Anki Cards: PHP Core Terminology

PHP Terminology (Core Concepts) 🧠

  1. A single execution of PHP code to respond to an HTTP request (or CLI run) is called a {{c1::script}} (or a {{c2::request}}).
  2. PHP is typically executed by an {{c1::interpreter}} (the {{c2::PHP engine}}), not compiled ahead-of-time like C/C++.
  3. PHP is a {{c1::server-side}} language: the browser receives the {{c2::output}} (e.g., HTML/JSON), not your {{c3::PHP source}}.
  4. PHP can run in {{c1::web server mode}} (responding to HTTP) or in {{c2::CLI}} (command line).
  5. PHP’s execution model is usually {{c1::stateless per request}}; to persist data across requests you need {{c2::sessions}}, {{c3::cookies}}, or a {{c4::database}}.
  6. In modern PHP, you typically install libraries using {{c1::Composer}} and load them via {{c2::autoloading}}.

Superglobals & HTTP Basics 🌐

  1. The superglobal for query-string parameters is {{c1::$_GET}}.
  2. The superglobal for form-body parameters (common with POST forms) is {{c1::$_POST}}.
  3. Request metadata (method, headers info, paths, etc.) is found in {{c1::$_SERVER}}.
  4. Uploaded file metadata lives in {{c1::$_FILES}}.
  5. Cookie values are in {{c1::$_COOKIE}}; server-side session data is in {{c2::$_SESSION}} (after {{c3::session_start()}}).
  6. A common safe-read pattern is: $q = $_GET['q'] {{c1::??}} '' (null-coalescing default).
  7. To redirect a browser you use {{c1::header('Location: …')}} and then immediately call {{c2::exit}}.
  8. You can set the HTTP status code in PHP using {{c1::http_response_code(404)}} (or another code).

Security Essentials (Validation, Sanitization, Escaping) 🛡️

  1. “Is this input allowed?” is {{c1::validation}}; “make it cleaner/safer” is {{c2::sanitization}}; “make it safe to display” is {{c3::escaping}}.
  2. Preventing XSS primarily requires {{c1::escaping on output}} in the correct context (HTML, attribute, JS, URL).
  3. The go-to HTML escaping function is {{c1::htmlspecialchars}} with flags like {{c2::ENT_QUOTES}} and encoding {{c3::UTF-8}}.
  4. SQL Injection is prevented by using {{c1::prepared statements}} (e.g., via {{c2::PDO}}) instead of string concatenation.
  5. CSRF is mitigated using {{c1::anti-CSRF tokens}} (WordPress: {{c2::nonces}}).
  6. Passwords should be stored with {{c1::password_hash}} and checked with {{c2::password_verify}}—never with plain hashing like MD5.
  7. A secure mindset rule: never trust types from {{c1::$_GET}}/{{c2::$_POST}}; always {{c3::validate}} and {{c4::cast/allowlist}}.

PHP Output & Debugging 🧪

  1. The most common way to output text is {{c1::echo}} (a language construct).
  2. print is similar to echo but it {{c1::returns}} {{c2::1}}.
  3. For type + value debugging, use {{c1::var_dump($x)}}.
  4. For readable array/object output, use {{c1::print_r($x)}} (optionally with {{c2::true}} to return the string).
  5. To stop execution immediately, use {{c1::die()}} or {{c2::exit()}}.
  6. “Headers already sent” errors often occur because you produced {{c1::output}} (even whitespace) before calling {{c2::header()}}.

Includes & File Loading 📁

  1. If a file is missing, {{c1::require}} triggers a {{c2::fatal error}}, while {{c3::include}} only raises a warning and continues.
  2. To ensure a file is loaded at most once, use {{c1::require_once}} or {{c2::include_once}}.
  3. A best practice for paths is using {{c1::__DIR__}} to build absolute-ish paths (e.g., require __DIR__ . '/vendor/autoload.php';).
  4. In “pure PHP” files, it’s common to omit the closing tag {{c1::?>}} to prevent accidental whitespace output.

Control Flow (Conditionals & Loops) 🔁

  1. A standard conditional chain is {{c1::if}} → {{c2::elseif}} → {{c3::else}}.
  2. switch requires explicit {{c1::break}} to avoid {{c2::fall-through}}.
  3. match (PHP 8+) is an {{c1::expression}} that {{c2::returns a value}} and uses {{c3::strict comparison}}.
  4. The most common loop for arrays is {{c1::foreach}}.
  5. To get both key and value in foreach: foreach ($arr as {{c1::$k}} => {{c2::$v}}) { ... }.
  6. break exits a loop; {{c1::continue}} skips to the next iteration.
  7. A do { ... } while (...); loop runs the body at least {{c1::once}}.

Functions & Scope 🧩

  1. A function can declare a return type using function f(): {{c1::int}} { ... }.
  2. Function parameters can have defaults like function f($x = {{c1::123}}).
  3. Variables inside a function are local unless declared {{c1::global}} (use sparingly).
  4. A static local variable in a function {{c1::persists between calls}}.
  5. In PHP, functions can be {{c1::passed as callables}} (e.g., to array_map).
  6. Anonymous functions use function() {}; arrow functions use {{c1::fn}}($x) => ... (short syntax).

Errors & Exceptions 🚨

  1. Exception handling uses try { ... } catch ({{c1::Throwable}} $e) { ... } finally { ... }.
  2. You can raise an exception with {{c1::throw}} new Exception('message');.
  3. finally runs whether an exception is thrown or not: it’s ideal for {{c1::cleanup}}.
  4. In production, you generally {{c1::log errors}} rather than displaying them to users.

Variables, Types, and “Type Juggling” 🧱

  1. PHP variables start with the symbol {{c1::$}}.
  2. PHP supports “type juggling,” meaning it may {{c1::auto-convert}} types (string ↔ int, etc.).
  3. To enforce stricter scalar type checking, add {{c1::declare(strict_types=1);}} at the top of a file.
  4. Common scalar types are {{c1::int}}, {{c2::float}}, {{c3::string}}, {{c4::bool}}.
  5. The special type representing “no value” is {{c1::null}}.
  6. To cast to integer, use {{c1::(int)}}$x; to cast to string, use {{c2::(string)}}$x.
  7. A notorious truthiness gotcha: the string {{c1::'0'}} is {{c2::falsy}} in PHP.

Operators & Comparisons ⚖️

  1. Loose equality {{c1::==}} performs type juggling; strict equality {{c2::===}} compares {{c3::type and value}}.
  2. “Not equal” operators are {{c1::!=}} (loose) and {{c2::!==}} (strict).
  3. String concatenation uses the dot operator: $full = $a {{c1::.}} $b;.
  4. Concatenate-and-assign uses {{c1::.=}}.
  5. The null coalescing operator is {{c1::??}} (useful for defaults).
  6. The nullsafe operator is {{c1::?->}} (avoids errors when the left side is null).
  7. The ternary operator is {{c1::condition}} ? {{c2::A}} : {{c3::B}}.
  8. The spaceship operator {{c1::<=>}} returns -1/0/1 for sorting-like comparisons.

Strings (Everyday Tools) 🧵

  1. Single-quoted strings do {{c1::not}} interpolate variables; double-quoted strings {{c2::do}}.
  2. Get a string length with {{c1::strlen}}.
  3. Find a substring position with {{c1::strpos}} (remember it can return {{c2::0}} which is not “falsey-safe”).
  4. Extract part of a string using {{c1::substr}}.
  5. Replace text with {{c1::str_replace}}.
  6. Remove surrounding whitespace with {{c1::trim}}.
  7. Split a string into an array with {{c1::explode}}; join an array into a string with {{c2::implode}}.
  8. Use formatted strings with {{c1::sprintf}} (e.g., %s, %d).
  9. For multi-byte strings (e.g., UTF-8), prefer functions like {{c1::mb_strlen}} over strlen when correctness matters.

Arrays (Workhorse Structures) 🧰

  1. An indexed array literal uses brackets: $a = {{c1::[10, 20, 30]}};.
  2. An associative array uses key/value pairs: ['name' {{c1::=>}} 'Ada'].
  3. Append to an array with $a{{c1::[]}} = 99;.
  4. Array size is obtained with {{c1::count}}.
  5. Check if a value exists in an array with {{c1::in_array}} (consider {{c2::strict mode}} via the third parameter).
  6. Check if a key exists with {{c1::array_key_exists}}.
  7. Transform an array with {{c1::array_map}}; keep items with {{c2::array_filter}}; fold into one value with {{c3::array_reduce}}.
  8. Combine arrays with {{c1::array_merge}}; get keys with {{c2::array_keys}}; get values with {{c3::array_values}}.
  9. Sorting: sort sorts by values and reindexes; {{c1::asort}} preserves keys; {{c2::ksort}} sorts by keys.
  10. To destructure arrays: [$a, $b] = {{c1::$arr}}; (list unpacking).

Constants & Configuration 🧷

  1. Define a global constant with {{c1::define('NAME', 'value')}}.
  2. Define a constant with const (often in classes) as {{c1::const VERSION}} = '1.0.0';.
  3. Environment-specific settings are often stored in {{c1::environment variables}} (e.g., loaded via .env in some frameworks).

OOP (Classes, Visibility, and Keywords) 🏛️

  1. Create an object instance using {{c1::new}} (e.g., new User()).
  2. Property/method access on the current object uses {{c1::$this->}}.
  3. Visibility keywords: {{c1::public}}, {{c2::protected}}, {{c3::private}}.
  4. Inheritance uses {{c1::extends}}; interfaces use {{c2::implements}}.
  5. {{c1::abstract}} classes can’t be instantiated directly.
  6. {{c1::trait}} is a mechanism for code reuse across classes.
  7. Static access uses {{c1::ClassName::}}member (scope resolution operator).
  8. Inside a class, {{c1::self::}} refers to the current class; {{c2::parent::}} refers to the parent class.
  9. A constructor method is named {{c1::__construct}}.

Composer & Autoloading ⚙️

  1. The dependency manifest is {{c1::composer.json}}; the locked exact versions file is {{c2::composer.lock}}.
  2. Composer’s generated autoloader is typically {{c1::vendor/autoload.php}}.
  3. A common autoload standard is {{c1::PSR-4}} (maps namespaces to folder paths).
  4. After adding a dependency, you typically run {{c1::composer install}} (or {{c2::composer update}} with care).

Database (PDO Fundamentals) 🗄️

  1. PDO stands for {{c1::PHP Data Objects}} and provides a consistent DB interface.
  2. A recommended PDO error mode is {{c1::PDO::ATTR_ERRMODE}} set to {{c2::PDO::ERRMODE_EXCEPTION}}.
  3. A prepared statement is created with {{c1::$pdo->prepare(…)}} and executed with {{c2::$stmt->execute(…)}}.
  4. Named placeholders look like {{c1:::email}} and values are passed as an array like ['email' => {{c2::$email}}].
  5. Fetch one row as an associative array with {{c1::fetch}}(PDO::FETCH_ASSOC).
  6. After an INSERT, you can read the generated id with {{c1::$pdo->lastInsertId()}}.
  7. Best practice: set the DB charset to {{c1::utf8mb4}} for full Unicode support.

WordPress Parallels (If You Use WP) 🧩

  1. WordPress “do something now” hooks are {{c1::actions}} added via {{c2::add_action}}.
  2. WordPress “modify a value” hooks are {{c1::filters}} added via {{c2::add_filter}}.
  3. WordPress escaping helpers include {{c1::esc_html}}, {{c2::esc_attr}}, and {{c3::esc_url}}.
  4. WordPress sanitizers include {{c1::sanitize_text_field}} and {{c2::sanitize_email}}.
  5. WordPress CSRF protection commonly uses {{c1::nonces}} (e.g., wp_nonce_field, check_admin_referer).
  6. WordPress database safety commonly uses {{c1::$wpdb->prepare(…)}} to avoid SQL injection.

“Quick Gotchas” That Save Hours ⏱️

  1. Avoid short open tags <?—prefer {{c1::<?php}} for portability.
  2. After sending a redirect header, always {{c1::exit;}} to prevent further output/logic.
  3. strpos() can return {{c1::0}} (meaning “found at start”), so check with {{c2::!== false}}.
  4. Prefer strict comparisons ({{c1::===}}) when comparing against {{c2::0}}, {{c3::''}}, or {{c4::null}}.
  5. When using in_array, pass {{c1::true}} as the third argument to avoid unexpected type juggling.
  6. If you see unexpected output before headers, check for whitespace around {{c1::<?php}} or after {{c2::?>}}.