PHP For Beginners

Link

Recommended editors
- PhpStorm
- Visual Studio Code
  - PHP extension
    All-in-One PHP support - IntelliSense, Debug, Formatter, Code Lenses, Code Fixes, Linting, Refactoring, PHPUnit Tests, Web Server, and more.
- Sublime Text
Terminals
- macOS
  - Terminal.app
  - Warp
  - iTerm2
- Windows
  - Windows Terminal
Ways of installing PHP
- macOS and Linux
  - Homebrew
- Windows
- macOS, Windows & Linux
  - XAMPP
- Docker
Database clients
- TablePlus
- phpMyAdmin (MySQL only)

03 - Your First PHP Tag

<?php echo "Hello world"; ?>

04 - Variables

Statements end with a ;
Strings are concatenated with a .
Variables start with a $ sign
Strings can be single-quoted or double-quoted; variables are only evaluated in the latter

05 - Conditionals and Booleans

Conditions:

if (condition) {
  /* ... */
}
else {
  /* ... */
}

Alternative syntax with : and endif:

if (condition):
  /* ... */
else:
  /* ... */
endif;

<?= is shorthand for <?php echo and the semicolon is optional in this case

06 - Arrays

Arrays are declared like [ /* … */ ]

Loop:

foreach ($var as $i) {
  /* ... do something with $i ... */
}

Alternative syntax with : and endforeach, often used in views:

foreach ($var as $i):
  /* ... do something with $i ... */
endforeach;

When echo’ing a variable that should immediately be followed by some other text, we can wrap it in curly braces:
```
<?php echo "{$i}©"; ?>
```

07 - Associative Arrays

Array indices start at zero
Arrays can be indexed:
```
$books[2]
```
Arrays can be nested

Associative arrays are indexed by key instead of numbers:

$book = [
  'name' => 'Do Androids Dream of Electric Sheep',
  'author' => 'Philip K. Dick'
];

echo $book['name'];

08 - Functions and Filters

= assigns a value
== compares equality of value
=== compares equality of value and type

Function definition and parameters:

function filterByAuthor($books) {
  // ...
}

Returning data from a function:
```
return 'foo';
```

[] = appends a value to an array:

$filteredBooks = [];
$filteredBooks[] = $book;

09 - Lambda Functions

“Lambda functions” is the technical term for “anonymous functions”, i.e. functions that are not named (function foo(a) { }, called foo(b)), but may still be assigned to variables ($foo = function (a) { };, called $foo(b);).
array_filter is one of many useful functions included with PHP.

10 - Separate Logic From the Template

The last ?> on the page may be omitted (unless there is HTML after it)
Good idea to separate logic (e.g., accessing the database or other servers) from the HTML (also called the template or “view”)
For reuse or separation, code files can be “imported” using require or include

12 - Page Links

How not to do things: duplication of code

13 - PHP Partials

Controllers are responsible for accepting and processing an incoming request and providing a response

14 - Superglobals and Current Page Styling

var_dump converts the value of e.g. arrays and outputs them as a string
“Superglobals”, such as $_GET, $_POST, $_SERVER, are available from anywhere
die() exits processing
Ternary operator expr ? if_truthy : else as a shorthand for if/else

15 - Make a PHP Router

A router maps the URI to the corresponding controller
parse_url() splits a URI into path and query(string)
array_key_exists() checks if an array has a given key
http_response_code() sets the HTTP status code
Remember: For variables to be substituted within strings, the string must be enclosed in double quotes, and the variable must be enclosed in (a single set of) curly brackets
Set a default for a parameter to make it optional, e.g.:

function foo($var = 12345) { /* ... */ }

16 - Create a MySQL Database

Install MySQL 8.0 on Ubuntu 22.04 running in WSL:

sudo apt install -y mysql-server-8.0
sudo /etc/init.d/mysql start

Create a database for this course:

sudo mysql -e "CREATE DATABASE myapp;"

17 - PDO First Steps

Classes 101
- Think of a class like a blueprint for anything
- Functions within a class are called “methods”
- The default visibility for a class method is “public”, but it is good coding style to declare that explicitly
  - Other visibilities are e.g. “protected” and “private”
- Instances of classes are called “objects”
- Class members on objects are accessed with the -> characters, e.g.:
```
class Person {
  public $name;
}

$person = Person();
$person->name = 'John Doe';
```
- Within a method (class function), the current object can be accessed using the $this keyword/variable
Remember: The string concatenation character is . (a dot)
Installing and enabling the PDO MySQL driver for the CLI server (assuming PHP 8.1 on Ubuntu 22.04 installed using the Ondřej Surý PPA):
```
sudo apt install php8.1-mysql
sudo phpenmod pdo_mysql
```
phpenmod, phpdismod and phpquery are tools for enabling, disabling and viewing the status of PHP modules, they are included in the php-common package (on Ubuntu 22.04)

Creating a MySQL user for the demo/course app:

CREATE USER 'myapp'@'localhost' IDENTIFIED BY 'SOME_SUPER_SECURE_PASSWORD_GOES_HERE';
GRANT ALL ON myapp.* TO 'myapp'@'localhost';
FLUSH PRIVILEGES;

For the demo to work, I had to change the host in the DSN from “localhost” to “127.0.0.1”.

18 - Extract a PHP Database Class

The constructor method is called __construct() in PHP.
If the PHP file only contains a class, the convention is to start the file name with a capital letter.

19 - Environments and Configuration Flexibility

The “scope resolution operator” :: gives access to constants (“static values”) defined in a class, e.g. we used it when referencing PDO::FETCH_ASSOC-
http_build_query() converts an associative array to a querystring
A PHP file can return something - and that return value can be assigned to a variable in another file using the require statement
- Good for e.g. configuration values

20 - SQL Injection Vulnerabilities Explained

To avoid SQL injection, substitute any dynamic (user-provided) values in SQL statements with ? or :name placeholders, and bind the actual values by providing them as an array to the execute() method

21 - Database Tables and Indexes

Unique indices prevent multiple rows from having the same value in the same column (e.g. multiple users having the same email address)
Foreign keys reference other tables
ON UPDATE/ON DELETE configure rules to keep the database integrity intact, e.g. here to automatically delete all of a user’s notes when the user gets deleted

22 - Render the Notes and Note Page

23 - Introduction to Authorization

Trying to fetch a non-existing result (no rows) from the database results in the return value false

24 - Programming is Rewriting

25 - Intro to Forms and Request Methods

Good coding style / conventions:
- Start all controllers/views/etc. related to the same “class”/topic with the same expression, e.g.:
- If one controller relates to one view - call the files the same
- A plural route (“/notes”) should show a list of items of that type
- A singular route (“/note/ID-SLUG”) should show a single note with that ID/slug
All form input fields should have a corresponding name, which will often be the same as the property/database column
GET requests should be idempotent (not changing data on the server/database, except request logging obviously)
POST request data can be accessed using the superglobal $_POST

26 - Always Escape Untrusted Input

Always assume that the user is guilty (i.e. malicious) until proven otherwise
htmlspecialchars() converts HTML code to plain text (no risk of XSS when displaying it)

27 - Intro to Form Validation

Use client-side validation to provide faster feedback to the regular user, but server-side validation to avoid abuse by malicious actors (or users with Javascript disabled for some reason)
isset() can be used to determine if a variable exists (including whether a key exists in an associate array) and is set to something else than null
The “null coalescing operator” ??, introduced in PHP 7, uses the following value if the preceding one does not exist, e.g. the following snippets are equivalent:
```
<?= isset($_POST['body']) ? $_POST['body'] : '' ?>
```
```
<?= $_POST['body'] ?? '' ?>
```
strlen() returns the length of a string

28 - Extract a Simple Validator Class

trim() removes whitespace from the beginning and end of a string
INF is a global constant for “infinity”, i.e. the largest number
A “pure function” does not require any state from the outside (“self-contained”; only relying on its input to produce its output)
Methods which are pure functions can be made “static”, which means they can be called directly using the class and the :: operator, without having to instantiate an object of the class first
filter_var() can e.g. be used for validating that something looks like a valid email address

29 - Resourceful Naming Conventions

__DIR__ gives the directory of the current file

30 - PHP Autoloading and Extraction

The path to the project root is often called BASE_PATH.
Constants are declared using the const keyword and do not start with a $ sign.
extract() turns an array into a set of (declared) variables
spl_autoload_register() can be used to autoload classes and avoid the issue of having to require them (and the risk of requiring them twice, resulting in an error about duplicate declaration)

31 - Namespacing: What, Why, How?

The namespace keyword is used to declare a namespace in PHP
Namespaces are used to prevent conflicts between classes that have the same name and can be used to organize code by grouping related classes together
When using a namespaced file, use the use keyword to “import” it
str_replace() replaces occurances of strings in strings with other strings
DIRECTORY_SEPARATOR is a global constant that contains the current operating system’s directory separator (e.g., / or \)
By now it should be obvious that the convention is to name constants with all capital letters 😀
Every class mentioned in a “namespaced” class is assumed to be in the same namespace
To reference a class in the “global” namespace (i.e. without a namespace), prefix it with the \ (backslash) character
Instead, one can also use a class from the global namespace, which also serves as a sort of documentation (answering the question “which other classes are used within this class?”)