DOM
    5. Parsing XML with SimpleXML
    6. Transforming XML with XSLT
  16. 12. Security
    1. Filter Input
    2. Cross-Site Scripting
      1. SQL Injection
    3. Escape Output
      1. Filenames
    4. Session Fixation
    5. File Uploads
      1. Distrust Browser-Supplied Filenames
      2. Beware of Filling Your Filesystem
      3. Surviving register_globals
    6. File Access
      1. Restrict Filesystem Access to a Specific Directory
      2. Get It Right the First Time
      3. Don’t Use Files
      4. Session Files
      5. Concealing PHP Libraries
    7. PHP Code
    8. Shell Commands
    9. More Information
    10. Security Recap
  17. 13. Application Techniques
    1. Code Libraries
    2. Templating Systems
    3. Handling Output
      1. Output Buffering
      2. Compressing Output
    4. Error Handling
      1. Error Reporting
      2. Error Suppression
      3. Triggering Errors
      4. Defining Error Handlers
    5. Performance Tuning
      1. Benchmarking
      2. Profiling
      3. Optimizing Execution Time
      4. Optimizing Memory Requirements
      5. Reverse Proxies and Replication
  18. 14. PHP on Disparate Platforms
    1. Writing Portable Code for Windows and Unix
      1. Determining the Platform
      2. Handling Paths Across Platforms
      3. The Server Environment
      4. Sending Mail
      5. End-of-Line Handling
      6. End-of-File Handling
      7. External Commands
      8. Common Platform-Specific Extensions
    2. Interfacing with COM
      1. Background
      2. PHP Functions
      3. Determining the API
  19. 15. Web Services
    1. REST Clients
      1. Responses
      2. Retrieving Resources
      3. Updating Resources
      4. Creating Resources
      5. Deleting Resources
    2. XML-RPC
      1. Servers
      2. Clients
  20. 16. Debugging PHP
    1. The Development Environment
    2. The Staging Environment
    3. The Production Environment
    4. php.ini Settings
    5. Manual Debugging
    6. Error Log
    7. IDE Debugging
    8. Additional Debugging Techniques
  21. 17. Dates and Times
  22. A. Function Reference
    1. PHP Functions by Category
      1. Arrays
      2. Classes and Objects
      3. Date and Time
      4. Directories
      5. Errors and Logging
      6. Program Execution
      7. Filesystem
      8. Data Filtering
      9. Functions
      10. PHP Options/Info
      11. Mail
      12. Math
      13. Miscellaneous Functions
      14. Network
      15. Output Buffering
      16. Session Handling
      17. Streams
      18. Strings
      19. PHP Language Tokenizer
      20. URLs
      21. Variables
    2. Alphabetical Listing of PHP Functions
  23. Index
  24. About the Authors
  25. Colophon
  26. Special Upgrade Offer
  27. Copyright
O'Reilly logo

Encoding and Escaping

Because PHP programs often interact with HTML pages, web addresses (URLs), and databases, there are functions to help you work with those types of data. HTML, web page addresses, and database commands are all strings, but they each require different characters to be escaped in different ways. For instance, a space in a web address must be written as %20, while a literal less-than sign (<) in an HTML document must be written as &lt;. PHP has a number of built-in functions to convert to and from these encodings.


Special characters in HTML are represented by entities such as &amp; and &lt;. There are two PHP functions that turn special characters in a string into their entities: one for removing HTML tags, and one for extracting only meta tags.

Entity-quoting all special characters

The htmlentities() function changes all characters with HTML entity equivalents into those equivalents (with the exception of the space character). This includes the less-than sign (<), the greater-than sign (>), the ampersand (&), and accented characters.

For example:

$string = htmlentities("Einstürzende Neubauten");
echo $string;
Einstürzende Neubauten

The entity-escaped version (&uuml;—seen by viewing the source) correctly displays as ü in the rendered web page. As you can see, the space has not been turned into &nbsp;.

The htmlentities() function actually takes up to three arguments:

$output = htmlentities(input, quote_style, charset);

The charset parameter, if given, identifies the character set. The default is “ISO-8859-1.” The quote_style parameter controls whether single and double quotes are turned into their entity forms. ENT_COMPAT (the default) converts only double quotes, ENT_QUOTES converts both types of quotes, and ENT_NOQUOTES converts neither. There is no option to convert only single quotes. For example:

$input = <<< End
"Stop pulling my hair!"  Jane's eyes flashed.<p>

$double = htmlentities($input);
// &quot;Stop pulling my hair!&quot;  Jane's eyes flashed.&lt;p&gt;

$both = htmlentities($input, ENT_QUOTES);
// &quot;Stop pulling my hair!&quot;  Jane&#039;s eyes flashed.&lt;p&gt;

$neither = htmlentities($input, ENT_NOQUOTES);
// "Stop pulling my hair!"  Jane's eyes flashed.&lt;p&gt;

Entity-quoting only HTML syntax characters

The htmlspecialchars() function converts the smallest set of entities possible to generate valid HTML. The following entities are converted:

  • Ampersands (&) are converted to &amp;

  • Double quotes (") are converted to &quot;

  • Single quotes (') are converted to &#039; (if ENT_QUOTES is on, as described for htmlentities())

  • Less-than signs (<) are converted to &lt;

  • Greater-than signs (>) are converted to &gt;

If you have an application that displays data that a user has entered in a form, you need to run that data through htmlspecialchars() before displaying or saving it. If you don’t, and the user enters a string like "angle < 30" or "sturm & drang", the browser will think the special characters are HTML, resulting in a garbled page.

Like htmlentities(), htmlspecialchars() can take up to three arguments:

$output = htmlspecialchars(input, [quote_style, [charset]]);

The quote_style and charset arguments have the same meaning that they do for htmlentities().

There are no functions specifically for converting back from the entities to the original text, because this is rarely needed. There is a relatively simple way to do this, though. Use the get_html_translation_table() function to fetch the translation table used by either of these functions in a given quote style. For example, to get the translation table that htmlentities() uses, do this:

$table = get_html_translation_table(HTML_ENTITIES);

To get the table for htmlspecialchars() in ENT_NOQUOTES mode, use:

$table = get_html_translation_table(HTML_SPECIALCHARS, ENT_NOQUOTES);

A nice trick is to use this translation table, flip it using array_flip(), and feed it to strtr() to apply it to a string, thereby effectively doing the reverse of htmlentities():

$str = htmlentities("Einstürzende Neubauten"); // now it is encoded

$table = get_html_translation_table(HTML_ENTITIES);
$revTrans = array_flip($table);

echo strtr($str, $revTrans);  // back to normal
Einstürzende Neubauten

You can, of course, also fetch the translation table, add whatever other translations you want to it, and then do the strtr(). For example, if you wanted htmlentities() to also encode spaces to &nbsp;s, you would do:

$table = get_html_translation_table(HTML_ENTITIES);
$table[' '] = '&nbsp;';
$encoded = strtr($original, $table);

Removing HTML tags

The strip_tags() function removes HTML tags from a string:

$input  = '<p>Howdy, &quot;Cowboy&quot;</p>';
$output = strip_tags($input);
// $output is 'Howdy, &quot;Cowboy&quot;'

The function may take a second argument that specifies a string of tags to leave in the string. List only the opening forms of the tags. The closing forms of tags listed in the second parameter are also preserved:

$input  = 'The <b>bold</b> tags will <i>stay</i><p>';
$output = strip_tags($input, '<b>');
// $output is 'The <b>bold</b> tags will stay'

Attributes in preserved tags are not changed by strip_tags(). Because attributes such as style and onmouseover can affect the look and behavior of web pages, preserving some tags with strip_tags() won’t necessarily remove the potential for abuse.

Extracting meta tags

The get_meta_tags() function returns an array of the meta tags for an HTML page, specified as a local filename or URL. The name of the meta tag (keywords, author, description, etc.) becomes the key in the array, and the content of the meta tag becomes the corresponding value:

$metaTags = get_meta_tags('');
echo "Web page made by {$metaTags['author']}";
Web page made by John Doe

The general form of the function is:

$array = get_meta_tags(filename [, use_include_path]);

Pass a true value for use_include_path to let PHP attempt to open the file using the standard include path.


PHP provides functions to convert to and from URL encoding, which allows you to build and decode URLs. There are actually two types of URL encoding, which differ in how they treat spaces. The first (specified by RFC 3986) treats a space as just another illegal character in a URL and encodes it as %20. The second (implementing the application/x-www-form-urlencoded system) encodes a space as a + and is used in building query strings.

Note that you don’t want to use these functions on a complete URL, such as, as they will escape the colons and slashes to produce:

Only encode partial URLs (the bit after and add the protocol and domain name later.

RFC 3986 encoding and decoding

To encode a string according to the URL conventions, use rawurlencode():

$output = rawurlencode(input);

This function takes a string and returns a copy with illegal URL characters encoded in the %dd convention.

If you are dynamically generating hypertext references for links in a page, you need to convert them with rawurlencode():

$name = "Programming PHP";
$output = rawurlencode($name);
echo "http://localhost/{$output}";

The rawurldecode() function decodes URL-encoded strings:

$encoded = 'Programming%20PHP';
echo rawurldecode($encoded);
Programming PHP

Query-string encoding

The urlencode() and urldecode() functions differ from their raw counterparts only in that they encode spaces as plus signs (+) instead of as the sequence %20. This is the format for building query strings and cookie values. These functions can be useful in supplying form-like URLs in the HTML. PHP automatically decodes query strings and cookie values, so you don’t need to use these functions to process those values. The functions are useful for generating query strings:

$baseUrl = '';
$query = 'PHP sessions -cookies';
$url = $baseUrl . urlencode($query);
echo $url;


Most database systems require that string literals in your SQL queries be escaped. SQL’s encoding scheme is pretty simple—single quotes, double quotes, NUL-bytes, and backslashes need to be preceded by a backslash. The addslashes() function adds these slashes, and the stripslashes() function removes them:

$string = <<< EOF
"It's never going to work," she cried,
as she hit the backslash (\) key.
$string = addslashes($string);
echo $string;
echo stripslashes($string);
\"It\'s never going to work,\" she cried,
as she hit the backslash (\\) key.
"It's never going to work," she cried,
as she hit the backslash (\) key.


Some databases (Sybase, for example) escape single quotes with another single quote instead of a backslash. For those databases, enable magic_quotes_sybase in your php.ini file.

C-String Encoding

The addcslashes() function escapes arbitrary characters by placing backslashes before them. With the exception of the characters in Table 4-4, characters with ASCII values less than 32 or above 126 are encoded with their octal values (e.g., "\002"). The addcslashes() and stripcslashes() functions are used with nonstandard database systems that have their own ideas of which characters need to be escaped.

Table 4-4. Single-character escapes recognized by addcslashes() and stripcslashes()

ASCII value
















Call addcslashes() with two arguments—the string to encode and the characters to escape:

$escaped = addcslashes(string, charset);

Specify a range of characters to escape with the ".." construct:

echo addcslashes("hello\tworld\n", "\x00..\x1fz..\xff");

Beware of specifying '0', 'a', 'b', 'f', 'n', 'r', 't', or 'v' in the character set, as they will be turned into '\0', '\a', etc. These escapes are recognized by C and PHP and may cause confusion.

stripcslashes() takes a string and returns a copy with the escapes expanded:

$string = stripcslashes(escaped);

For example:

$string = stripcslashes('hello\tworld\n');
// $string is "hello\tworld\n"

The best content for your career. Discover unlimited learning on demand for around $1/day.