Exploring PHP: Powering Dynamic Websites with Ease — Part 2

Advantage AI Engineering · May 10, 2026 · 14 min read

More PHP Q&A: files and variables, database safety, legacy magic quotes, strings, statics, references, password hashing, OpenSSL, serialization, and sessions—with notes on what still applies in modern PHP.

This is Part 2 of our PHP Q&A series. If you are new here, start with Part 1 (Exploring PHP: Powering Dynamic Websites with Ease) on this blog for foundations around syntax, MySQLi, and superglobals.

What does unlink() do?

unlink($path) deletes the file at the given path from the filesystem. It returns true on success or false on failure. When building tooling, always check permissions and confirm that the path does not point outside the intended directories.
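
One way to enforce the directory check before calling unlink(), as an added example that is not part of the original post. It assumes PHP 8.0+; deleteInside() and the temp-directory layout are hypothetical names constructed for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: delete $name only if it resolves to a regular file
// inside $baseDir. realpath() collapses ".." segments and follows symlinks.
function deleteInside(string $baseDir, string $name): bool
{
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false) {
        return false; // base or target does not exist
    }
    // Compare against "base/" so "/srv/uploads-old" never matches "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (!str_starts_with($target, $prefix) || !is_file($target)) {
        return false;
    }
    if (!is_writable(dirname($target))) {
        return false; // unlink() needs write access to the containing directory
    }
    return unlink($target);
}

// Constructed sample layout under the system temp directory.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'unlink_demo_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'report.txt', 'inside');
file_put_contents($root . DIRECTORY_SEPARATOR . 'config.ini', 'outside');

// One file inside the base, one traversal out of it, one missing file.
foreach (['report.txt', '../config.ini', 'missing.txt'] as $name) {
    printf("%-15s deleted=%s\n", $name, var_export(deleteInside($uploads, $name), true));
}
$configPath = $root . DIRECTORY_SEPARATOR . 'config.ini';
printf("config.ini still present=%s\n", var_export(is_file($configPath), true));

// Remove the constructed files.
unlink($configPath);
rmdir($uploads);
rmdir($root);
```

The check and the delete are two separate steps, so the base directory itself should not be writable by untrusted users who could swap a path in between.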

What does unset() do?

unset($var) destroys a variable in the current scope (or an offset inside an array). After unset, isset($var) is false for simple variables. It is about symbol-table cleanup, not deleting files.

How should you prepare data for the database?

Modern PHP centers on prepared statements with bound parameters (PDO or mysqli). The database driver separates SQL structure from user data, which prevents SQL injection far more reliably than manual escaping. addslashes() or mysql_escape_string-style workflows belong to legacy code—avoid them for new applications.
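
The difference between spliced and bound input, as an added example that is not part of the original post. It assumes the pdo_sqlite extension; the users table, its rows and the function names are constructed for the demo.

```php
<?php
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)');
$insert = $pdo->prepare('INSERT INTO users (email, role) VALUES (?, ?)');
foreach ([['alice@example.test', 'admin'], ['bob@example.test', 'user']] as $row) {
    $insert->execute($row);
}

// Pattern to avoid: user input becomes part of the SQL text itself.
function findConcatenated(PDO $pdo, string $email): array
{
    $sql = "SELECT email, role FROM users WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL structure is fixed, the value travels separately.
function findPrepared(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT email, role FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers cannot be bound as parameters, so a sort column is picked
// from a fixed allowlist instead of being taken from the request.
function listSorted(PDO $pdo, string $sortBy): array
{
    $columns = ['email' => 'email', 'role' => 'role'];
    $column  = $columns[$sortBy] ?? 'email';
    return $pdo->query("SELECT email, role FROM users ORDER BY $column")
               ->fetchAll(PDO::FETCH_ASSOC);
}

$input = "x' OR '1'='1"; // constructed input containing SQL metacharacters
printf("concatenated query: %d row(s)\n", count(findConcatenated($pdo, $input)));
printf("prepared statement: %d row(s)\n", count(findPrepared($pdo, $input)));
printf("sort by unknown key: %d row(s)\n", count(listSorted($pdo, 'no_such_column')));
```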

What about stripslashes()?

stripslashes() removes backslashes added by addslashes() or by the old “magic quotes” feature. If you still maintain legacy data that was double-escaped, you might see it in migrations—but do not design new flows around stripslashes.

Magic quotes and automatic escaping

Magic quotes auto-escaped incoming GET/POST/COOKIE data in ancient PHP. That feature was deprecated and removed years ago (gone entirely since PHP 5.4). Do not attempt to “enable magic quotes” in php.ini on supported PHP versions—they no longer exist. get_magic_quotes_gpc() was removed in PHP 7.4; tutorials referencing it are obsolete.

Removing HTML from strings

strip_tags($html, $allowedTags) strips HTML and PHP tags. Optionally allow a whitelist of tags. Be cautious: it is not a complete XSS defense—combine with proper escaping on output and validation on input for rich text.
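
Why strip_tags() alone is not enough, shown next to output escaping, as an added example that is not part of the original post. It assumes PHP 8.0+; e() and renderLimitedMarkup() are hypothetical helpers and the comment string is constructed.

```php
<?php
declare(strict_types=1);

// Escape for an HTML text or quoted-attribute context at output time.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape everything first, then re-enable only attribute-free pairs of
// allowlisted tags. A tag that carries any attribute stays escaped.
function renderLimitedMarkup(string $input, array $tags = ['b', 'i', 'em', 'strong']): string
{
    $names = implode('|', array_map(fn (string $t): string => preg_quote($t, '/'), $tags));
    $out   = e($input);
    do {
        // Repeat so nested pairs such as <b><i>x</i></b> are restored too.
        $before = $out;
        $out    = preg_replace("/&lt;($names)&gt;(.*?)&lt;\/\\1&gt;/s", '<$1>$2</$1>', $out);
    } while ($out !== null && $out !== $before);

    return $out ?? e($input); // fall back to fully escaped text on a regex error
}

// Constructed sample comment.
$comment = '<b onmouseover="alert(1)">hi</b> <i>there</i><script>alert(2)</script>';

// strip_tags() keeps every attribute on an allowed tag and keeps the text
// that was between removed tags.
echo "strip_tags:    ", strip_tags($comment, '<b><i>'), "\n";

// Plain-text rendering: nothing in the input is treated as markup.
echo "escaped:       ", e($comment), "\n";

// Limited rich text: only bare allowlisted tags come back as markup.
echo "limited markup: ", renderLimitedMarkup($comment), "\n";
```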

Static variables inside functions

Declaring static $counter inside a function initializes it only on first entry; later calls retain its value. Useful for memoization, counters, or singleton-style caching inside procedural helpers.

Sharing variables across functions with global

The global keyword imports a variable from the global scope into a function’s scope. It works, but tight coupling makes testing harder; prefer passing dependencies explicitly or using classes with injected dependencies.

Returning values from functions

Use return $value; to send a result back to the caller. Functions may declare return types (: string, : void, union types, etc.) for safer contracts in PHP 7+.

Hashing passwords safely

Use password_hash() with PASSWORD_DEFAULT (bcrypt today; algorithm may evolve) or PASSWORD_ARGON2ID where available, and verify with password_verify(). Fast digests like MD5, SHA-1, or raw SHA-256 are inappropriate for passwords—they were designed for speed, which helps attackers. crypt() and hash() still matter for non-password cryptography, but user passwords belong to the password_* API.
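
A login check that also upgrades older hashes with password_needs_rehash(), as an added example that is not part of the original post. The cost value, function names and sample passwords are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical policy for this demo: PASSWORD_DEFAULT (bcrypt today) at cost 12.
const HASH_OPTIONS = ['cost' => 12];

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

/**
 * Verify a login attempt. Returns [ok, newHash]; newHash is non-null when the
 * stored hash used older parameters and should be replaced in the database.
 */
function verifyLogin(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $newHash = password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)
        ? hashPassword($password)
        : null;

    return [true, $newHash];
}

// Constructed records: one hash under the current policy, one created
// earlier with a lower cost.
$password = 'correct horse battery staple';
$records  = [
    'current policy' => hashPassword($password),
    'older cost'     => password_hash($password, PASSWORD_BCRYPT, ['cost' => 6]),
];

foreach ($records as $label => $stored) {
    [$ok, $upgrade] = verifyLogin($password, $stored);
    printf("%-15s ok=%s rehash=%s\n", $label, var_export($ok, true), var_export($upgrade !== null, true));
}

[$ok] = verifyLogin('wrong guess', $records['current policy']);
printf("%-15s ok=%s\n", 'wrong password', var_export($ok, true));
```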

Digital signatures in PHP

The OpenSSL extension exposes signing, verification, encryption, and certificate parsing—common when integrating TLS or signing payloads. Enable openssl in php.ini and follow upstream docs for key formats.
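
Signing and verifying a payload with the OpenSSL extension, as an added example that is not part of the original post. It assumes PHP 8.0+ with openssl loaded; the key pair is generated on the fly and the payload and function names are constructed for the demo.

```php
<?php
declare(strict_types=1);

function signPayload(string $payload, OpenSSLAsymmetricKey $privateKey): string
{
    if (!openssl_sign($payload, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return base64_encode($signature);
}

function verifyPayload(string $payload, string $signatureB64, string $publicKeyPem): bool
{
    $signature = base64_decode($signatureB64, true);
    if ($signature === false) {
        return false; // not valid base64
    }
    // openssl_verify() returns 1 (valid), 0 (invalid), or -1/false on error.
    // -1 is truthy in PHP, so only an exact 1 may count as success.
    return openssl_verify($payload, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Demo key pair; real private keys come from protected storage.
$privateKey = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($privateKey === false) {
    throw new RuntimeException('key generation failed');
}
$publicKeyPem = openssl_pkey_get_details($privateKey)['key'];

$payload  = '{"order":1001,"amount":"25.00"}'; // constructed sample payload
$sig      = signPayload($payload, $privateKey);
$tampered = str_replace('25.00', '95.00', $payload);

$cases = [
    'original payload'    => [$payload, $sig],
    'modified payload'    => [$tampered, $sig],
    'malformed signature' => [$payload, 'not base64!'],
];
foreach ($cases as $label => [$body, $signature]) {
    printf("%-20s accepted=%s\n", $label, var_export(verifyPayload($body, $signature, $publicKeyPem), true));
}
```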

Defining constants

define('NAME', value, case_insensitive_deprecated) creates constants at runtime. The const NAME = value; form resolves at compile time inside namespaces/classes. Pick const inside classes for clarity.

Passing variables by reference

Prefix parameters or assignments with &: function increment(&$n) { $n++; } or $alias = &$original;. References share storage; misuse can cause subtle bugs, so use sparingly.

Comparing integers and numeric strings

PHP’s loose operators == and != coerce operands. For example, (12 == "12") is true because the string is cast to a number. Strict === compares without type juggling; use it when you care about exact types. Your interview snippet comparing 12 and "13" yields false because both normalize to the integers 12 and 13.

Explicit type casts

Prefix expressions with (int), (float), (bool), (string), (array), (object), (unset), or use specialized functions. Older aliases like (integer) still parse but prefer short forms.

Alternative syntax: endif

When an if statement uses the colon style—if ($x): ... endif;—PHP expects endif to close the block instead of braces. Common in mixed PHP/HTML templates.

Ternary operator

condition ? exprIfTrue : exprIfFalse evaluates the condition once and picks a branch. PHP 8 also offers the null-safe and match constructs for clearer logic when expressions grow complex.

func_num_args() and friends

Inside a user-defined function, func_num_args() counts arguments passed. func_get_arg($i) reads one position; func_get_args() returns them all as an array—handy for wrappers before variadic parameters (...) became ubiquitous.

Variable variables ($$name)

If $var1 = 10 and $var2 = "var1", then $$var2 resolves to $var1 and yields 10. This is powerful for dynamic property access but dangerous if fed untrusted input, so sanitize keys before using variable variables.

The scope resolution operator (::)

ClassName::method() calls static methods or refers to static properties; parent::method() reaches upward in inheritance; ClassName::CONST accesses class constants. An object is not required for static members.

Are objects passed by value or by reference?

Since PHP 5, passing an object passes an internal object handle—both caller and callee refer to the same object instance. Assigning the parameter to another variable without cloning shares that identity. Cloning ($copy = clone $obj) produces a shallow duplicate. Interview answers claiming “pure pass-by-value copies of objects” are outdated.

Parent constructors

Child constructors do not automatically invoke parent::__construct(). Call parent::__construct(...) explicitly when you need inherited initialization.

__sleep() and __wakeup()

serialize() triggers __sleep(), which should return the list of property names to persist. unserialize() triggers __wakeup() to reconnect resources or rehydrate derived state. Prefer __serialize/__unserialize on newer PHP for structured control.
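
A class that uses __sleep() to keep a secret and a stream handle out of the serialized payload and __wakeup() to restore them, as an added example that is not part of the original post. It assumes PHP 8.0+; ReportJob, the REPORT_API_TOKEN environment variable and the token value are hypothetical, and the allowed_classes option of unserialize() is an addition the post does not mention.

```php
<?php
declare(strict_types=1);

final class ReportJob
{
    /** @var resource|null open log stream; resources cannot be serialized */
    private $log = null;

    public function __construct(
        public string $name,
        private string $logPath,
        private string $apiToken // secret that must not land in the payload
    ) {
        $this->log = fopen($this->logPath, 'ab');
    }

    public function __sleep(): array
    {
        // Persist plain state only; the token and the stream are left out.
        return ['name', 'logPath'];
    }

    public function __wakeup(): void
    {
        // Re-read the secret from the environment and reopen the stream.
        $this->apiToken = (string) getenv('REPORT_API_TOKEN');
        $this->log      = fopen($this->logPath, 'ab');
    }

    public function hasOpenLog(): bool
    {
        return is_resource($this->log);
    }
}

$path    = tempnam(sys_get_temp_dir(), 'job');               // constructed log file
$job     = new ReportJob('nightly', $path, 'constructed-token-value');
$payload = serialize($job);
printf("token present in payload=%s\n", var_export(str_contains($payload, 'constructed-token-value'), true));

// Restrict which classes unserialize() may instantiate.
$restored = unserialize($payload, ['allowed_classes' => [ReportJob::class]]);
printf("restored class=%s log reopened=%s\n", get_class($restored), var_export($restored->hasOpenLog(), true));

unset($job, $restored); // release the stream handles before removing the file
unlink($path);
```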

What is a session?

A session ties a client to server-side storage (default: files; alternatives: Redis, database) using a session cookie or equivalent. session_start() loads $_SESSION for multi-request state like carts or authentication tokens. Always regenerate the session ID after a change in privilege level, such as a login.
