Devinterview-io/php-interview-questions

🟣 PHP interview questions and answers to help you prepare for your next technical interview in 2024.

100 Must-Know PHP Interview Questions

You can also find all 100 answers here 👉 Devinterview.io - PHP

1. What does PHP stand for and what is its main purpose?

PHP originally represented "Personal Home Page," signifying its early focus on web development. It has since evolved to suggest "PHP: Hypertext Preprocessor," emphasizing its role in server-side scripting and building dynamic web content.

Core Functions

• Generating Dynamic Content: PHP is adept at generating dynamic web content, web pages, images, and more.
• Handling Form Data: It efficiently processes form data from HTML input fields.
• Accessing Databases: PHP can interact with databases, empowering dynamic content storage and management.
• Session Management: It enables web state management, crucial for maintaining user context across multiple requests.
• File System Interaction: PHP can manipulate files on the server filesystem.
• Email Sending: It provides the capability to send emails directly from the server.
• User Authentication: PHP can authenticate users and manage their access within web applications.

What PHP Is and Isn't

• Server-Side Scripting Language: PHP excels in orchestrating server operations, including complex storage and retrieval tasks.
• HTML Embedding Compatibility: Its syntax within web documents is reminiscent of HTML, interleaving with the content for seamless integration.
• Not Purely Object-Oriented: While it now supports object-oriented programming paradigms, it continues to offer primarily procedural constructs.
• Text Pre-Processor and Interpreter: PHP initially parses embedded code within text via the pre-processor, swiftly executing it to yield HTML or other output.

2. How do you execute a PHP script from the command line?

Executing a PHP script from the command line involves using the php CLI tool.

Using the php Command

To run a PHP script, use the following command:

php your_script.php

Arguments

• Input: The -f option allows you to provide a file.
• Output: Use -i to see the configuration, and -r to run a snippet without a script.
• When Installed: --run is an alternative for Unix systems without a shebang line.
• PHP Version: Use -v to check the installed PHP version.

Examples

• Running a File:

  php -f script.php

• Displaying PHP Info:

  php -i

• Running a Single Command:

  php -r 'echo "Hello, PHP!";'

Setting Up Environment Variables

You can configure PHP-specific environment variables, allowing for script customization or convenience. For example:

• Using a different configuration file: php -c <custom-config>.ini -f script.php
• Customizing extensions' path: PHP_INI_SCAN_DIR=/path/to/extensions php -f script.php

Managing the Standard Input/Output Channels

By default, PHP's CLI environment allows input from the terminal or using pipes. It prints output to the terminal.

Redirections and Pipelines, such as > or |, can be leveraged for customizing how input and output are handled.

Redirections

• Sending output to a file: php script.php > output.txt
• Appending to a file: php script.php >> output.txt
• Reading from a file: php script.php < input.txt

Pipelines

Pipelines can be used for more complex I/O operations. The following example involves running script.php, which produces a list of URLs, and then the crawler.php script visits each of those URLs:

php script.php | php crawler.php

Running PHP from Non-Unix Systems

On certain platforms, you might need to use php-cgi or specify the .exe extension. For instance:

• Windows: php-cgi.exe your_script.php
• macOS: /usr/bin/php your_script.php

It's also common to need to add PHP to your system's path or reference PHP from an absolute path.

3. Can you describe the differences between PHP 5 and PHP 7/8?

Migrating from PHP 5 to PHP 7/8 provides significant improvements in performance, security, and features. However, this transition involves several changes that need to be navigated.

Key Improvements in PHP 7/8

01. Scalar Type Declarations

• PHP 5: Lacked strict scalar typing.
• PHP 7/8: Supports both declare(strict_types=1); for individual files and scalar type hints (int, float, bool, string) in function/method signatures.

02. Return Type Declarations

• PHP 5: Couldn't specify return types.
• PHP 7/8: Enables declaring specific return types using inline notations.

03. Null Coalescing Operator:

• PHP 5: Absent.
• PHP 7/8: Introduced the ?? operator, streamlining null checks.

04. Spaceship Operator

• PHP 5: Lacked support.
• PHP 7/8: Introduced the <=> operator for clearer comparisons.

05. Constant Array/Object Definitions

• PHP 5: Limited to defined constants.
• PHP 7/8: Allows defining arrays and objects with the define keyword.

06. Anonymous Classes

• PHP 5: Lacked support for on-the-fly class definition.
• PHP 7/8: Introduced classes without explicit declarations.

07. Iterable Type Hint

• PHP 5: No specific hint for iterable types.
• PHP 7/8: Offers the iterable type hint, providing a generic type for traversable data structures.

08. CSPRNG Functions

• PHP 5: Weaker random number generation.
• PHP 7/8: Provides stronger cryptographic random number functions like random_bytes and random_int.

09. Anonymous Functions

• PHP 5: Required the use keyword for accessing outer scope.
• PHP 7/8: They are now able to automatically capture variables from the outer scope, which eases the syntax.

Changes in PHP 7 and 8

Nullable Return Types

• PHP 7.1: Introduced the ?Type notation to indicate that a function can return either the specified type or null.

Type Declaration Tweaks in PHP 7.4 and PHP 8

• PHP 7.4: The typed_properties=1 directive for strict typing at the class level.
• PHP 8: Introduced ::class constant that returns the class name.

Union Types

• PHP 8: Ability to specify union types in method/function signatures, defining multiple possible return types separated by vertical bars. Example: function foo(): int|bool.
• Initial PHP 7.1 Support: The iterable type hint was introduced in PHP 7.1.

Match Expressions

• PHP 8: Offers the match/case expression as a more precise and powerful variant of switch statements.

Named Arguments

• PHP 8: Allows passing arguments to functions based on their parameter names rather than positions, enhancing clarity.

4. What are the common ways to embed PHP into HTML?

While there are several ways to embed PHP within HTML, the <?php tag, which encloses PHP code, is the most widely used. It's important to note that the choice of method should align with the practical needs of your project.

Common Methods of Embedding PHP in HTML

PHP Short Tags (<? ... ?>)

• Advantages: More concise and readable.
• Drawbacks: Not always enabled; deprecated after PHP v7.0.

ASP-Style Tags (<% ... %>, <%= ... %>, <%# ... %>)

• Advantages: Familiar to ASP developers.
• Drawbacks: Not default behavior; must be enabled.

Script Tags (<script language="php"> ... </script>)

• Advantages: Can be useful in very specific cases.
• Drawbacks: phpBB and Bugs.

Apache Server Embedding (< ? ... ?>)

• Advantages: No need for PHP module.
• Drawbacks: Integration concerns.

Basic PHP Tag (<?php ... ?>)

These tags are always a safe choice and offer the highest compatibility across platforms.

Syntax

<?php
    // Your PHP code here
?>

It's worth noting that <?= is a shortcut equivalent to <?php echo, available in all versions beyond PHP v5.4.

Practical Use-Cases & Benefits

• Standardized, cross-platform approach.
• Compatible with all PHP builds and hosting environments.
• Enhanced readability and maintainability.

Code Playground

Here is the PHP code:

<!DOCTYPE html>
<html>
<head>
    <title>PHP in HTML</title>
</head>
<body>
    <?php
        $name = "John";
        echo "<h1>Welcome, $name!</h1>";
    ?>
</body>
</html>

5. How would you create a PHP variable and how are they scoped (global, local, static)?

PHP variables have diverse scopes, from being accessible globally by all scripts to being confined to defined functions or methods. They can be local, global, and static.

Local Scope

Variables defined within a function are locally scoped and inaccessible outside its body.

Example: Local Scope

Here is the PHP code:

function myFunc() {
   $localVar = "I am local";
   echo $localVar; // Outputs: I am local
}
myFunc();
echo $localVar; // Throws an error

Global Scope

Global variables can be accessed across the entire PHP script, including from within functions.

Example: Global Scope

Here is the PHP code:

$globalVar = "I am global";
function myFunc() {
   echo $globalVar; // Outputs: I am global
}
myFunc();
echo $globalVar; // Outputs: I am global

Function / Method Scope

Variables declared within a function or method are limited in scope to that block.

Example: Function Scope

Here is the PHP code:

function myFunc() {
   $functionVar = "I am function-scoped";
   echo $functionVar; // Outputs: I am function-scoped
}
myFunc();
echo $functionVar; // Throws an error

Static Scope

Static variables retain their values between function calls. They are still function-scoped.

Example: Static Scope

Here is the PHP code:

function counter() {
   static $count = 0;
   $count++;
   echo $count;
}
counter(); // Outputs: 1
counter(); // Outputs: 2
counter(); // Outputs: 3

Superglobals

In PHP, some special predefined arrays, such as $_POST and $_GET, are super global and have a global scope. They are accessible from any part of the code, including within functions and methods.

6. Explain the data types that are supported in PHP.

PHP supports various data types, each serving a distinct role.

Core Data Types

1. Integer (int in PHP 7, integer in earlier versions): Represents whole numbers, both positive and negative.

   • Example: $age = 30;

2. Floating-Point Number (float): Represents decimal numbers, also known as floats or doubles.

   • Example: $price = 9.99;

3. String (string): Signifies sequences of characters, enclosed within single or double quotes.

   • Example: $name = "John";

4. Boolean (bool): Represents logical states - true or false.

   • Example: $isStudent = true;

5. Resource: Placeholder for external resources, such as database connections.

6. Null: Denotes the absence of a value.

Compound Data Types

1. Array: A flexible and indexed data structure that can hold multiple values of different data types.

2. Object: Instances of defined classes that encapsulate data and behavior.

3. Callable: Ensures that a variable is a valid function or method.

4. Iterable: Introduced in PHP 7.1. Any data type that can be looped via foreach.

   • Example: array and Traversable (interface implemented by arrays and classes that are loop-able).

Special Types

PHP has two special types:

1. Pseudotype: These are not actual data types but are considered basic types in PHP.

2. Literal: Introduced in PHP 8, such as mixed, that can accept multiple primitive types.

Code Example: Complex Data Types

Here is the PHP code:

// Create associative array
$person = [
    'name' => 'Alice',
    'age' => 25,
    'isStudent' => true
];

// Define class
class Car {
    public $make;
    public $model;
    
    public function __construct($make, $model) {
        $this->make = $make;
        $this->model = $model;
    }
}

// Instantiate Car object
$myCar = new Car('Toyota', 'Corolla');

// Define function that takes callable parameter
function testFunction(callable $callback) {
    $callback();
}

// Call function and pass an anonymous function
testFunction(function() {
    echo "Callback executed!";
});

7. How does PHP handle error reporting?

In PHP, Error Handling can be configured using either .ini settings, programmatic functions, or a combination of both, offering developers great flexibility.

Configuration Modes

• Local (File-Specific): Adjusts settings for a specific PHP file using ini_set().
• Global: Modifies global PHP settings via php.ini or ini_set().

Enabling Error Reporting

1. Using Functions: error_reporting(E_ALL) enables all types of errors. To target specific error types, bitwise operators come in handy.

2. Using php.ini: Directly edit the php.ini file. Setting error_reporting to E_ALL enables comprehensive reporting.

3. Using ini_set(): For finer control, use ini_set('error_reporting', E_ALL) when you need to adjust settings on a per-file basis.

Or direct the errors to a display or a log:

• To display errors on the screen, configure display_errors as On.
• To log errors to a file, enable them by setting log_errors to On and define the log file with error_log.

Error Types

• E_NOTICE: Informs about non-critical discrepancies.

• E_WARNING: Alerts about more critical problems.

• E_ERROR: Indicates serious faults that halt script execution.

• E_PARSE: Arises from parse errors, such as syntax mistakes.

• E_STRICT: Suggests updates to code for better interoperability.

• E_DEPRECATED: Flags features that are outdated and might be removed in future versions.

• E_RECOVERABLE_ERROR: Major issues that still allow script execution.

Combining Flags

Developers can use error_reporting() in conjunction with bitwise operators to set multiple flags. For example:

• error_reporting(E_ALL & ~E_DEPRECATED) reports all errors except deprecation notices.
• error_reporting(E_ERROR | E_WARNING | E_PARSE) reports only errors, warnings, and parse errors.

Code Validator

Here is the PHP code:

// Enable error reporting
error_reporting(E_ALL);
ini_set('display_errors', 1);

// Generate a warning
$totalCost = 100;
$availableFunds = 50;
if ($totalCost > $availableFunds) {
    trigger_error("Insufficient funds!", E_USER_WARNING);
}

// Generate a fatal error
require 'non_existent_file.php';

// Will not reach this point due to the fatal error above
echo "This will never be displayed.";

8. What is the purpose of php.ini file?

The php.ini file is the configuration center for PHP settings, governing a range of operational aspects. It is an essential tool for managing a server's PHP environment.

Key Functions

• Settings Management: The file allows for the configuration of PHP settings, offering granular control over key directives such as memory_limit and error_reporting.

• Environment Tailoring: By modifying php.ini, developers can fine-tune PHP to best suit their specific applications and environments.

• Error and Security Settings: The file provides a centralized location to manage error reporting, display, and log settings, alongside various security-related configurations.

PHP Versions and Editions

• It's important to note that \foo` variable.

• The file can have different variations across PHP versions, and its absence can pose a problem when troubleshooting.

PHP Modes

• Per-Directory Basis: Some servers permit PHP settings to be defined locally within directories via .htaccess or lighttpd.conf files.
• Run-Time Editing: Certain settings can be reconfigured dynamically via ini_set during script execution.

Recommendations

• Runtime Security: Encrypt or protect the php.ini file to prevent unauthorized access, particularly in environments involving shared hosting.

• Centralized Management: Utilize Version Control Systems (VCS) or configuration management tools to maintain and track changes in the php.ini file.

• Regular Audits: Review the php.ini file periodically to ensure it aligns with security best practices and application requirements.

9. How do you define a constant in PHP?

In PHP, a constant is a named identifier whose value remains consistent during the execution of a script.

Key define() features

• Case-Sensitivity: Constants are not case-sensitive by default.
• Global Scope: Constants can be accessed from any part of the code without additional requirements.
• Value Types: Constants can hold values like integers, floats, strings, or arrays.

Syntax: define(NAME, value, case-insensitive)

• NAME: The designated constant name (specific naming rules apply).
• value: The constant's assigned literal value or expression.
• case-insensitive (Optional): A boolean flag (true for case-insensitive) determining if the constant's name is case-sensitive.

Code Example: Defining Constants

Here is the PHP code:

// Case-sensitive constant
define("GREETING", "Hello, World!");

// Case-insensitive constant
define("SITE_NAME", "MySite", true);

// Accessing constants
echo GREETING;   // Output: "Hello, World!"
echo SITE_NAME;  // Output: "MySite" or "MYSITE"

Best Practice

1. Unique Names: Use distinct, self-explanatory names to avoid unintended overwrites or misinterpretations.
2. Error Reporting: Pay attention to constant re-declarations or undefined constants to ensure script reliability.
3. Initialization: Ideally, constants should be defined within the script's beginning to ensure consistent values across the application.
4. Code Clarity: Employ uppercase letters and underscores to boost constant visibility and readability.
5. Constants Beyond Strings: While strings are frequently used, note that constants can store various data types like integers, floats, and arrays.

10. Can you describe the lifecycle of a PHP request?

Understanding the detailed lifecycle of a PHP request will help you optimize your web applications for better performance.

Stages of a PHP Request

1. Bootstrap

   • Code in your index.php file initializes the PHP environment.

2. Pre-Processing

   • PHP compiles the requested file into opcode, if necessary.
   • The Zend Engine, which powers PHP, loads necessary extensions and sets up internal structures.

3. Request Processing

   • PHP scripts execute from top to bottom, unless there's a redirect, error, or exit.

4. Output Buffering

   • The ob_ family of functions handles application output buffering.

5. Response

   • When execution completes, the built-up output is sent back to the webserver for final delivery to the client.

The Engine Behind the Scenes

• httpd: Apache and Nginx are popular HTTP servers that manage incoming requests.
• PHP Parser: Translates human-readable PHP code into machine-readable instructions.

Web Server Handover

• When a web server, such as Apache or Nginx, processes an incoming HTTP request, it detects PHP as the handler for .php files and launches the PHP parser.

Halted Behavior

One of the stumbling blocks for new PHP developers to get to grips with is that setting local redirects will halt script execution:

header('Location: /new_page.php');
exit;

One notable example of this behavior, especially in one-page (or one-script) applications, is the usage of the exit construct right after setting a location header. This abrupt exit can sometimes become problematic in larger projects or if not carefully managed. It is often more advisable to architect your applications with a more streamlined version of redirects and exits; consider using the "inverted if" approach to reduce nested levels.

11. Explain the use of sessions in PHP.

Sessions enable secure storage and retrieval of user information throughout their interaction with a web application.

Key Components

• Session Creation: Starts when a user accesses a web page and initializes a session, providing a unique session ID for that user.
• Data Persistence: Allows data to persist across different pages, often using session cookies.
• Data Lifetime: Information remains accessible during the user's visit and can be configured to extend over multiple visits.

Implementing Sessions in PHP

Starting a session in PHP is straightforward, and many frameworks handle this process automatically. Simply call session_start() at the beginning of each PHP script.

// Initialize session
session_start();

You can then use super-global variable $_SESSION to store and retrieve data.

Methods of Starting a Session

• Automatic: Set session.auto_start to 1 in php.ini, and the session begins for all pages.
• Manual: Starts when a PHP script calls session_start() explicitly.

Configuring Session Parameters

You can control session behavior and security using session_start() and session_set_cookie_params(). Here's the breakdown:

• Session timeout: Set the session lifetime using session.gc_maxlifetime. Sessions might be deleted by the PHP garbage collector if not accessed within this time.
• Cookie parameters: Configure session cookies for secure, HTTP-only, and domain-specific behavior.
• Token-based protection: Use CSRF tokens to safeguard against Cross-Site Request Forgery.

Security Measures

Sessions are highly valuable but require vigilance for security. Here are some best practices:

• SSL/TLS Encryption: Secure the entire session with a proper SSL/TLS certificate.
• Session Fixation Prevention: Generate a fresh session ID upon user authentication to deter session fixation attacks.
• Session Hijacking Prevention: Regularly switch session IDs and restrict sessions to the user's IP address or user agent if feasible.

12. How does PHP support cookies?

Cookies are HTTP headers that help websites remember users. In PHP, you can achieve seamless cookie management using built-in functions.

PHP Functions for Cookie Handling

• setcookie: Creates a new cookie or modifies an existing one.

• $_COOKIE: A global associative array that holds all set cookies, accessible from any script.

• $_COOKIE[ 'cookieName' ]: Particularly useful for reading cookie values.

• Example of Setcookie: Take a look!

  // Set cookie with a value that expires in 24 hours
  setcookie('username', 'JohnDoe', time()+86400, '/', '.example.com', true);

Common Cookie Parameters

• Name: The cookie's unique identifier.
• Value: Data associated with the cookie.
• Expiration: Time when the cookie should expire.
• Path: The directory for which the cookie is valid.
• Domain: The domain for which the cookie is valid.
• Secure: Specifies if the cookie should be sent only over secure (HTTPS) connections.
• HttpOnly: When set to true, the cookie is accessible only through HTTP protocols.

13. Describe the _$_GET, _$POST, and _$REQUEST superglobal arrays.

Each of these superglobal arrays in PHP helps manage input data, but they have distinct characteristics and use-cases.

Key Features

• $_GET is URL-based. It extracts data from the query string. In other words, data is visible in the URL.

• $_POST is form-based. It's suitable for handling sensitive or large data as it's not visible in the URL.

• $_REQUEST is a combination of $_GET, $_POST, and $_COOKIE. If a parameter is accessible in multiple arrays, $_REQUEST uses the one with the highest precedence. However, its use is largely depreciated because it makes debugging and code maintenance more difficult. It's better to be specific by using $_GET or $_POST where applicable.

14. How can you prevent form submission data from being injected with malicious code?

To prevent cross-site scripting (XSS) attacks on your website, it is crucial to validate and sanitize any data submitted through forms.

Key Anti-XSS Techniques

Manual Escaping

Escape form data using htmlspecialchars to convert special characters to HTML entities.

echo htmlspecialchars($_POST['input']);

JavaScript Sanitization

To prevent execution of JavaScript code, you can use:

• JavaScript replace method: Replace the less-than and greater-than characters with their HTML entities.

  $sanitized = str_replace(['<', '>'], ['&lt;', '&gt;'], $_POST['input']);

• JSON encoding for non-text data in hidden fields.

  $jsonEncoded = json_encode($_POST['data']);

Safe Back-End Handling

Always perform thorough server-side validation and ensure only intended actions are executed in response to form submissions:

• Database Prepared Statements: Use prepared statements alongside parameterized queries when interfacing with the database.
• Strict Input Validation: Enforce strict criteria for input data. For instance, use filter_var for emails or regex for defined patterns.
• Context-Aware Processing: Differentiate how the input will be used (e.g., in an email, as file content), and process accordingly.

Security Libraries

Frameworks and libraries often provide dedicated modules to fortify against XSS threats. For instance, Laravel supports various middlewares such as VerifyCsrfToken, which especially help in guarding against CSRF attacks.

Code

Here is the PHP code:

// Using htmlspecialchars for basic output
echo htmlspecialchars($_POST['input']);

// Using JSON to encode data going into hidden fields
$jsonEncoded = json_encode($_POST['data']);

// Using prepared statements for database queries
$stmt = $dbh->prepare("SELECT * FROM users WHERE username=?");
$stmt->execute([$_POST['username']]);

// Context-aware input verification
$filterOptions = [
    "email" => [
        "filter" => FILTER_VALIDATE_EMAIL,
        "flags" => FILTER_FLAG_EMAIL_UNICODE
    ]
];
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL, $filterOptions);

15. What is the significance of "htmlspecialchars" and "strip_tags" in PHP?

Both htmlspecialchars and strip_tags are crucial PHP functions that enhance security by mitigating Cross-Site Scripting (XSS) risks. They play specialized roles, catering to different requirements within web applications.

htmlspecialchars

The primary purpose of htmlspecialchars is to sanitize user input to render it harmless when displaying it on a web page. It achieves this by converting special characters into their respective HTML entities. By doing so, it prevents the accidental or unauthorized execution of HTML, JavaScript, or CSS, maintaining data integrity.

For instance, '<' is converted to "<", '>' to ">", '&' to "&", and quotes to their respective entity representations.

strip_tags

The comparative task of strip_tags is somewhat more brute-force. It's designed to remove any HTML and PHP tags from the input. This is a potential security risk and is often discouraged, but it might be suitable when an application needs bare-bones, text-only input.

Developers can further refine strip_tags by specifying allowable tags or attributes. However, it's still a less precise method compared to htmlspecialchars with its exact handling of special characters.

Best Practices for Security

For optimal data and user security, utilizing both functions is often the most recommended approach. This multi-layered strategy ensures that dangerous input goes through extensive sanitation measures.

When integrating user-generated content, especially in HTML contexts, it's crucial never to solely rely on strip_tags. Balancing both subtlety and thoroughness, htmlspecialchars is the more suitable choice in such scenarios.

Code Example: Multi-Layered Sanitization

Here is the PHP code:

$input = "<a href='#'>Malicious Link</a><script>alert('You have been hacked!')</script>";
$clean_html = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
$clean_text = strip_tags($input);

echo "Clean HTML: $clean_html\n";  // Outputs: &lt;a href='#'&gt;Malicious Link&lt;/a&gt;&lt;script&gt;alert('You have been hacked!')&lt;/script&gt;
echo "Clean Text: $clean_text\n";  // Outputs: Malicious Linkalert('You have been hacked!')

Explore all 100 answers here 👉 Devinterview.io - PHP