What is PHP?

PHP (recursive acronym for "PHP: Hypertext Preprocessor") is a widely-used Open Source general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

Simple answer, but what does that mean? An example:

Příklad 1-1. An introductory example <html> <head> <title>Example</title> </head> <body> <?php echo "Hi, I'm a PHP script!"; ?> </body> </html>

Notice how this is different from a script written in other languages like Perl or C -- instead of writing a program with lots of commands to output HTML, you write an HTML script with some embedded code to do something (in this case, output some text). The PHP code is enclosed in special start and end tags that allow you to jump into and out of "PHP mode".

What distinguishes PHP from something like client-side JavaScript is that the code is executed on the server. If you were to have a script similar to the above on your server, the client would receive the results of running that script, with no way of determining what the underlying code may be. You can even configure your web server to process all your HTML files with PHP, and then there's really no way that users can tell what you have up your sleeve.

The best things in using PHP are that it is extremely simple for a newcomer, but offers many advanced features for a professional programmer. Don't be afraid reading the long list of PHP's features. You can jump in, in a short time, and start writing simple scripts in a few hours.

Although PHP's development is focused on server-side scripting, you can do much more with it. Read on, and see more in the What can PHP do? section.

What can PHP do?

Anything. PHP is mainly focused on server-side scripting, so you can do anything any other CGI program can do, such as collect form data, generate dynamic page content, or send and receive cookies. But PHP can do much more.

There are three main fields where PHP scripts are used.

• Server-side scripting. This is the most traditional and main target field for PHP. You need three things to make this work. The PHP parser (CGI or server module), a webserver and a web browser. You need to run the webserver, with a connected PHP installation. You can access the PHP program output with a web browser, viewing the PHP page through the server. See the installation instructions section for more information.

• Command line scripting. You can make a PHP script to run it without any server or browser. You only need the PHP parser to use it this way. This type of usage is ideal for scripts regularly executed using cron (on *nix or Linux) or Task Scheduler (on Windows). These scripts can also be used for simple text processing tasks. See the section about Command line usage of PHP for more information.

• Writing client-side GUI applications. PHP is probably not the very best language to write windowing applications, but if you know PHP very well, and would like to use some advanced PHP features in your client-side applications you can also use PHP-GTK to write such programs. You also have the ability to write cross-platform applications this way. PHP-GTK is an extension to PHP, not available in the main distribution. If you are interested in PHP-GTK, visit it's own website.

PHP can be used on all major operating systems, including Linux, many Unix variants (including HP-UX, Solaris and OpenBSD), Microsoft Windows, Mac OS X, RISC OS, and probably others. PHP has also support for most of the web servers today. This includes Apache, Microsoft Internet Information Server, Personal Web Server, Netscape and iPlanet servers, Oreilly Website Pro server, Caudium, Xitami, OmniHTTPd, and many others. For the majority of the servers PHP has a module, for the others supporting the CGI standard, PHP can work as a CGI processor.

So with PHP, you have the freedom of choosing an operating system and a web server. Furthermore, you also have the choice of using procedural programming or object oriented programming, or a mixture of them. Although not every standard OOP feature is realized in the current version of PHP, many code libraries and large applications (including the PEAR library) are written only using OOP code.

With PHP you are not limited to output HTML. PHP's abilities includes outputting images, PDF files and even Flash movies (using libswf and Ming) generated on the fly. You can also output easily any text, such as XHTML and any other XML file. PHP can autogenerate these files, and save them in the file system, instead of printing it out, forming a server-side cache for your dynamic content.

One of the strongest and most significant feature in PHP is its support for a wide range of databases. Writing a database-enabled web page is incredibly simple. The following databases are currently supported:

Adabas D	Ingres	Oracle (OCI7 and OCI8)
dBase	InterBase	Ovrimos
Empress	FrontBase	PostgreSQL
FilePro (read-only)	mSQL	Solid
Hyperwave	Direct MS-SQL	Sybase
IBM DB2	MySQL	Velocis
Informix	ODBC	Unix dbm

PHP also has support for talking to other services using protocols such as LDAP, IMAP, SNMP, NNTP, POP3, HTTP, COM (on Windows) and countless others. You can also open raw network sockets and interact using any other protocol. PHP has support for the WDDX complex data exchange between virtually all Web programming languages. Talking about interconnection, PHP has support for instantiation of Java objects and using them transparently as PHP objects. You can also use our CORBA extension to access remote objects.

PHP has extremely useful text processing features, from the POSIX Extended or Perl regular expressions to parsing XML documents. For parsing and accessing XML documents, we support the SAX and DOM standards. You can use our XSLT extension to transform XML documents.

While using PHP in the ecommerce field, you'll find the Cybercash payment, CyberMUT, VeriSign Payflow Pro and CCVS functions useful for your online payment programs.

At last but not least, we have many other interesting extensions, the mnoGoSearch search engine functions, the IRC Gateway functions, many compression utilities (gzip, bz2), calendar conversion, translation...

As you can see this page is not enough to list all the features and benefits PHP can offer. Read on in the sections about installing PHP, and see the function reference part for explanation of the extensions mentioned here.

What do I need?

In this tutorial we assume that your server has support for PHP activated and that all files ending in .php are handled by PHP. On most servers this is the default extension for PHP files, but ask your server administrator to be sure. If your server supports PHP then you don't need to do anything. Just create your .php files and put them in your web directory and the server will magically parse them for you. There is no need to compile anything nor do you need to install any extra tools. Think of these PHP-enabled files as simple HTML files with a whole new family of magical tags that let you do all sorts of things.

Your first PHP-enabled page

Create a file named hello.php under your webserver root directory with the following content:

Příklad 2-1. Our first PHP script: hello.php <html> <head> <title>PHP Test</title> </head> <body> <?php echo "Hello World<p>"; ?> </body> </html> The output of this script will be: <html> <head> <title>PHP Test</title> </head> <body> Hello World<p> </body> </html>

Note that this is not like a CGI script. The file does not need to be executable or special in any way. Think of it as a normal HTML file which happens to have a set of special tags available to you that do a lot of interesting things.

This program is extremely simple and you really didn't need to use PHP to create a page like this. All it does is display: Hello World using the PHP echo() statement.

If you tried this example and it didn't output anything, or it prompted for download, or you see the whole file as text, chances are that the server you are on does not have PHP enabled. Ask your administrator to enable it for you using the Installation chapter of the manual. If you want to develop PHP scripts locally, see the downloads section. You can develop locally on any Operating system, be sure to install an appropriate web server too.

The point of the example is to show the special PHP tag format. In this example we used <?php to indicate the start of a PHP tag. Then we put the PHP statement and left PHP mode by adding the closing tag, ?>. You may jump in and out of PHP mode in an HTML file like this all you want.

Something Useful

Let's do something a bit more useful now. We are going to check what sort of browser the person viewing the page is using. In order to do that we check the user agent string that the browser sends as part of its HTTP request. This information is stored in a variable. Variables always start with a dollar-sign in PHP. The variable we are interested in right now is $_SERVER["HTTP_USER_AGENT"].

To display this variable, we can simply do:

Příklad 2-2. Printing a variable (Array element) <?php echo $_SERVER["HTTP_USER_AGENT"]; ?> A sample output of this script may be: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

There are many types of variables available in PHP. In the above example we printed an Array element. Arrays can be very useful.

$_SERVER is just one variable that's automatically made available to you by PHP. A list can be seen in the Reserved Variables section of the manual or you can get a complete list of them by creating a file that looks like this:

Příklad 2-3. Show all predefined variables with phpinfo() <?php phpinfo(); ?>

If you load up this file in your browser you will see a page full of information about PHP along with a list of all the variables available to you.

You can put multiple PHP statements inside a PHP tag and create little blocks of code that do more than just a single echo. For example, if we wanted to check for Internet Explorer we could do something like this:

Příklad 2-4. Example using control structures and functions <?php if (strstr($_SERVER["HTTP_USER_AGENT"], "MSIE")) { echo "You are using Internet Explorer<br />"; } ?> A sample output of this script may be: You are using Internet Explorer<br />

Here we introduce a couple of new concepts. We have an if statement. If you are familiar with the basic syntax used by the C language this should look logical to you. If you don't know enough C or some other language where the syntax used above is used, you should probably pick up any introductory PHP book and read the first couple of chapters, or read the Language Reference part of the manual. You can find a list of PHP books at http://www.php.net/books.php.

The second concept we introduced was the strstr() function call. strstr() is a function built into PHP which searches a string for another string. In this case we are looking for "MSIE" inside $_SERVER["HTTP_USER_AGENT"]. If the string is found, the function returns TRUE and if it isn't, it returns FALSE. If it returns TRUE, the if statement evaluates to TRUE and the code within its {braces} is executed. Otherwise, it's not. Feel free to create similar examples, with if, else, and other functions such as strtoupper() and strlen(). Each related manual page contains examples too.

We can take this a step further and show how you can jump in and out of PHP mode even in the middle of a PHP block:

Příklad 2-5. Mixing both HTML and PHP modes <?php if (strstr($_SERVER["HTTP_USER_AGENT"], "MSIE")) { ?> <h3>strstr must have returned true</h3> <center><b>You are using Internet Explorer</b></center> <?php } else { ?> <h3>strstr must have returned false</h3> <center><b>You are not using Internet Explorer</b></center> <?php } ?> A sample output of this script may be: <h3>strstr must have returned true</h3> <center><b>You are using Internet Explorer</b></center>

Instead of using a PHP echo statement to output something, we jumped out of PHP mode and just sent straight HTML. The important and powerful point to note here is that the logical flow of the script remains intact. Only one of the HTML blocks will end up getting sent to the viewer depending on if strstr() returned TRUE or FALSE In other words, if the string MSIE was found or not.

Dealing with Forms

One of the most powerful features of PHP is the way it handles HTML forms. The basic concept that is important to understand is that any form element in a form will automatically be available to your PHP scripts. Please read the manual section on Variables from outside of PHP for more information and examples on using forms with PHP. Here's an example HTML form:

Příklad 2-6. A simple HTML form <form action="action.php" method="POST"> Your name: <input type="text" name="name" /> Your age: <input type="text" name="age" /> <input type="submit"> </form>

There is nothing special about this form. It is a straight HTML form with no special tags of any kind. When the user fills in this form and hits the submit button, the action.php page is called. In this file you would have something like this:

Příklad 2-7. Printing data from our form Hi <?php echo $_POST["name"]; ?>. You are <?php echo $_POST["age"]; ?> years old. A sample output of this script may be: Hi Joe. You are 22 years old.

It should be obvious what this does. There is nothing more to it. The $_POST["name"] and $_POST["age"] variables are automatically set for you by PHP. Earlier we used the $_SERVER autoglobal, now above we just introduced the $_POST autoglobal which contains all POST data. Notice how the method of our form is POST. If we used the method GET then our form information would live in the $_GET autoglobal instead. You may also use the $_REQUEST autoglobal if you don't care the source of your request data. It contains a mix of GET, POST, COOKIE and FILE data. See also the import_request_variables() function.

Using old code with new versions of PHP

Now that PHP has grown to be a popular scripting language, there are more resources out there that have listings of code you can reuse in your own scripts. For the most part the developers of the PHP language have tried to be backwards compatible, so a script written for an older version should run (ideally) without changes in a newer version of PHP, in practice some changes will usually be needed.

Two of the most important recent changes that affect old code are:

• The deprecation of the old $HTTP_*_VARS arrays (which need to be indicated as global when used inside a function or method). The following autoglobal arrays were introduced in PHP 4.1.0. They are: $_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_REQUEST, and $_SESSION. The older $HTTP_*_VARS arrays, such as $HTTP_POST_VARS, still exist and have since PHP 3.

• External variables are no longer registered in the global scope by default. In other words, as of PHP 4.2.0 the PHP directive register_globals is off by default in php.ini. The preferred method of accessing these values is via the autoglobal arrays mentioned above. Older scripts, books, and tutorials may rely on this directive being on. If on, for example, one could use $id from the URL http://www.example.com/foo.php?id=42. Whether on or off, $_GET['id'] is available.

What's next?

With what you know now you should be able to understand most of the manual and also the various example scripts available in the example archives. You can also find other examples on the php.net websites in the links section: http://www.php.net/links.php.

General Installation Considerations

Before installing first, you need to know what do you want to use PHP for. There are three main fields you can use PHP, as described in the What can PHP do? section:

• Server-side scripting

• Command line scripting

• Client-side GUI applications

For the first and most common form, you need three things: PHP itself, a web server and a web browser. You probably already have a web browser, and depending on your operating system setup, you may also have a web server (eg. Apache on Linux or IIS on Windows). You may also rent webspace at a company. This way, you don't need to set up anything on your own, only write your PHP scripts, upload it to the server you rent, and see the results in your browser. You can find a list of hosting companies at http://hosts.php.net/.

While setting up the server and PHP on your own, you have two choices for the method of connecting PHP to the server. For many servers PHP has a direct module interface (also called SAPI). These servers include Apache, Microsoft Internet Information Server, Netscape and iPlanet servers. Many other servers have support for ISAPI, the Microsoft module interface (OmniHTTPd for example). If PHP has no module support for your web server, you can always use it as a CGI processor. This means you set up your server to use the command line executable of PHP (php.exe on Windows) to process all PHP file requests on the server.

If you are also interested to use PHP for command line scripting (eg. write scripts autogenerating some images for you offline, or processing text files depending on some arguments you pass to them), you always need the command line executable. For more information, read the section about writing command line PHP applications. In this case, you need no server and no browser.

With PHP you can also write client side GUI applications using the PHP-GTK extension. This is a completely different approach than writing web pages, as you do not output any HTML, but manage windows and objects within them. For more information about PHP-GTK, please visit the site dedicated to this extension. PHP-GTK is not included in the official PHP distribution.

From now on, this section deals with setting up PHP for web servers on Unix and Windows with server module interfaces and CGI executables.

Downloading PHP, the source code, and binary distributions for Windows can be found at http://www.php.net/. We recommend you to choose a mirror nearest to you for downloading the distributions.

Unix/HP-UX installs

This section contains notes and hints specific to installing PHP on HP-UX systems.

From: paul_mckay@clearwater-it.co.uk
04-Jan-2001 09:49
(These tips are for PHP 4.0.4 and Apache v1.3.9) 

So you want to install PHP and Apache on a HP-UX 10.20 box? 

1. You need gzip, download a binary distribution from
http://hpux.connect.org.uk/ftp/hpux/Gnu/gzip-1.2.4a/gzip-1.2.4a-sd-10.20.depot.Z
uncompress the file and install using swinstall 

2. You need gcc, download a binary distribution from 
http://gatekeep.cs.utah.edu/ftp/hpux/Gnu/gcc-2.95.2/gcc-2.95.2-sd-10.20.depot.gz 
gunzip this file and install gcc using swinstall. 

3. You need the GNU binutils, you can download a binary distribution from 
http://hpux.connect.org.uk/ftp/hpux/Gnu/binutils-2.9.1/binutils-2.9.1-sd-10.20.depot.gz 
gunzip and install using swinstall. 

4. You now need bison, you can download a binary distribution from 
http://hpux.connect.org.uk/ftp/hpux/Gnu/bison-1.28/bison-1.28-sd-10.20.depot.gz 
install as above. 

5. You now need flex, you need to download the source from one of the
http://www.gnu.org mirrors. It is in the <filename>non-gnu</filename> directory of the ftp site. 
Download the file, gunzip, then tar -xvf it. Go into the newly created flex
directory and do a ./configure, then a make, and then a make install 

If you have errors here, it's probably because gcc etc. are not in your
PATH so add them to your PATH. 

Right, now into the hard stuff. 

6. Download the PHP and apache sources. 

7. gunzip and tar -xvf them. 

We need to hack a couple of files so that they can compile ok. 

8. Firstly the configure file needs to be hacked because it seems to lose
track of the fact that you are a hpux machine, there will be a
better way of doing this but a cheap and cheerful hack is to put 
    lt_target=hpux10.20 
on line 47286 of the configure script. 

9. Next, the Apache GuessOS file needs to be hacked. Under
apache_1.3.9/src/helpers change line 89 from 
    "echo "hp${HPUXMACH}-hpux${HPUXVER}"; exit 0" 
to: 
    "echo "hp${HPUXMACH}-hp-hpux${HPUXVER}"; exit 0" 
    
10. You cannot install PHP as a shared object under HP-UX so you must compile
it as a static, just follow the instructions at the Apache page. 

11. PHP and apache should have compiled OK, but Apache won't start. you need
to create a new user for Apache, eg www, or apache. You then change lines 252
and 253 of the conf/httpd.conf in Apache so that instead of 
    User nobody 
    Group nogroup 
you have something like 
    User www 
    Group sys 

This is because you can't run Apache as nobody under hp-ux. 
Apache and PHP should then work. 

Hope this helps somebody,
Paul Mckay.

Unix/Linux installs

This section contains notes and hints specific to installing PHP on Linux distributions.

Unix/Mac OS X installs

This section contains notes and hints specific to installing PHP on Mac OS X Server.

1. Get the latest distributions of Apache and PHP
2. Untar them, and run the configure program on Apache like so.
    ./configure --exec-prefix=/usr \ 
    --localstatedir=/var \ 
    --mandir=/usr/share/man \ 
    --libexecdir=/System/Library/Apache/Modules \ 
    --iconsdir=/System/Library/Apache/Icons \ 
    --includedir=/System/Library/Frameworks/Apache.framework/Versions/1.3/Headers \ 
    --enable-shared=max \ 
    --enable-module=most \ 
    --target=apache 

4. You may also want to add this line: 
    setenv OPTIM=-O2 
    If you want the compiler to do some optimization. 
    
5. Next, go to the PHP 4 source directory and configure it. 
    ./configure --prefix=/usr \ 
    --sysconfdir=/etc \ 
    --localstatedir=/var \ 
    --mandir=/usr/share/man \ 
    --with-xml \ 
    --with-apache=/src/apache_1.3.12 

    If you have any other additions (MySQL, GD, etc.), be sure to add
    them here. For the --with-apache string, put in the path to your 
    apache source directory, for example "/src/apache_1.3.12". 
6. make
7. make install    
    This will add a directory to your Apache source directory under
    src/modules/php4.
    
8. Now, reconfigure Apache to build in PHP 4.
    ./configure --exec-prefix=/usr \ 
    --localstatedir=/var \ 
    --mandir=/usr/share/man \ 
    --libexecdir=/System/Library/Apache/Modules \ 
    --iconsdir=/System/Library/Apache/Icons \ 
    --includedir=/System/Library/Frameworks/Apache.framework/Versions/1.3/Headers \ 
    --enable-shared=max \ 
    --enable-module=most \ 
    --target=apache \ 
    --activate-module=src/modules/php4/libphp4.a 

    You may get a message telling you that libmodphp4.a is out of date.
    If so, go to the src/modules/php4 directory inside your apache
    source directory and run this command: 

    ranlib libmodphp4.a 

    Then go back to the root of the apache source directory and run the
    above configure command again. That'll bring the link table up to
    date. 

9. make

10. make install

11. copy and rename the php.ini-dist file to your "bin" directory from your
    PHP 4 source directory:
    cp php.ini-dist /usr/local/bin/php.ini 

    or (if your don't have a local directory) 

    cp php.ini-dist /usr/bin/php.ini

#AddType application/x-httpd-php .php 
   #AddType application/x-httpd-php-source .phps

Unix/OpenBSD installs

This section contains notes and hints specific to installing PHP on OpenBSD.

$ cd /usr/ports/www/php4
$ make show VARNAME=FLAVORS
 (choose which flavors you want from the list)
$ env FLAVOR="imap gettext ldap mysql gd" make install
$ /usr/local/sbin/php4-enable

Unix/Solaris installs

This section contains notes and hints specific to installing PHP on Solaris systems.

Installation on UNIX systems

This section will guide you through the general configuration and installation of PHP on Unix systems. Be sure to investigate any sections specific to your platform or web server before you begin the process.

Prerequisite knowledge and software:

• Basic UNIX skills (being able to operate "make" and a C compiler, if compiling)

• An ANSI C compiler (if compiling)

• flex (for compiling)

• bison (for compiling)

• A web server

• Any module specific components (such as gd, pdf libs, etc.)

There are several ways to install PHP for the Unix platform, either with a compile and configure process, or through various pre-packaged methods. This documentation is mainly focused around the process of compiling and configuring PHP.

The initial PHP setup and configuration process is controlled by the use of the commandline options of the configure script. This page outlines the usage of the most common options, but there are many others to play with. Check out the Complete list of configure options for an exhaustive rundown. There are several ways to install PHP:

• As an Apache module

• As an fhttpd module

• For use with AOLServer, NSAPI, phttpd, Pi3Web, Roxen, thttpd, or Zeus.

• As a CGI executable

1.  gunzip apache_1.3.x.tar.gz
2.  tar xvf apache_1.3.x.tar
3.  gunzip php-x.x.x.tar.gz
4.  tar xvf php-x.x.x.tar
5.  cd apache_1.3.x
6.  ./configure --prefix=/www
7.  cd ../php-x.x.x
8.  ./configure --with-mysql --with-apache=../apache_1.3.x --enable-track-vars
9.  make
10. make install
11. cd ../apache_1.3.x
12. ./configure --activate-module=src/modules/php4/libphp4.a
13. make
14. make install
15. cd ../php-x.x.x
16. cp php.ini-dist /usr/local/lib/php.ini
17. Edit your httpd.conf or srm.conf file and add: 
      AddType application/x-httpd-php .php

18. Use your normal procedure for restarting the Apache server. (You must
    stop and restart the server, not just cause the server to reload by
    use a HUP or USR1 signal.)

Installation on Windows systems

This section applies to Windows 95/98/Me and Windows NT/2000/XP. Do not expect PHP to work on 16 bit platforms such as Windows 3.1. Sometimes we refer to the supported Windows platforms as Win32.

There are two main ways to install PHP for Windows: either manually or by using the InstallShield installer.

If you have Microsoft Visual Studio, you can also build PHP from the original source code.

Once you have PHP installed on your Windows system, you may also want to load various extensions for added functionality.

Servers-CGI/Commandline

The default is to build PHP as a CGI program. This creates a commandline interpreter, which can be used for CGI processing, or for non-web-related PHP scripting. If you are running a web server PHP has module support for, you should generally go for that solution for performance reasons. However, the CGI version enables Apache users to run different PHP-enabled pages under different user-ids. Please make sure you read through the Security chapter if you are going to run PHP as a CGI.

Servers-Apache

This section contains notes and hints specific to Apache installs of PHP, both for Unix and Windows versions.

1.  gunzip apache_xxx.tar.gz
2.  tar -xvf apache_xxx.tar
3.  gunzip php-xxx.tar.gz
4.  tar -xvf php-xxx.tar
5.  cd apache_xxx
6.  ./configure --prefix=/www --enable-module=so
7.  make
8.  make install
9.  cd ../php-xxx
10. ./configure --with-mysql --with-apxs=/www/bin/apxs
11. make
12. make install

  If you decide to change your configure options after installation
  you only need to repeat the last three steps. You only need to 
  restart apache for the new module to take effect. A recompile of
  Apache is not needed.

11. cp php.ini-dist /usr/local/lib/php.ini

  You can edit your .ini file to set PHP options.  If
  you prefer this file in another location, use
  --with-config-file-path=/path in step 8.

12. Edit your httpd.conf or srm.conf file and check that these lines are
    present and not commented out:
  
   AddType application/x-httpd-php .php

   LoadModule php4_module        libexec/libphp4.so
 
  You can choose any extension you wish here.  .php is simply the one
  we suggest. You can even include .html, and .php3 can be added for 
  backwards compatibility.
 
  The path on the right hand side of the LoadModule statement must point
  to the path of the PHP module on your system. The above statement is 
  correct for the steps shown above.


13. Use your normal procedure for starting the Apache server. (You must
    stop and restart the server, not just cause the server to reload by
    use a HUP or USR1 signal.)

1. Several Linux and SysV variants:
/etc/rc.d/init.d/httpd restart

2. Using apachectl scripts:
/path/to/apachectl stop
/path/to/apachectl start

3. httpdctl and httpsdctl (Using OpenSSL), similar to apachectl:
/path/to/httpsdctl stop
/path/to/httpsdctl start

4. Using mod_ssl, or another SSL server, you may want to manually
stop and start:
/path/to/apachectl stop
/path/to/apachectl startssl

./configure --with-apxs --with-pgsql

./configure --with-apxs --with-pgsql=shared

./configure --with-apache=/path/to/apache_source --with-pgsql

./configure --with-apache=/path/to/apache_source --with-pgsql=shared

Servers-Caudium

PHP 4 can be built as a Pike module for the Caudium webserver. Note that this is not supported with PHP 3. Follow the simple instructions below to install PHP 4 for Caudium.

1.  Make sure you have Caudium installed prior to attempting to
    install PHP 4. For PHP 4 to work correctly, you will need Pike
    7.0.268 or newer. For the sake of this example we assume that
    Caudium is installed in /opt/caudium/server/.
2.  Change directory to php-x.y.z (where x.y.z is the version number).
3.  ./configure --with-caudium=/opt/caudium/server
4.  make
5.  make install
6.  Restart Caudium if it's currently running.
7.  Log into the graphical configuration interface and go to the
    virtual server where you want to add PHP 4 support.
8.  Click Add Module and locate and then add the PHP 4 Script Support module.
9.  If the documentation says that the 'PHP 4 interpreter isn't
    available', make sure that you restarted the server. If you did
    check /opt/caudium/logs/debug/default.1 for any errors related to
    <filename>PHP4.so</filename>. Also make sure that 
    <filename>caudium/server/lib/[pike-version]/PHP4.so</filename>
    is present.
10. Configure the PHP Script Support module if needed.

You can of course compile your Caudium module with support for the various extensions available in PHP 4. See the complete list of configure options for an exhaustive rundown.

Servers-fhttpd

To build PHP as an fhttpd module, answer "yes" to "Build as an fhttpd module?" (the --with-fhttpd=DIR option to configure) and specify the fhttpd source base directory. The default directory is /usr/local/src/fhttpd. If you are running fhttpd, building PHP as a module will give better performance, more control and remote execution capability.

Servers-IIS/PWS

This section contains notes and hints specific to IIS (Microsoft Internet Information Server). Installing PHP for PWS/IIS 3, PWS 4 or newer and IIS 4 or newer versions.

Servers-Netscape and iPlanet

This section contains notes and hints specific to Netscape and iPlanet installs of PHP, both for Sun Solaris and Windows versions.

You can find more information about setting up PHP for the Netscape Enterprise Server here: http://benoit.noss.free.fr/php/install-php4.html

Configuration Instructions for Netscape Enterprise Server
From: bhager@invacare.com

1. Add the following line to mime.types:
    type=magnus-internal/x-httpd-php exts=php

2. Add the following to obj.conf, shlib will vary depending on
    your OS, for unix it will be something like
    /opt/netscape/suitespot/bin/libphp4.so.

    You should place the following lines after mime types init.
    Init fn="load-modules" funcs="php4_init,php4_close,php4_execute,php4_auth_trans" shlib="/php4/nsapiPHP4.dll"
    Init fn=php4_init errorString="Failed to initialize PHP!"

    <object name="default">
    . 
    . 
    . 
    .#NOTE this next line should happen after all 'ObjectType' and before all 'AddLog' lines 
    Service fn="php4_execute" type="magnus-internal/x-httpd-php" 
    . 
    . 
    </Object>


    <Object name="x-httpd-php"> 
    ObjectType fn="force-type" type="magnus-internal/x-httpd-php" 
    Service fn=php4_execute 
    </Object> 


    Authentication configuration 

    PHP authentication cannot be used with any other authentication. ALL AUTHENTICATION IS 
    PASSED TO YOUR PHP SCRIPT. To configure PHP Authentication for the entire server, add 
    the following line: 

    <Object name="default"> 
    AuthTrans fn=php4_auth_trans 
    . 
    . 
    . 
    . 
    </Object> 

    To use PHP Authentication on a single directory, add the following: 

    <Object ppath="d:\path\to\authenticated\dir\*"> 
    AuthTrans fn=php4_auth_trans 
    </Object>

Place these lines after the mime types init, and everything else is similar
to the example configuration above.
From: Graeme Hoose (GraemeHoose@BrightStation.com)

Init fn="load-modules" shlib="/path/to/server4/bin/libphp4.so" funcs="php4_init,php4_close,php4_execute,php4_auth_trans"
Init fn="php4_init" LateInit="yes"

Servers-OmniHTTPd Server

This section contains notes and hints specific to OmniHTTPd.

Servers-Oreilly Website Pro

This section contains notes and hints specific to Oreilly Website Pro.

Servers-Xitami

This section contains notes and hints specific to Xitami.

Servers-Other web servers

PHP can be built to support a large number of web servers. Please see Server-related options for a full list of server-related configure options. The PHP CGI binaries are compatible with almost all webservers supporting the CGI standard.

Problems?

Complete list of configure options

The following is a complete list of options supported by PHP 4 configure scripts (as of 4.1.0), used when compiling in Unix-like environments. Some are available in PHP 3, some in PHP 4, and some in both. This is not noted yet.

• Database

• Graphics

• Miscellaneous

• PHP Behaviour

• Server

• XML

The configuration file

The configuration file (called php3.ini in PHP 3.0, and simply php.ini as of PHP 4.0) is read when PHP starts up. For the server module versions of PHP, this happens only once when the web server is started. For the CGI and CLI version, it happens on every invocation.

The default location of php.ini is a compile time option (see the FAQ entry), but can be changed for the CGI and CLI version with the -c command line switch, see the chapter about using PHP from the command line. You can also use the environment variable PHPRC for an additionaly path to search for php.ini.

Not every PHP directive is documented below. For a list of all directives, please read your well commented php.ini file. You may want to view the latest php.ini here from CVS.

Příklad 4-1. php.ini example ; any text on a line after an unquoted semicolon (;) is ignored [php] ; section markers (text within square brackets) are also ignored ; Boolean values can be set to either: ; true, on, yes ; or false, off, no, none register_globals = off magic_quotes_gpc = yes ; you can enclose strings in double-quotes include_path = ".:/usr/local/lib/php" ; backslashes are treated the same as any other character include_path = ".;c:\php\lib"

When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files and .htaccess files (You will need "AllowOverride Options" or "AllowOverride All" privileges)

With PHP 3.0, there are Apache directives that correspond to each configuration setting in the php3.ini name, except the name is prefixed by "php3_".

With PHP 4.0, there are several Apache directives that allow you to change the PHP configuration from within the Apache configuration file itself.

Příklad 4-2. Apache configuration example <IfModule mod_php4.c> php_value include_path ".:/usr/local/lib/php" php_flag safe_mode on </IfModule> <IfModule mod_php3.c> php3_include_path ".:/usr/local/lib/php" php3_safe_mode on </IfModule>

You can view the settings of the configuration values in the output of phpinfo(). You can also access the values of individual configuration settings using ini_get() or get_cfg_var().

General considerations

A completely secure system is a virtual impossibility, so an approach often used in the security profession is one of balancing risk and usability. If every variable submitted by a user required two forms of biometric validation (such as a retinal scan and a fingerprint), you would have an extremely high level of accountability. It would also take half an hour to fill out a fairly complex form, which would tend to encourage users to find ways of bypassing the security.

The best security is often inobtrusive enough to suit the requirements without the user being prevented from accomplishing their work, or over-burdening the code author with excessive complexity. Indeed, some security attacks are merely exploits of this kind of overly built security, which tends to erode over time.

A phrase worth remembering: A system is only as good as the weakest link in a chain. If all transactions are heavily logged based on time, location, transaction type, etc. but the user is only verified based on a single cookie, the validity of tying the users to the transaction log is severely weakened.

When testing, keep in mind that you will not be able to test all possibilities for even the simplest of pages. The input you may expect will be completely unrelated to the input given by a disgruntled employee, a cracker with months of time on their hands, or a housecat walking across the keyboard. This is why it's best to look at the code from a logical perspective, to discern where unexpected data can be introduced, and then follow how it is modified, reduced, or amplified.

The Internet is filled with people trying to make a name for themselves by breaking your code, crashing your site, posting inappropriate content, and otherwise making your day interesting. It doesn't matter if you have a small or large site, you are a target by simply being online, by having a server that can be connected to. Many cracking programs do not discern by size, they simply trawl massive IP blocks looking for victims. Try not to become one.

Installed as CGI binary

Action php-script /cgi-bin/php
AddHandler php-script .php

#!/usr/local/bin/php

Installed as an Apache module

When PHP is used as an Apache module it inherits Apache's user permissions (typically those of the "nobody" user). This has several impacts on security and authorization. For example, if you are using PHP to access a database, unless that database has built-in access control, you will have to make the database accessable to the "nobody" user. This means a malicious script could access and modify the database, even without a username and password. It's entirely possible that a web spider could stumble across a database administrator's web page, and drop all of your databases. You can protect against this with Apache authorization, or you can design your own access model using LDAP, .htaccess files, etc. and include that code as part of your PHP scripts.

Often, once security is established to the point where the PHP user (in this case, the apache user) has very little risk attached to it, it is discovered that PHP is now prevented from writing any files to user directories. Or perhaps it has been prevented from accessing or changing databases. It has equally been secured from writing good and bad files, or entering good and bad database transactions.

A frequent security mistake made at this point is to allow apache root permissions, or to escalate apache's abilitites in some other way.

Escalating the Apache user's permissions to root is extremely dangerous and may compromise the entire system, so sudo'ing, chroot'ing, or otherwise running as root should not be considered by those who are not security professionals.

There are some simpler solutions. By using open_basedir you can control and restrict what directories are allowed to be used for PHP. You can also set up apache-only areas, to restrict all web based activity to non-user, or non-system, files.

Filesystem Security

PHP is subject to the security built into most server systems with respect to permissions on a file and directory basis. This allows you to control which files in the filesystem may be read. Care should be taken with any files which are world readable to ensure that they are safe for reading by all users who have access to that filesystem.

Since PHP was designed to allow user level access to the filesystem, it's entirely possible to write a PHP script that will allow you to read system files such as /etc/passwd, modify your ethernet connections, send massive printer jobs out, etc. This has some obvious implications, in that you need to ensure that the files that you read from and write to are the appropriate ones.

Consider the following script, where a user indicates that they'd like to delete a file in their home directory. This assumes a situation where a PHP web interface is regularly used for file management, so the Apache user is allowed to delete files in the user home directories.

Příklad 5-1. Poor variable checking leads to.... <?php // remove a file from the user's home directory $username = $_POST['user_submitted_name']; $homedir = "/home/$username"; $file_to_delete = "$userfile"; unlink ($homedir/$userfile); echo "$file_to_delete has been deleted!"; ?>

Since the username is postable from a user form, they can submit a username and file belonging to someone else, and delete files. In this case, you'd want to use some other form of authentication. Consider what could happen if the variables submitted were "../etc/" and "passwd". The code would then effectively read:

Příklad 5-2. ... A filesystem attack <?php // removes a file from anywhere on the hard drive that // the PHP user has access to. If PHP has root access: $username = "../etc/"; $homedir = "/home/../etc/"; $file_to_delete = "passwd"; unlink ("/home/../etc/passwd"); echo "/home/../etc/passwd has been deleted!"; ?>

There are two important measures you should take to prevent these issues.

• Only allow limited permissions to the PHP web user binary.

• Check all variables which are submitted.

<?php
// removes a file from the hard drive that
// the PHP user has access to.
$username = $_SERVER['REMOTE_USER']; // using an authentication mechanisim

$homedir = "/home/$username";

$file_to_delete = basename("$userfile"); // strip paths
unlink ($homedir/$file_to_delete);

$fp = fopen("/home/logging/filedelete.log","+a"); //log the deletion
$logstring = "$username $homedir $file_to_delete";
fputs ($fp, $logstring);
fclose($fp);

echo "$file_to_delete has been deleted!";
?>

<?php
$username = $_SERVER['REMOTE_USER']; // using an authentication mechanisim
$homedir = "/home/$username";

if (!ereg('^[^./][^/]*$', $userfile))
     die('bad filename'); //die, do not process

if (!ereg('^[^./][^/]*$', $username))
     die('bad username'); //die, do not process
//etc...
?>

Depending on your operating system, there are a wide variety of files which you should be concerned about, including device entries (/dev/ or COM1), configuration files (/etc/ files and the .ini files), well known file storage areas (/home/, My Documents), etc. For this reason, it's usually easier to create a policy where you forbid everything except for what you explicitly allow.

Database Security

Nowadays, databases are cardinal components of any web based application by enabling websites to provide varying dynamic content. Since very sensitive or secret informations can be stored in such database, you should strongly consider to protect them somehow.

To retrieve or to store any information you need to connect to the database, send a legitimate query, fetch the result, and close the connecion. Nowadays, the commonly used query language in this interaction is the Structured Query Language (SQL). See how an attacker can tamper with an SQL query.

As you can realize, PHP cannot protect your database by itself. The following sections aim to be an introduction into the very basics of how to access and manipulate databases within PHP scripts.

Keep in mind this simple rule: defence in depth. In the more place you take the more action to increase the protection of your database, the less probability of that an attacker succeeds, and exposes or abuse any stored secret information. Good design of the database schema and the application deals with your greatest fears.

// storing password hash
$query  = sprintf("INSERT INTO users(name,pwd) VALUES('%s','%s');",
            addslashes($username), md5($password));
$result = pg_exec($connection, $query);

// querying if user submitted the right password
$query = sprintf("SELECT 1 FROM users WHERE name='%s' AND pwd='%s';",
            addslashes($username), md5($password));
$result = pg_exec($connection, $query);

if (pg_numrows($result) > 0) {
    echo "Welcome, $username!";
}
else {
    echo "Authentication failed for $username.";
}

// in case of PostgreSQL
0;
insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
    select 'crack', usesysid, 't','t','crack'
    from pg_shadow where usename='postgres';
--

// in case of MySQL
0;
UPDATE user SET Password=PASSWORD('crack') WHERE user='root';
FLUSH PRIVILEGES;

'
union select '1', concat(uname||'-'||passwd) as name, '1971-01-01', '0' from usertable;
--

// $uid == ' or uid like'%admin%'; --
$query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%'; --";

// $pwd == "hehehe', admin='yes', trusted=100 "
$query = "UPDATE usertable SET pwd='hehehe', admin='yes', trusted=100 WHERE ...;"

$query  = "SELECT * FROM products
                    WHERE id LIKE '%a%'
                    exec master..xp_cmdshell 'net user test testpass /ADD'--";
$result = mssql_query($query);

Error Reporting

With PHP security, there are two sides to error reporting. One is beneficial to increasing security, the other is detrimental.

A standard attack tactic involves profiling a system by feeding it improper data, and checking for the kinds, and contexts, of the errors which are returned. This allows the system cracker to probe for information about the server, to determine possible weaknesses. For example, if an attacker had gleaned information about a page based on a prior form submission, they may attempt to override variables, or modify them:

Příklad 5-11. Attacking Variables with a custom HTML page <form method="post" action="attacktarget?username=badfoo&password=badfoo"> <input type="hidden" name="username" value="badfoo"> <input type="hidden" name="password" value="badfoo"> </form>

The PHP errors which are normally returned can be quite helpful to a developer who is trying to debug a script, indicating such things as the function or file that failed, the PHP file it failed in, and the line number which the failure occured in. This is all information that can be exploited. It is not uncommon for a php developer to use show_source(), highlight_string(), or highlight_file() as a debugging measure, but in a live site, this can expose hidden variables, unchecked syntax, and other dangerous information. Especially dangerous is running code from known sources with built-in debugging handlers, or using common debugging techniques. If the attacker can determine what general technique you are using, they may try to brute-force a page, by sending various common debugging strings:

Příklad 5-12. Exploiting common debugging variables <form method="post" action="attacktarget?errors=Y&amp;showerrors=1"&debug=1"> <input type="hidden" name="errors" value="Y"> <input type="hidden" name="showerrors" value="1"> <input type="hidden" name="debug" value="1"> </form>

Regardless of the method of error handling, the ability to probe a system for errors leads to providing an attacker with more information.

For example, the very style of a generic PHP error indicates a system is running PHP. If the attacker was looking at an .html page, and wanted to probe for the back-end (to look for known weaknesses in the system), by feeding it the wrong data they may be able to determine that a system was built with PHP.

A function error can indicate whether a system may be running a specific database engine, or give clues as to how a web page or programmed or designed. This allows for deeper investigation into open database ports, or to look for specific bugs or weaknesses in a web page. By feeding different pieces of bad data, for example, an attacker can determine the order of authentication in a script, (from the line number errors) as well as probe for exploits that may be exploited in different locations in the script.

A filesystem or general PHP error can indicate what permissions the webserver has, as well as the structure and organization of files on the web server. Developer written error code can aggravate this problem, leading to easy exploitation of formerly "hidden" information.

There are three major solutions to this issue. The first is to scrutinize all functions, and attempt to compensate for the bulk of the errors. The second is to disable error reporting entirely on the running code. The third is to use PHP's custom error handling functions to create your own error handler. Depending on your security policy, you may find all three to be applicable to your situation.

One way of catching this issue ahead of time is to make use of PHP's own error_reporting(), to help you secure your code and find variable usage that may be dangerous. By testing your code, prior to deployment, with E_ALL, you can quickly find areas where your variables may be open to poisoning or modification in other ways. Once you are ready for deployment, by using E_NONE, you insulate your code from probing.

Příklad 5-13. Finding dangerous variables with E_ALL <?php if ($username) { // Not initialized or checked before usage $good_login = 1; } if ($good_login == 1) { // If above test fails, not initialized or checked before usage fpassthru ("/highly/sensitive/data/index.html"); } ?>

Using Register Globals

One feature of PHP that can be used to enhance security is configuring PHP with register_globals = off. By turning off the ability for any user-submitted variable to be injected into PHP code, you can reduce the amount of variable poisoning a potential attacker may inflict. They will have to take the additional time to forge submissions, and your internal variables are effectively isolated from user submitted data.

While it does slightly increase the amount of effort required to work with PHP, it has been argued that the benefits far outweigh the effort.

Příklad 5-14. Working without register_globals=off <?php if ($username) { // can be forged by a user in get/post/cookies $good_login = 1; } if ($good_login == 1) { // can be forged by a user in get/post/cookies, fpassthru ("/highly/sensitive/data/index.html"); } ?>

Příklad 5-15. Working with register_globals = off <?php if($_COOKIE['username']){ // can only come from a cookie, forged or otherwise $good_login = 1; fpassthru ("/highly/sensitive/data/index.html"); } ?>

By using this wisely, it's even possible to take preventative measures to warn when forging is being attempted. If you know ahead of time exactly where a variable should be coming from, you can check to see if submitted data is coming from an inappropriate kind of submission. While it doesn't guarantee that data has not been forged, it does require an attacker to guess the right kind of forging.

Příklad 5-16. Detecting simple variable poisoning <?php if ($_COOKIE['username'] && !$_POST['username'] && !$_GET['username'] ) { // Perform other checks to validate the user name... $good_login = 1; fpassthru ("/highly/sensitive/data/index.html"); } else { mail("admin@example.com", "Possible breakin attempt", $_SERVER['REMOTE_ADDR']); echo "Security violation, admin has been alerted."; exit; } ?>

Of course, simply turning off register_globals does not mean code is secure. For every piece of data that is submitted, it should also be checked in other ways.

User Submitted Data

The greatest weakness in many PHP programs is not inherent in the language itself, but merely an issue of code not being written with security in mind. For this reason, you should always take the time to consider the implications of a given piece of code, to ascertain the possible damage if an unexpected variable is submitted to it.

Příklad 5-17. Dangerous Variable Usage <?php // remove a file from the user's home directory... or maybe // somebody else's? unlink ($evil_var); // Write logging of their access... or maybe an /etc/passwd entry? fputs ($fp, $evil_var); // Execute something trivial.. or rm -rf *? system ($evil_var); exec ($evil_var); ?>

You should always carefully examine your code to make sure that any variables being submitted from a web browser are being properly checked, and ask yourself the following questions:

• Will this script only affect the intended files?

• Can unusual or undesirable data be acted upon?

• Can this script be used in unintended ways?

• Can this be used in conjunction with other scripts in a negative manner?

• Will any transactions be adequately logged?

You may also want to consider turning off register_globals, magic_quotes, or other convenience settings which may confuse you as to the validity, source, or value of a given variable. Working with PHP in error_reporting(E_ALL) mode can also help warn you about variables being used before they are checked or initialized (so you can prevent unusual data from being operated upon).

Hiding PHP

In general, security by obscurity is one of the weakest forms of security. But in some cases, every little bit of extra security is desirable.

A few simple techniques can help to hide PHP, possibly slowing down an attacker who is attempting to discover weaknesses in your system. By setting expose_php = off in your php.ini file, you reduce the amount of information available to them.

Another tactic is to configure web servers such as apache to parse different filetypes through PHP, either with an .htaccess directive, or in the apache configuration file itself. You can then use misleading file extensions:

Příklad 5-18. Hiding PHP as another language # Make PHP code look like other code types AddType application/x-httpd-php .asp .py .pl

Or obscure it completely:

Příklad 5-19. Using unknown types for PHP extensions # Make PHP code look like unknown types AddType application/x-httpd-php .bop .foo .133t

Or hide it as html code, which has a slight performance hit because all html will be parsed through the PHP engine:

Příklad 5-20. Using html types for PHP extensions # Make all PHP code look like html AddType application/x-httpd-php .htm .html

For this to work effectively, you must rename your PHP files with the above extensions. While it is a form of security through obscurity, it's a minor preventative measure with few drawbacks.

Keeping Current

PHP, like any other large system, is under constant scrutiny and improvement. Each new version will often include both major and minor changes to enhance and repair security flaws, configuration mishaps, and other issues that will affect the overall security and stability of your system.

Like other system-level scripting languages and programs, the best approach is to update often, and maintain awareness of the latest versions and their changes.

Opuštění HTML

Jsou čtyři způsoby jak opustit HTML a vstoupit to "PHP módu":

Příklad 6-1. Způsoby opuštění HTML 1. <? echo ("toto je nejjednodušší SGML zpracovatelská instrukce\n"); ?> 2. <?php echo("pokud chcete zpracovávat XHTML nebo XML dokumenty, používejte toto\n"); ?> 3. <script language="php"> echo ("některé editory (například FrontPage) nemají zpracovatelské instrukce v lásce"); </script> 4. <% echo ("případně můžete používat ASP tagy"); %> <%= $variable; # toto je zkratka za "<%echo .." %>

První způsob je dostupný pouze, pokud jsou povoleny krátké tagy. To se dá udělat povolením konfigurační direktivy short_open_tag v konfiguračním souboru PHP, nebo kompilací PHP s configure volbou --enable-short-tags.

Obecně preferovanou metodou je druhý způsob, protože umožňuje snadnou implementaci dalšího generování XHTML z PHP.

Čtvrtý způsob je dostupný, pouze pokud byly povoleny ASP tagy pomocí konfigurační direktivy asp_tags.

Případná bezprostředně následující sekvence konce řádku je součástí uzavírajícího tagu.

Oddělování instrukcí

Instrukce se oddělují stejně jako v C nebo Perlu - ukončujte každý výraz středníkem.

Uzavírající tag (?>) také implikuje konec výrazu, takže následující ukázky jsou ekvivalentní:

<?php
    echo "Toto je test";
?>

<?php echo "Toto je test" ?>

Komentáře

PHP podporuje komentářové notace jazyků 'C', 'C++' a Unixového shellu. Například:

<?php
    echo "Toto je test"; // Toto je jednořádkový komentář typu C++
    /* Toto je víceřádkový komentář
       a ještě jeden komentář */
    echo "Toto je další test";
    echo "Poslední Test"; # Toto je komentář shellového typu
?>

Jednořádkové typy komentářů ve skutečnosti komentují do konce řádku nebo současného bloku PHP kódu, podle toho, co se vyskytuje dřív.

<h1>Toto je  <?php # echo "malý";?> příklad.</h1>
<p>Hlavička na předchozím řádku bude 'Toto je příklad'.

Měli byste si dát pozor na vnořování komentářů typu 'C++', ke kterému může dojít při zakomentování velkých bloků.

<?php
 /*
    echo "Toto je test"; /* Tento komentář způsobí problém */
 */
?>

Introduction

PHP supports eight primitive types.

Four scalar types:

• boolean

• integer

• floating-point number (float)

• string

• array

• object

• resource

• NULL

The type of a variable is usually not set by the programmer; rather, it is decided at runtime by PHP depending on the context in which that variable is used.

If you would like to force a variable to be converted to a certain type, you may either cast the variable or use the settype() function on it.

Note that a variable may behave in different manners in certain situations, depending on what type it is at the time. For more information, see the section on Type Juggling.

Booleans

This is the easiest type. A boolean expresses a truth value. It can be either TRUE or FALSE.

$foo = True; // assign the value TRUE to $foo

// == is an operator which returns a boolean
if ($action == "show_version") {
    echo "The version is 1.23";
}

// this is not necessary:
if ($show_separators == TRUE) {
    echo "<hr>\n";
}

// because you can simply type this:
if ($show_separators) {
    echo "<hr>\n";
}

Integers

An integer is a number of the set Z = {..., -2, -1, 0, 1, 2, ...}.

See also: Arbitrary length integers and Floating point numbers

$large_number =  2147483647;
var_dump($large_number);
// output: int(2147483647)

$large_number =  2147483648;
var_dump($large_number);
// output: float(2147483648)

// this goes also for hexadecimal specified integers:
var_dump( 0x80000000 );
// output: float(2147483648)

$million = 1000000;
$large_number =  50000 * $million;
var_dump($large_number);
// output: float(50000000000)

var_dump( 25/7 );
// output: float(3.5714285714286)

echo (int) ( (0.1+0.7) * 10 ); // echoes 7!

Floating point numbers

Floating point numbers (AKA "floats", "doubles" or "real numbers") can be specified using any of the following syntaxes:

$a = 1.234; $a = 1.2e3; $a = 7E-10;

The size of a float is platform-dependent, although a maximum of ~1.8e308 with a precision of roughly 14 decimal digits is a common value (that's 64 bit IEEE format).

Strings

A string is series of characters. In PHP, a character is the same as a byte, that is, there are exactly 256 different characters possible. This also implies that PHP has no native support of Unicode.

echo 'this is a simple string';
echo 'You can also have embedded newlines in strings,
like this way.';
echo 'Arnold once said: "I\'ll be back"';
// output: ... "I'll be back"
echo 'Are you sure you want to delete C:\\*.*?';
// output: ... delete C:\*.*?
echo 'Are you sure you want to delete C:\*.*?';
// output: ... delete C:\*.*?
echo 'I am trying to include at this point: \n a newline';
// output: ... this point: \n a newline

$beer = 'Heineken';
echo "$beer's taste is great"; // works, "'" is an invalid character for varnames
echo "He drunk some $beers"; // won't work, 's' is a valid character for varnames
echo "He drunk some ${beer}s"; // works

$fruits = array( 'strawberry' => 'red' , 'banana' => 'yellow' );

// note that this works differently outside string-quotes.
echo "A banana is $fruits[banana].";

echo "This square is $square->width meters broad.";

// Won't work. For a solution, see the complex syntax.
echo "This square is $square->width00 centimeters broad.";

$great = 'fantastic';
echo "This is { $great}"; // won't work, outputs: This is { fantastic}
echo "This is {$great}";  // works, outputs: This is fantastic
echo "This square is {$square->width}00 centimeters broad."; 
echo "This works: {$arr[4][3]}";     

// This is wrong for the same reason
// as $foo[bar] is wrong outside a string. 
echo "This is wrong: {$arr[foo][3]}"; 

echo "You should do it this way: {$arr['foo'][3]}";
echo "You can even write {$obj->values[3]->name}";
echo "This is the value of the var named $name: {${$name}}";

$foo = 1 + "10.5";              // $foo is float (11.5)
$foo = 1 + "-1.3e3";            // $foo is float (-1299)
$foo = 1 + "bob-1.3e3";         // $foo is integer (1)
$foo = 1 + "bob3";              // $foo is integer (1)
$foo = 1 + "10 Small Pigs";     // $foo is integer (11)
$foo = 4 + "10.2 Little Piggies"; // $foo is float (14.2)
$foo = "10.0 pigs " + 1;        // $foo is float (11)
$foo = "10.0 pigs " + 1.0;      // $foo is float (11)

echo "\$foo==$foo; type is " . gettype ($foo) . "<br />\n";

Arrays

An array in PHP is actually an ordered map. A map is a type that maps values to keys. This type is optimized in several ways, so you can use it as a real array, or a list (vector), hashtable (which is an implementation of a map), dictionary, collection, stack, queue and probably more. Because you can have another PHP-array as a value, you can also quite easily simulate trees.

Explanation of those structures is beyond the scope of this manual, but you'll find at least one example for each of those structures. For more information about those structures, we refer you to external literature about this broad topic.

$foo[bar] = 'enemy';
echo $foo[bar];
// etc

echo $arr[ foo(true) ];

$error_descriptions[E_ERROR] = "A fatal error has occured";
$error_descriptions[E_WARNING] = "PHP issued a warning";
$error_descriptions[E_NOTICE] = "This is just an informal notice";

$error_descriptions[1] = "A fatal error has occured";
$error_descriptions[2] = "PHP issued a warning";
$error_descriptions[8] = "This is just an informal notice";

// this
$a = array( 'color' => 'red'
          , 'taste' => 'sweet'
          , 'shape' => 'round'
          , 'name'  => 'apple'
          ,            4        // key will be 0
          );

// is completely equivalent with
$a['color'] = 'red';
$a['taste'] = 'sweet';
$a['shape'] = 'round';
$a['name'] = 'apple';
$a[]        = 4;        // key will be 0

$b[] = 'a';
$b[] = 'b';
$b[] = 'c';
// will result in the array array( 0 => 'a' , 1 => 'b' , 2 => 'c' ),
// or simply array('a', 'b', 'c')

// Array as (property-)map
$map = array( 'version'    => 4
            , 'OS'         => 'Linux'
            , 'lang'       => 'english'
            , 'short_tags' => true
            );
            
// strictly numerical keys
$array = array( 7
              , 8
              , 0
              , 156
              , -10
              );
// this is the same as array( 0 => 7, 1 => 8, ...)

$switching = array(         10 // key = 0
                  , 5    =>  6
                  , 3    =>  7 
                  , 'a'  =>  4
                  ,         11 // key = 6 (maximum of integer-indices was 5)
                  , '8'  =>  2 // key = 8 (integer!)
                  , '02' => 77 // key = '02'
                  , 0    => 12 // the value 10 will be overwritten by 12
                  );
                  
// empty array
$empty = array();

$colors = array('red','blue','green','yellow');

foreach ( $colors as $color ) {
    echo "Do you like $color?\n";
}

/* output:
Do you like red?
Do you like blue?
Do you like green?
Do you like yellow?
*/

// fill an array with all items from a directory
$handle = opendir('.');
while ($file = readdir($handle)) 
{
    $files[] = $file;
}
closedir($handle);

sort($files);
print_r($files);

$fruits = array ( "fruits"  => array ( "a" => "orange"
                                     , "b" => "banana"
                                     , "c" => "apple"
                                     )
                , "numbers" => array ( 1
                                     , 2
                                     , 3
                                     , 4
                                     , 5
                                     , 6
                                     )
                , "holes"   => array (      "first"
                                     , 5 => "second"
                                     ,      "third"
                                     )
                );

Objects

<?php
class foo
{
    function do_foo()
    {
        echo "Doing foo."; 
    }
}

$bar = new foo;
$bar->do_foo();
?>

Resource

A resource is a special variable, holding a reference to an external resource. Resources are created and used by special functions. See the appendix for a listing of all these functions and the corresponding resource types.

NULL

The special NULL value represents that a variable has no value. NULL is the only possible value of type NULL.

A variable is considered to be NULL if

• it has been assigned the constant NULL.

• it has not been set to any value yet.

• it has been unset().

$var = NULL;

Type Juggling

PHP does not require (or support) explicit type definition in variable declaration; a variable's type is determined by the context in which that variable is used. That is to say, if you assign a string value to variable var, var becomes a string. If you then assign an integer value to var, it becomes an integer.

An example of PHP's automatic type conversion is the addition operator '+'. If any of the operands is a float, then all operands are evaluated as floats, and the result will be a float. Otherwise, the operands will be interpreted as integers, and the result will also be an integer. Note that this does NOT change the types of the operands themselves; the only change is in how the operands are evaluated.

$foo = "0";  // $foo is string (ASCII 48)

$foo += 2;   // $foo is now an integer (2)
$foo = $foo + 1.3;  // $foo is now a float (3.3)
$foo = 5 + "10 Little Piggies"; // $foo is integer (15)
$foo = 5 + "10 Small Pigs";     // $foo is integer (15)

If the last two examples above seem odd, see String conversion.

If you wish to force a variable to be evaluated as a certain type, see the section on Type casting. If you wish to change the type of a variable, see settype().

If you would like to test any of the examples in this section, you can use the var_dump() function.

$foo = 10;   // $foo is an integer
$bar = (float) $foo;   // $bar is a float

$foo = (int) $bar;
$foo = ( int ) $bar;

$var = 'ciao';
$arr = (array) $var;
echo $arr[0];  // outputs 'ciao'

$var = 'ciao';
$obj = (object) $var;
echo $obj->scalar;  // outputs 'ciao'

Základy

Proměnné jsou v PHP reprezentovány znakem dolaru, následovaným názvem příslušné proměnné. V názvech proměnných se rozlišuje velikost písmen.

Názvy proměnných jsou podřízeny stejným pravidlům jako jiná návěští v PHP. Platný název proměnné začíná písmenem nebo podtržítkem, následovaným libovolným počtem písmen, číslic nebo potržítek. Jako regulární výraz to lze zapsat takto: '[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*'

$var = "Bob";
$Var = "Joe";
echo "$var, $Var";      // vypíše "Bob, Joe"

$4site = 'not yet';     // neplatné; začíná číslicí
$_4site = 'not yet';    // platné; začíná podtržítkem
$täyte = 'mansikka';    // platné; 'ä' je ASCII 228.

V PHP 3 mají proměnné vždy přiřazenu hodnotu. To znamená, že když přiřadíte výraz do proměnné, celá hodnota původního výrazu se zkopíruje do cílové proměnné. Tedy, například, po přiřazení hodnoty jedné proměnné do druhé, změna jedné z nich se na druhé neprojeví. Více informací o tomto způsobu přiřazení viz Výrazy.

PHP nabízí jiný způsob přiřazení hodnot proměnným: přiřazení odkazu. To znamená, že nová proměnná jednoduše odkazuje (jinými slovy, "stává se aliasem" nebo "ukazuje na") na původní proměnnou. Změny na nové proměnné se projeví na té původní a naopak. To také znamená, že se nic nekopíruje; proto je přiřazení rychlejší. Avšak toto zrychlení bude zjistitelné pouze v těsných cyklech nebo při přiřazování velkých polí či objektů.

Pro přiřazení odkazu stačí jednoduše před proměnnou, která bude přiřazována (zdrojová proměnná), předřadit ampersand (&). Například následující kus kódu vypíše dvakrát 'Jmenuji se Bob':

<?php
$foo = 'Bob';              // Přiřadí hodnotu 'Bob' do $foo
$bar = &$foo;              // Odkaz $foo přes $bar.
$bar = "Jmenuji se $bar";  // Změna $bar...
echo $bar;
echo $foo;                 // $foo je také změněno.
?>

Jednou z důležitých věcí, které je třeba si uvědomit, je to, že přes odkazy lze přiřazovat pouze pojmenované proměnné.

<?php
$foo = 25;
$bar = &$foo;      // Toto je platné přiřazení.
$bar = &(24 * 7);  // Neplatné; odkazuje se nepojmenovaný výraz.

function test()
{
   return 25;
}

$bar = &test();    // Neplatné.
?>

Předdefinované proměnné

PHP poskytuje velké množství předdefinovaných proměnných jakémukoli skriptu, který provádí. Mnoho těchto proměnných, bohužel, nemůže být plně zdokumentováno, protože závisejí na tom, na kterém serveru skript běží, na verzi a nastavení serveru a dalších faktorech. Některé z těchto proměnných nebudou dostupné, když PHP poběží z příkazové řádky. Seznam proměnných - viz sekce Předdefinované proměnné.

Od verze 4.1.0 poskytuje PHP sadu předdefinovaných polí, obsahujících proměnné WWW serveru (pokud to jde), prostředí a uživatelského vstupu. Tato nová pole mají tu zvláštnost, že jsou automaticky globální -- tedy např. automaticky dostupné v každém kontextu. Z tohoto důvodu jsou často známa jako "autoglobální" nebo "superglobální". (V PHP neexistuje mechanismus pro uživatelskou definici superglobálních proměnných). Superglobální proměnné jsou vypsány níže; pro seznam jejich obsahů a další diskusi o předdefinovaných proměnných v PHP a jejich charakteru však musíte nahlédnout do části Předdefinované proměnné.

Kontext ("scope") proměnné

Kontext proměnné je oblast, ve které je definována. Většina proměnných v PHP má pouze jediný kontext. Ten zahrnuje i soubory vložené pomocí "include" nebo "require". Například:

$a = 1;
include "b.inc";

Zde bude proměnná $a dostupná ve vloženém skriptu b.inc. Avšak uvnitř uživatelsky definovaných funkcí se zakládá jejich lokální kontext. Jakákoli proměnná použitá uvnitř funkce je implicitně omezena na tento místní kontext. Například:

$a = 1; /* globální kontext */ 

function Test()
{ 
    echo $a; /* odkaz na proměnnou v lokálním kontextu */ 
} 

Test();

Tento skript nevyprodukuje žádný výstup, protože konstrukt "echo" odkazuje na lokální verzi proměnné $a, a ta nemá v tomto kontextu přiřazenu žádnou hodnotu. Můžete si všimnout, že to je trochu jiné než v jazyce C, kde jsou globální funkce automaticky dostupné ve funkcích, pokud nejsou specificky zastíněny lokální definicí. To může způsobit problémy tím, že člověk může nechtěně změnit globální proměnnou. V PHP musí být globální proměnné deklarovány uvnitř funkce jako globální, pokud se v ní mají používat. Příklad:

$a = 1;
$b = 2;

function Sum()
{
    global $a, $b;

    $b = $a + $b;
} 

Sum();
echo $b;

Výše uvedený skript vytiskne "3". Deklarací $a a $b ve funkci jako globálních proměnných se dosáhne toho, že při odkazování na proměnné se pracuje s jejich globální verzí. Počet globálních proměnných, se kterými lze ve funkci manipulovat, není omezen.

Druhým způsobem, jak přistupovat k proměnným z globálního kontextu, je použití speciálního pole $GLOBALS, definovaného v PHP. Předchozí příklad lze přepsat:

$a = 1;
$b = 2;

function Sum()
{
    $GLOBALS["b"] = $GLOBALS["a"] + $GLOBALS["b"];
} 

Sum();
echo $b;

Pole $GLOBALS je asociativní pole s názvem globální proměnné jako klíčem a obsahem příslušné proměnné jako obsahem elementu pole.

Jinou důležitou vlastností rozlišování kontextů proměnných je možnost používání static proměnných. Statická proměnná existuje pouze v lokálním kontextu funkce, ale neztrácí svoji hodnotu, pokud provádění programu tento kontext opustí. Uvažujme následující příklad:

function Test ()
{
    $a = 0;
    echo $a;
    $a++;
}

Tato funkce je poněkud neužitečná, neboť při každém volání nastavuje $a na 0 a tiskne "0". Konstrukt $a++, který inkrementuje proměnnou, nemá žádný význam, protože při skončení vykonávání funkce se obsah proměnné $a ztrácí. Aby měla funkce skutečný význam čítače a hodnota se neztrácela, deklaruje se proměnná $a jako statická:

function Test()
{
    static $a = 0;
    echo $a;
    $a++;
}

Nyní se při každém volání funkce Test() vytiskne hodnota proměnné $a a inkrementuje se.

Statické proměnné také poskytují způsob, jak řešit rekurzívní funkce. Rekurzívní funkce je taková funkce, která volá sama sebe. Psaní rekurzívních funkcí je třeba věnovat zvláštní péči, protože může vzniknout nekonečný cyklus volání. Musíte se ujistit, že máte rekurzi adekvátně ukončenu. Následující jednoduchá funkce rekurzívně počítá do 10 za použití statické proměnné $count ke zjištění okamžiku pro ukončení:

function Test()
{
    static $count = 0;

    $count++;
    echo $count;
    if ($count < 10) {
        Test ();
    }
    $count--;
}

Proměnné s proměnnými názvy

Někdy je vhodné, aby se názvy proměnných mohly měnit, tj. aby mohly být dynamicky nastavovány a používány. Normální proměnná se nastavuje takovýmto konstruktem:

$a = "ahoj";

Proměnná s proměnným názvem vezme hodnotu proměnné a použije ji jako název proměnné. Ve výše uvedeném příkladu, ahoj lze použít jako název proměnné uvedením dvou symbolů dolaru:

$$a = "světe";

V této chvíli byly definovány dvě proměnné a byly uloženy do stromu symbolů PHP: $a s obsahem "ahoj" a $ahoj s obsahem "světe". Proto konstrukt:

echo "$a ${$a}";

provede přesně totéž jako:

echo "$a $ahoj";

tedy oba vyprodukují: ahoj světe.

Při použití proměnných s proměnnými názvy s poli musíte vyřešit problém víceznačnosti. Tj. když napíšete $$a[1], parser potřebuje vědět, máte-li na mysli použití $a[1] jako proměnné nebo chcete $$a jako proměnnou a potom index [1] v této proměnné. Syntaxe pro řešení této víceznačnosti je ${$a[1]} pro první případ a ${$a}[1] pro druhý.

Promměné zvenčí PHP

<input type="image" src="image.gif" name="sub">

setcookie("MyCookie[]", "Testing", time()+3600);

$Count++;
setcookie("Count", $Count, time()+3600);
setcookie("Cart[$Count]", $item, time()+3600);

echo $HOME;  /* Shows the HOME environment variable, if set. */

Aritmetické operátory

Vzpomínáte si na základní aritmetiku ze školy? Tohle je úplně stejné.

Operátor dělení ("/") vrací celočíselnou hodnotu (výsledek celočíselného dělení) právě tehdy, když oba operandy jsou celá čísla (nebo řetězce, které se dají převést na celá čísla) a podíl je celé číslo. Pokud některý z operandů celočíselný není nebo výsledek není celé číslo, vrátí se hodnota v plovoucí řádové čárce (float).

Operátory přiřazení

Základním přiřazovacím operátorem je "=". Mohli byste si zprvu myslet, že se jedná o "rovná se". Nikoliv. Skutečně to znamená, že se levému operandu přiřadí hodnota výrazu vpravo (tj. "nastav na", "přiřaď do" atd.).

Hodnotou výrazu přiřazení je hodnota, která se přiřazuje. Tj. hodnotou "$a = 3" je číslo 3. To vám umožňuje provádět různé triky:

$a = ($b = 4) + 5; // $a se ted rovná 9, a $b bylo nastaveno na 4.

Kromě základního operátoru přiřazení existují ještě "kombinované operátory" pro všechny binární aritmetické a řetězové operátory, které umožňují použít hodnotu ve výrazu a pak hodnotu tohoto výrazu přiřadit zpět. Například:

$a = 3;
$a += 5; // nastaví $a na hodnotu 8, jako kdybychom řekli: $a = $a + 5;
$b = "Ahoj ";
$b .= "tam!"; // nastaví $b na "Ahoj tam!", přesně tak, jako $b = $b . "tam!";

Uvědomte si, že přiřazení zkopíruje hodnotu původní proměnné do nové proměnné (přiřazení hodnoty), takže změny jedné z nich se na druhé proměnné neprojeví. To může mít význam také tehdy, když potřebujete zkopírovat něco jako obrovské pole uvnitř krátkého cyklu. PHP 4 podporuje přiřazení odkazem použitím syntaxe $var = &$othervar;, ale v PHP 3 to provést nelze. "Přiřazení odkazem" znamená, že obě proměnné ukazují na tatáž data a nic se nikam nekopíruje. Chcete-li se o odkazech dozvědět více, čtěte prosím Vysvětlení referencí.

Bitové operátory

Bitové operátory umožňují "přehodit" konkrétní bit v celočíselné hodnotě (integer) na jedničku nebo nulu. Pokud jsou jak levý, tak pravý parametr řetězce, pracují bitové operátory na znacích v těchto řetezcích.

<?php
    echo 12 ^ 9; // Vypíše '5'

    echo "12" ^ "9"; // Vypíše znak Backspace (ascii 8)
                     // ('1' (ascii 49)) ^ ('9' (ascii 57)) = #8

    echo "hallo" ^ "hello"; // Vypíše ascii hodnoty #0 #4 #0 #0 #0
                            // 'a' ^ 'e' = #4
?>

Operátory porovnání

Operátory porovnání, jak název napovídá, slouží k porovnání dvou hodnot.

Jiným podmínkovým operátorem je "?:" (ternární) operátor, který funguje stejně jako v C a mnohých jiných jazycích.

(expr1) ? (expr2) : (expr3);

Operátory řízení chyb

PHP podporuje jeden operátor řízení chyb: znak at (@). Když ho předřadíte výrazu v PHP, jakékoli chybové zprávy, které se mohou generovat ve výrazu, budou ignorovány.

Pokud je zapnutotrack_errors, budou se všechny chybové zprávy generované výrazem ukládat do globální proměnné $php_errormsg. Tato proměnná bude přepsána při každé chybě, takže ji testujte vždy co nejdříve, pokud ji chcete používat.

<?php
/* Intentional file error */
$my_file = @file ('non_existent_file') or
    die ("Failed opening file: error was '$php_errormsg'");

// this works for any expression, not just functions:
$value = @$cache[$key]; 
// will not issue a notice if the index $key doesn't exist.

?>

Viz také error_reporting().

Prováděcí operátory

PHP podporuje jeden prováděcí operátor: obrácené apostrofy (``). Uvědomte si, že to nejsou obyčejné apostrofy! PHP se pokusí provést obsah uzavřený mezi těmito znaky jako příkaz shellu; výstup je vrácen (tzn. nebude pouze vypsán na výstupů může být přiřazen proměnné).

$output = `ls -al`;
echo "<pre>$output</pre>";

Viz také escapeshellcmd(), exec(), passthru(), popen(), shell_exec(), a system().

Inkrementační/Dekrementační operátory

PHP podporuje pre- a post inkrementační a dekrementační operátory ve stylu C.

Zde je příklad jednoduchého skriptu:

<?php
echo "<h3&gt;Postinkrementace</h3&gt;";
$a = 5;
echo "Mělo by být 5: " . $a++ . "<br>\n";
echo "Mělo by být 6: " . $a . "<br>\n";

echo "<h3>Preinkrementace</h3>";
$a = 5;
echo "Mělo by být 6: " . ++$a . "<br>\n";
echo "Mělo by být 6: " . $a . "<br>\n";

echo "<h3>Postdekrementace</h3>";
$a = 5;
echo "Mělo by být 5: " . $a-- . "<br>\n";
echo "Mělo by být: " . $a . "<br>\n";

echo "<h3>Predekrementace</h3>";
$a = 5;
echo "Mělo by být 4: " . --$a . "<br>\n";
echo "Mělo by být 4: " . $a . "<br>\n";
?>

Logické operátory

Důvodem pro dvě různé varianty operátorů "and" a "or" je to, že mají jinou prioritu. (Viz Priorita operátorů.)

Priorita operátorů

Priorita operátoru specifikuje, jak "těsně" váže dva výrazy mezi sebou. Například výraz 1 + 5 * 3, výsledkem je 16 a nikoli 18, protože operátor násobení ("*") má vyšší prioritu než operátor sčítání ("+"). K vynucení priority můžeme v případě potřeby použít závorky. Kupř. (1 + 5) * 3 má hodnotu 18.

Následující tabulka ukazuje přehled operátorů vzestupně seřazených podle priority.

Řetězcové operátory

Existují dva řetezcové operátory. Jedním je operátor spojení ('.'), který vrací spojení pravého a levého argumentu. Druhým je operátor spojujícího přiřazení ('.='), jenž připojí argument na pravé straně k argumentu na straně levé. Pro více informací si laskavě přečtěte Operátory přiřazení.

$a = "Ahoj ";
$b = $a . "světe!"; // nyní $b obsahuje "Ahoj světe!"

$a = "Ahoj ";
$a .= "světe!";     // nyní $a obsahuje "Ahoj světe!"

if

Konstrukt if je jedním z nejdůležitějších prvků v mnoha jazycích, včetně PHP. Umožňuje podmíněné provádění kusu kódu. Struktura if v PHP je podobná struktuře v C:

if (expr)
    statement

Jak je popsáno v sekci o výrazech, výraz expr je ohodnoce svou boolovskou hodnotou. Poku je expr ohodnocen jako TRUE, PHP provede statement; je-li ohodnocen jako FALSE, neprovede se nic. Více informací o to, jak se výrazy ohodnocují jako FALSE najdete v části 'Konverze na typ boolean'.

Následující příklad by vypsal a je větší než b, pokud $a je větší než $b:

if ($a > $b)
    print "a je větší než b";

Často byste chtěli, aby se podmíněně prováděl více než jeden konstrukt. Není samozřejmě nutné každý konstrukt zabalit do struktury if. Místo toho můžete seskupit více konstruktů do bloku. Například tento kód by zobrazil a je větší než b, pokud $a je větší než $b a přiřadil by hodnotu $a do $b:

if ($a > $b) {
    print "a je větší než b";
    $b = $a;
}

Konstrukty if mohou být libovolně vnořovány do jiných konstruktů if, což poskytuje plnou flexibilitu podmíněného provádění různých částí programu.

else

Často také můžete chtít něco provádět, pokud je jistá podmínka splněna, a něco jiného, když splněna není. To umožňuje konstrukt else. else rozšiřuje konstrukt if o provádění kódu v případě, že výraz v konstruktu if je ohodnocen jako FALSE. Například následující kód vypíše a je větší než b, pokud $a je větší než $b, a a NENÍ větší než b v ostatních případech:

if ($a > $b) {
    print "a je větší než b";
} else {
    print "a NENÍ větší než b";
}

elseif

Jak název napovídá, elseif, je kombinací if a else. Stejně jako else, rozšiřuje konstrukt if k provádění odlišných konstruktů v případě, že jevýraz původního konstruktu if ohodnocen jako FALSE. Tedy, narozdíl od else, se provádí pouze tehdy, je-li výraz v podmínce elseif ohodnocen jako TRUE. Například následující kód vypíše a je větší než b, a se rovná b nebo a je menší než b: