📋 PHP Cheat Sheet
A quick-reference guide to every essential PHP concept and function from this course. Bookmark this page and come back whenever you need a syntax reminder.
PHP Basics
PHP Tags & Output
<?php
// Full PHP block
echo "Hello, World!"; // Output a string
print "Hello!"; // Similar to echo (returns 1)
// The short echo tag shown after this block prints its value as-is. When the value
// can contain user input, wrap it in htmlspecialchars() first to prevent XSS.
?>
<?= $variable ?> <!-- Short echo tag (in HTML) -->
// Comments
// Single line
# Also single line
/* Multi-line
comment */
Variables & Constants
// Variables — always start with $
$name = "Ray";
$age = 30;
$price = 19.99;
$isActive = true;
$nothing = null;
// Constants — cannot be changed
define("SITE_NAME", "My App");
const MAX_USERS = 100;
// Use constants without $
echo SITE_NAME;
Data Types
// Scalar types
$string = "Hello"; // string
$int = 42; // int (integer)
$float = 3.14; // float (double)
$bool = true; // bool (boolean)
// Compound types
$array = [1, 2, 3]; // array
$obj = new stdClass(); // object
// Special types
$nothing = null; // null
// Type checking
gettype($var); // Returns type as string
is_string($var); // true/false
is_int($var); // false for numeric strings such as "42" — request data arrives as strings or arrays
is_array($var);
isset($var); // true if exists and not null
empty($var); // true if "", "0", 0, 0.0, null, false, [] or not set at all
// Type casting
// A cast never fails: (int) "42abc" is 42 and (int) "abc" is 0. For values that
// come from a request, validate first (e.g. filter_var with FILTER_VALIDATE_INT)
// instead of relying on the cast to reject bad input.
$int = (int) "42"; // 42
$str = (string) 42; // "42"
$arr = (array) $object; // Object → array
Operators
Arithmetic & Assignment
// Arithmetic
$a + $b // Addition
$a - $b // Subtraction
$a * $b // Multiplication
$a / $b // Division
$a % $b // Modulus (remainder)
$a ** $b // Exponentiation
// Assignment shortcuts
$a += 5; // $a = $a + 5
$a -= 5; $a *= 5; $a /= 5; $a %= 5;
$a .= " more"; // String concatenation assignment
$a++; // Increment
$a--; // Decrement
Comparison & Logical
// Comparison
// Prefer === / !== whenever the result guards access (tokens, roles, IDs):
// loose comparison converts types first, e.g. "1e3" == "1000" is true.
// Secrets such as tokens and hashes are compared with hash_equals(), not == or ===.
$a == $b // Equal (loose — type juggling)
$a === $b // Identical (strict — same type AND value)
$a != $b // Not equal (loose)
$a !== $b // Not identical (strict)
$a <=> $b // Spaceship: -1, 0, or 1
// Logical
$a && $b // AND
$a || $b // OR
!$a // NOT
// Special operators
$a ?? $b // Null coalescing: $a if not null, else $b
$a ??= $b // Null coalescing assignment
$a ? $b : $c // Ternary
$a ?: $b // Elvis: $a if truthy, else $b ("0", "", 0 and [] count as falsy)
Control Flow
// if / elseif / else
if ($score >= 90) {
echo "A";
} elseif ($score >= 80) {
echo "B";
} else {
echo "C";
}
// switch
switch ($color) {
case "red":
echo "Stop";
break;
case "green":
echo "Go";
break;
default:
echo "Unknown";
}
// match (PHP 8) — strict comparison, returns a value
$label = match ($status) {
'active' => 'Online',
'inactive' => 'Offline',
default => 'Unknown',
};
Loops
// for — when you know the count
for ($i = 0; $i < 10; $i++) {
echo $i;
}
// while — condition checked before each iteration
while ($condition) {
// ...
}
// do-while — runs at least once
do {
// ...
} while ($condition);
// foreach — best for arrays
foreach ($items as $item) {
echo $item;
}
foreach ($users as $key => $value) {
echo "$key: $value";
}
// Loop control
break; // Exit the loop
continue; // Skip to next iteration
break 2; // Exit 2 levels of nesting
Functions
// Basic function
/**
 * Build a greeting for the given name.
 *
 * The name is inserted as-is; escape the result before printing it into HTML.
 */
function greet(string $name): string
{
    $message = "Hello, {$name}!";

    return $message;
}
// Default parameter values
/**
 * Placeholder showing default parameter values; the body is left empty in this example.
 *
 * @param string $host Used when the caller passes no host ("localhost").
 * @param int    $port Used when the caller passes no port (3306).
 */
function connect(string $host = "localhost", int $port = 3306): void {
// ...
}
// Variadic function (accepts unlimited args)
/**
 * Add up every integer passed in; returns 0 when called without arguments.
 */
function sum(int ...$numbers): int
{
    $total = 0;
    foreach ($numbers as $number) {
        $total += $number;
    }

    return $total;
}
// Anonymous function (closure)
$double = function($n) {
return $n * 2;
};
echo $double(5); // 10
// Arrow function (PHP 7.4+) — outer variables it uses are captured automatically, by value
$double = fn($n) => $n * 2;
// Closure with use — $greeting is copied when the closure is created;
// changing $greeting afterwards does not affect the closure
$greeting = "Hello";
$greet = function($name) use ($greeting) {
return "$greeting, $name!";
};
Arrays
// Indexed array
$fruits = ["apple", "banana", "cherry"];
echo $fruits[0]; // "apple"
// Associative array
$user = [
"name" => "Ray",
"email" => "ray@example.com",
"age" => 30,
];
echo $user["name"]; // "Ray"
// Multidimensional array
$matrix = [
[1, 2, 3],
[4, 5, 6],
];
echo $matrix[1][2]; // 6
// Adding elements
$fruits[] = "date"; // Append
$user["role"] = "admin"; // Add key
// Destructuring
[$a, $b, $c] = [10, 20, 30];
["name" => $name] = $user;
// Spread operator (PHP 7.4+)
$merged = [...$array1, ...$array2];
Array Functions
Searching & Checking
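count($arr); // Number of elements
// Pass true as the third argument: without it the search uses loose (==)
// comparison, which can match values of another type. This matters most when
// the array is an allow-list that decides what is accepted.
in_array("apple", $arr, true); // Check if value exists (strict)
array_key_exists("name", $arr);// Check if key exists
array_search("banana", $arr, true); // Find key of value (or false) — the key can be 0, so test with !== false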
Transforming
// Map — apply function to each element
$doubled = array_map(fn($n) => $n * 2, $numbers);
// Filter — keep elements that pass a test
$adults = array_filter($ages, fn($age) => $age >= 18);
// Reduce — combine all elements into one value
$total = array_reduce($prices, fn($carry, $price) => $carry + $price, 0);
// Merge arrays
$combined = array_merge($arr1, $arr2);
// Extract keys or values
$keys = array_keys($assoc);
$values = array_values($assoc);
// Remove duplicates
$unique = array_unique($arr);
// Slice & splice
$slice = array_slice($arr, 1, 3); // Extract portion
array_splice($arr, 1, 2, ["new"]); // Remove & replace
Sorting
sort($arr); // Sort values ascending (reindexes)
rsort($arr); // Sort values descending
asort($arr); // Sort values ascending (preserves keys)
arsort($arr); // Sort values descending (preserves keys)
ksort($arr); // Sort by keys ascending
krsort($arr); // Sort by keys descending
usort($arr, fn($a, $b) => $a <=> $b); // Custom sort
String Functions
// Length & position
strlen($str); // String length in bytes (differs from the character count for multibyte UTF-8 text)
strpos($str, "needle"); // Find position (or false) — a match at position 0 is falsy, so test with !== false
str_contains($str, "needle"); // PHP 8: true/false
str_starts_with($str, "Hello"); // PHP 8
str_ends_with($str, "World"); // PHP 8
// Extracting & replacing
substr($str, 0, 5); // First 5 bytes (5 characters only for single-byte text)
str_replace("old", "new", $str); // Replace all occurrences
str_ireplace("old", "new", $str); // Case-insensitive replace
// Case conversion
strtolower($str);
strtoupper($str);
ucfirst($str); // Capitalize first letter
ucwords($str); // Capitalize each word
// Trimming
trim($str); // Remove whitespace both ends
ltrim($str); // Left trim
rtrim($str); // Right trim
// Splitting & joining
explode(",", $str); // String → array
implode(", ", $arr); // Array → string
// Formatting
// sprintf only formats; it does not escape. Escape the result for the place it
// is written to (HTML, SQL, shell) like any other string.
sprintf("Hello, %s! You are %d.", $name, $age);
number_format(1234567.89, 2); // "1,234,567.89"
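// Multi-line strings (heredoc) — variables are interpolated as in double quotes
// NOTE: the original example was cut off after "<<"; the body below is a constructed sample.
$text = <<<EOT
Hello, {$name}!
This text spans several lines.
EOT;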
Forms & Input
HTML Form → PHP Processing
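// HTML form (the button needs name="submit" for the isset() check below to see it)
// <form method="post" action="process.php">
// <input type="text" name="username">
// <input type="email" name="email">
// <button type="submit" name="submit">Submit</button>
// </form>
// process.php
// Give the fields a default first, so the sticky form below also works on a
// plain GET request where nothing has been posted yet.
$username = '';
$email = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Request fields are untrusted: a client can leave them out or send an
    // array (username[]=x). Keep strings only, validate them before use and
    // escape them on output.
    $username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $email = is_string($_POST['email'] ?? null) ? $_POST['email'] : '';
}
// GET data (from URL: ?search=php)
$search = is_string($_GET['search'] ?? null) ? $_GET['search'] : '';
// Check if form was submitted
if (isset($_POST['submit'])) {
    // ...
}
// Sticky form (re-fills values after submission) — always escape the echoed value
// <input value="<?= htmlspecialchars($username, ENT_QUOTES, 'UTF-8') ?>">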
Validation & Sanitization
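// Validation — does the data meet the rules?
// filter_var() returns the filtered value on success and false on failure.
// Compare with === false: a valid "0" comes back as int 0, which is falsy.
filter_var($email, FILTER_VALIDATE_EMAIL); // false if invalid
filter_var($url, FILTER_VALIDATE_URL); // syntax check only — any scheme passes, so allow-list http/https yourself
filter_var($ip, FILTER_VALIDATE_IP);
filter_var($num, FILTER_VALIDATE_INT); // int on success (0 is valid!), false if invalid
// Sanitization — clean the data
// Sanitizing changes the value instead of rejecting it. It does not replace
// prepared statements for SQL or htmlspecialchars() for HTML output.
filter_var($str, FILTER_SANITIZE_SPECIAL_CHARS);
filter_var($email, FILTER_SANITIZE_EMAIL);
filter_var($url, FILTER_SANITIZE_URL);
filter_var($num, FILTER_SANITIZE_NUMBER_INT);
// htmlspecialchars — escape for HTML output
htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
// Basic regex validation
preg_match('/^[a-zA-Z0-9_]{3,20}$/', $username); // 1 if match
// Common validation pattern
$errors = [];
// empty() would also reject the name "0" and, combined with a second length
// check, report two errors for one missing field; check for a blank string and
// use elseif so each field yields at most one message.
if (!isset($name) || !is_string($name) || trim($name) === '') {
    $errors[] = "Name is required.";
} elseif (strlen(trim($name)) < 2) { // strlen counts bytes, not characters
    $errors[] = "Name must be at least 2 characters.";
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = "Invalid email address.";
}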
File Handling
// Simple read/write
// Every function here takes a path: build it from fixed names, never directly
// from request data, or a value like "../../config.php" reaches other files.
$content = file_get_contents("data.txt"); // false on failure — test with === false ("" is a valid result)
file_put_contents("data.txt", $content); // Overwrite
file_put_contents("log.txt", $line, FILE_APPEND); // Append (add | LOCK_EX when several requests may write at once)
// Manual file handling
$handle = fopen("data.txt", "r"); // r=read, w=write, a=append; returns false on failure
$line = fgets($handle); // Read one line
$content = fread($handle, 1024); // Read bytes
fwrite($handle, "Hello\n"); // needs a handle opened with w or a — it fails on the "r" handle above
fclose($handle);
// File info
file_exists("data.txt"); // true/false
is_file("data.txt"); // Is it a file (not dir)?
filesize("data.txt"); // Size in bytes
unlink("data.txt"); // Delete file
// Include other PHP files
// An included file is executed as PHP. The path must be a fixed string or come
// from an allow-list; never include a path taken from $_GET/$_POST/$_COOKIE.
include "header.php"; // Warning if missing
require "config.php"; // Fatal error if missing
include_once "functions.php"; // Skip if already loaded
require_once "database.php"; // Fatal + skip if loaded
// Reliable path with __DIR__
require __DIR__ . '/includes/config.php';
Superglobals
// Everything below except $_SESSION and most of $_ENV is filled from the request
// and is therefore attacker-controlled: validate before use, escape on output.
$_GET // URL query parameters
$_POST // Form POST data
$_REQUEST // GET + POST (+ COOKIE, depending on the request_order setting) — prefer the specific array
$_FILES // Uploaded file information (name and type are supplied by the client)
$_COOKIE // Cookie values
$_SESSION // Session data
$_SERVER // Server & request info
$_ENV // Environment variables
// Useful $_SERVER values
$_SERVER['REQUEST_METHOD'] // "GET", "POST", or any other method the client sent
$_SERVER['SCRIPT_NAME'] // Current script path
$_SERVER['HTTP_HOST'] // Host header as sent by the client — do not trust it for links in e-mails or access checks
$_SERVER['REMOTE_ADDR'] // IP address of the connecting peer (the proxy's address when behind one)
$_SERVER['HTTP_USER_AGENT'] // Browser info (client-supplied, can be any string)
$_SERVER['DOCUMENT_ROOT'] // Web root path
Sessions & Cookies
Sessions
// Start session — must run before any output is sent, because it sets a cookie header
session_start();
// Set session data
$_SESSION['username'] = "Ray";
$_SESSION['role'] = "admin";
// Read session data
echo $_SESSION['username'];
// Check if session key exists
if (isset($_SESSION['username'])) { ... }
// Remove a key
unset($_SESSION['username']);
// Destroy entire session (logout)
// (separate logout script — session_start() is called once per request)
session_start();
$_SESSION = [];
session_destroy(); // removes the server-side data only; also expire the session cookie to finish the logout
// Regenerate ID right after login or any other privilege change — an ID that was
// planted or observed before login then stops working (session fixation).
// true deletes the old session data.
session_regenerate_id(true);
Cookies
// Set a cookie — must be before ANY output
setcookie("theme", "dark", time() + 86400, "/");
// name, value, expires (1 day), path
// This short form sets no Secure/HttpOnly/SameSite attributes: fine for a display
// preference, not for anything that identifies or authenticates the user.
// Read a cookie (available on NEXT request)
// Cookie values come from the browser and can be edited by the user: validate
// them (e.g. against the list of known themes) and never use them for authorization.
$theme = $_COOKIE['theme'] ?? 'light';
// Delete a cookie — set expiry in the past (use the same path as when it was set)
setcookie("theme", "", time() - 3600, "/");
// Secure cookie options (PHP 7.3+)
setcookie("token", $value, [
'expires' => time() + 86400,
'path' => '/',
'secure' => true, // HTTPS only
'httponly' => true, // No JavaScript access
'samesite' => 'Strict', // Not sent on cross-site requests — reduces CSRF risk; keep CSRF tokens as well
]);
Object-Oriented PHP
Classes & Objects
/**
 * Example user with one public, one private and one protected property,
 * plus a static counter of how many instances were created.
 */
class User
{
    // Properties
    public string $name;

    private string $email;

    // Never assigned in this example; reading a typed property before it is assigned throws an Error.
    protected int $age;

    public static int $count = 0;

    // Constructor
    public function __construct(string $name, string $email)
    {
        $this->name = $name;
        $this->email = $email;
        ++self::$count;
    }

    // Method — the only way to read the private e-mail from outside the class
    public function getEmail(): string
    {
        $address = $this->email;

        return $address;
    }

    // Static method — called on the class, not on an instance
    public static function getCount(): int
    {
        return self::$count;
    }
}
// Create objects
$user = new User("Ray", "ray@example.com");
// The values here are literals; when a property holds user-supplied data,
// pass it through htmlspecialchars() before echoing it into a page.
echo $user->name; // Access public property
echo $user->getEmail(); // Access via method
echo User::getCount(); // Call static method
Inheritance, Interfaces & Traits
// Inheritance
// Admin inherits User's public and protected members; User's private $email is
// reachable only through the inherited getEmail() method.
class Admin extends User {
public function __construct(string $name, string $email) {
parent::__construct($name, $email); // run User's constructor so its properties and counter are set
}
public function promote(): void { ... }
}
// Abstract class — cannot be instantiated; subclasses must implement area()
abstract class Shape
{
    abstract public function area(): float;
}

// Interface — a contract with no implementation
interface Printable
{
    public function toString(): string;
}

/**
 * Circle defined by its radius (constructor promotion declares and assigns
 * the private property in one step).
 */
class Circle extends Shape implements Printable
{
    public function __construct(private float $radius)
    {
    }

    public function area(): float
    {
        $squared = $this->radius ** 2;

        return M_PI * $squared;
    }

    public function toString(): string
    {
        $label = "Circle(r={$this->radius})";

        return $label;
    }
}
// Trait — reusable members that are copied into every class that "use"s it
trait Timestampable
{
    public string $createdAt;

    /** Store the current date and time (server default timezone) as "Y-m-d H:i:s". */
    public function setTimestamp(): void
    {
        $now = time();
        $this->createdAt = date('Y-m-d H:i:s', $now);
    }
}

class Post
{
    use Timestampable;
}
Error Handling
// try / catch / finally
// Catch blocks are tried top to bottom, so the more specific class comes first.
// In a web page, exception messages can carry internal details (paths, SQL, input
// echoed back): log them and show a generic message, or at least escape the
// message with htmlspecialchars() before echoing it.
try {
$result = riskyOperation();
} catch (InvalidArgumentException $e) {
echo "Bad input: " . $e->getMessage();
} catch (Exception $e) {
echo "Error: " . $e->getMessage();
} finally {
// Always runs (cleanup)
}
// Throw an exception (two independent examples — execution stops at the first throw)
throw new Exception("Something went wrong");
throw new InvalidArgumentException("Age must be positive");
// Custom exception
/**
 * Exception that carries the list of validation errors alongside the fixed
 * message "Validation failed".
 */
class ValidationException extends Exception
{
    public function __construct(private array $errors)
    {
        parent::__construct("Validation failed");
    }

    /** Return the errors exactly as they were passed to the constructor. */
    public function getErrors(): array
    {
        return $this->errors;
    }
}
// Error reporting (development)
// Development only: displayed errors reveal file paths, queries and stack traces
// to every visitor. On a production server keep display_errors off and send
// errors to the log instead (log_errors on).
error_reporting(E_ALL);
ini_set('display_errors', 1);
PDO & Database
Connecting
// "username" and "password" are placeholders: load real credentials from the
// environment or a config file kept outside the web root and out of version
// control, and give the database account only the privileges the app needs.
$dsn = "mysql:host=localhost;dbname=mydb;charset=utf8mb4";
$pdo = new PDO($dsn, "username", "password", [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // failures throw PDOException instead of returning false
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // rows come back as associative arrays
PDO::ATTR_EMULATE_PREPARES => false, // use the server's real prepared statements
]);
Prepared Statements (CRUD)
// SELECT (read)
// Placeholders keep the value out of the SQL text, so it is never parsed as SQL.
// Select only the columns you need when the table also holds secrets such as
// password hashes.
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$id]);
$user = $stmt->fetch(); // One row (false when there is none)
$users = $stmt->fetchAll(); // All remaining rows
// Named placeholders
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email");
$stmt->execute(['email' => $email]);
// INSERT (create)
$stmt = $pdo->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
$stmt->execute([$name, $email]);
$newId = $pdo->lastInsertId();
// UPDATE
// A prepared statement stops injection, not misuse: check that the logged-in
// user is allowed to change or delete the row identified by $id.
$stmt = $pdo->prepare("UPDATE users SET name = ? WHERE id = ?");
$stmt->execute([$name, $id]);
$affected = $stmt->rowCount();
// DELETE
$stmt = $pdo->prepare("DELETE FROM users WHERE id = ?");
$stmt->execute([$id]);
Transactions
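// Move 100 from one account to another: both updates are applied or neither is.
try {
    $pdo->beginTransaction();
    $stmt1 = $pdo->prepare("UPDATE accounts SET balance = balance - ? WHERE id = ?");
    $stmt1->execute([100, $fromId]);
    $stmt2 = $pdo->prepare("UPDATE accounts SET balance = balance + ? WHERE id = ?");
    $stmt2->execute([100, $toId]);
    $pdo->commit(); // All succeed
} catch (Throwable $e) {
    // Throwable also covers Error (e.g. TypeError), not only Exception.
    // If beginTransaction() itself failed there is nothing to roll back, and
    // calling rollBack() then would throw and hide the original failure.
    if ($pdo->inTransaction()) {
        $pdo->rollBack(); // All fail — undo everything
    }
    throw $e;
}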
Fetch Styles
$stmt->fetch(PDO::FETCH_ASSOC); // ['name' => 'Ray', ...]
$stmt->fetch(PDO::FETCH_NUM); // [0 => 'Ray', ...]
$stmt->fetch(PDO::FETCH_OBJ); // $row->name
$stmt->fetch(PDO::FETCH_BOTH); // Both assoc + numeric
$stmt->fetchColumn(); // Single column value
$stmt->fetchAll(PDO::FETCH_ASSOC); // Array of all rows
Security
Quick Security Checklist
// 1. SQL Injection — ALWAYS use prepared statements
// Placeholders bind values only. Table names, column names and sort direction
// cannot be bound: pick them from a fixed allow-list in code.
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$id]);
// NEVER: "SELECT * FROM users WHERE id = $id"
// 2. XSS — ALWAYS escape output
// htmlspecialchars() is the right encoding for HTML text and quoted attribute
// values. Other contexts need their own encoding, e.g. json_encode() for data
// placed in a script and rawurlencode() for URL parts.
echo htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
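// 3. CSRF — use tokens in forms
// Generate (once per session — issuing a new token on every page load would
// invalidate forms that are already open in another tab):
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
// In form: <input type="hidden" name="csrf_token"
// value="<?= $_SESSION['csrf_token'] ?>">
// Verify (on every state-changing request):
// The posted field may be missing or an array, and the session may hold no
// token yet. Reject those cases explicitly, then compare in constant time.
$sentToken = $_POST['csrf_token'] ?? '';
$knownToken = $_SESSION['csrf_token'] ?? '';
if (
    !is_string($sentToken)
    || !is_string($knownToken)
    || $knownToken === ''
    || !hash_equals($knownToken, $sentToken)
) {
    http_response_code(403);
    die("Invalid CSRF token");
}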
// 4. Passwords — hash, never store plain text
// PASSWORD_DEFAULT can change to a stronger algorithm in a later PHP version,
// so store the hash in a column with room to grow (the PHP manual suggests 255 characters).
$hash = password_hash($password, PASSWORD_DEFAULT);
// Verify:
// After a successful check, call session_regenerate_id(true) before marking the
// session as logged in, and use password_needs_rehash() to upgrade old hashes.
// On failure, show the same message whether the user or the password was wrong.
if (password_verify($inputPassword, $storedHash)) {
echo "Login successful!";
}
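// 5. File uploads — validate type and size
// $_FILES[...]['type'] and ['name'] are sent by the client and prove nothing.
// Check the upload error code and the size, then detect the type from the
// file's content.
$allowed = ['image/jpeg', 'image/png', 'image/gif'];
$maxBytes = 2 * 1024 * 1024; // constructed example limit (2 MiB) — set per application
$upload = $_FILES['file'] ?? null;
if (
    !is_array($upload)
    || !is_int($upload['error'] ?? null) // an array here means several files were sent
    || $upload['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($upload['tmp_name'])
) {
    die("Upload failed");
}
if ($upload['size'] > $maxBytes) {
    die("File too large");
}
$detectedType = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
if (!in_array($detectedType, $allowed, true)) {
    die("Invalid file type");
}
// When saving: generate the file name yourself (do not reuse the client's name)
// and store uploads where the web server will not execute them as scripts.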