Exploring PHP: Powering Dynamic Websites with Ease — Part 3

Advantage AI Engineering · May 11, 2026 · 14 min read

Sessions, superglobals, upload handling, operators, exceptions, and ini parsing—more PHP Q&A with modern notes on cookies, session lifetime, and removed session APIs.

Part 3 continues our PHP Q&A path. If you are joining here, read Part 1 and Part 2 on this blog for database basics, security, and language mechanics from earlier lists.

How do you start a session?

Call session_start() before any output is sent to the browser. It creates or resumes a session and populates $_SESSION. Place it at the top of your front controller or bootstrap so headers stay valid.

How is a session ID propagated?

By default PHP prefers a session cookie (session.cookie_* settings). Historically the session ID could appear in URLs when session.use_only_cookies was off. That leaks IDs in logs and referrer headers and makes session fixation easier. Modern deployments should rely on cookies only (HTTPS, Secure, HttpOnly, SameSite).

What is a persistent cookie?

Session cookies expire when the browser ends unless you set an expiration time or Max-Age. A persistent cookie stores an Expires or Max-Age attribute so it survives browser restarts until that deadline—not literally forever, but longer-lived than a pure session cookie.

When does a session end?

The PHP script ends after each HTTP request, but server-side session data usually persists in storage until garbage collection (session.gc_* and session cookie lifetime) or you call session_destroy(). session_write_close() ends the current script’s write lock and persists changes early—useful before long tasks. Do not confuse “request finished” with “session deleted.”

session_unset() and legacy session_unregister()

session_unset() clears all session variables and appears mostly in older guidance; today you typically unset($_SESSION['key']) or assign $_SESSION = [] before session_destroy() when logging out. session_unregister() was removed in PHP 5.4, so avoid any tutorial that still references it.

$GLOBALS

$GLOBALS is a superglobal associative array referencing every global variable in scope, keyed by name. Use sparingly—explicit dependency injection or passing parameters keeps code clearer.

$_SERVER

$_SERVER carries request metadata: HTTP headers (often REDIRECT_ or HTTP_* keys), script paths, request method, host, HTTPS flags, and more. Values depend on the web server—never trust REMOTE_ADDR alone for security without proxy awareness.
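
What "proxy awareness" can look like, as an added example that is not from the original post: the forwarded header is honored only when the direct peer is a known proxy. The function client_ip(), the proxy address list, and the assumption that the proxy sets X-Forwarded-For are all illustrative; the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Added example; client_ip() and $trustedProxies are hypothetical names.
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Only a known proxy is allowed to speak for the client.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));

    // Walk right to left: the rightmost entries were appended by our own
    // proxies; everything left of the first untrusted hop is client-supplied.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;              // malformed or empty entry: fall back to the peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed sample requests (documentation address ranges).
$proxies = ['10.0.0.5'];
$direct  = ['REMOTE_ADDR' => '203.0.113.9',
            'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7'];

var_dump(client_ip($direct, $proxies));   // header ignored: peer is not a proxy
var_dump(client_ip($proxied, $proxies));  // hop appended by the trusted proxy
```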

$_FILES

When the browser submits multipart/form-data, PHP fills $_FILES with metadata per input name: original filename, MIME type, temporary path, error code, and byte size. Always validate type and size server-side, and use move_uploaded_file() to move the file from tmp_name into a controlled directory.

name vs tmp_name in $_FILES

['name'] is the client-provided filename (can be spoofed). ['tmp_name'] is the server-staged upload path PHP manages until you move or discard it. Never trust ['name'] for filesystem paths—sanitize and generate your own safe names.

Upload error codes

Each entry includes ['error']; UPLOAD_ERR_OK (0) means success. Other constants describe size limits, partial uploads, or missing files—branch on them before processing.
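
The three $_FILES answers above (validation, name vs tmp_name, error codes) as a single added example, not code from the original post. The function store_upload(), the allow-list, the size cap and the destination directory are assumptions; content sniffing uses the fileinfo extension.

```php
<?php
declare(strict_types=1);

// Added example; names and limits below are hypothetical.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
const MAX_BYTES     = 2 * 1024 * 1024;

function store_upload(array $file, string $destDir): string
{
    // An array here means the field was sent as name[]; reject rather than guess.
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload');
    }
    switch ($file['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('File exceeds size limit');
        case UPLOAD_ERR_PARTIAL:
            throw new RuntimeException('Upload was interrupted');
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('No file sent');
        default:
            throw new RuntimeException('Upload failed, code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File exceeds size limit');
    }
    // Detect the type from the bytes; $file['type'] is supplied by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('Type not allowed');
    }
    // Server-generated name: $file['name'] never reaches the filesystem path.
    $name   = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $target = rtrim($destDir, '/') . '/' . $name;
    // move_uploaded_file() refuses sources that are not genuine HTTP uploads.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store upload');
    }
    return $target;
}

// In a request handler: $path = store_upload($_FILES['avatar'], '/srv/app/uploads');
```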

Raising upload limits

The php.ini settings upload_max_filesize and post_max_size (post_max_size must be >= upload_max_filesize), plus memory_limit and max_file_uploads, control how large multipart bodies may be. Restart PHP-FPM or Apache after edits.

$_ENV

$_ENV exposes variables imported from the process environment when variables_order includes “E.” Many frameworks read DATABASE_URL-style values directly from getenv() instead.

$_COOKIE

$_COOKIE contains cookies the client sent with the request. setcookie() or setrawcookie() schedules outgoing cookies for later responses; HttpOnly and Secure flags reduce theft and leakage.

Variable scope in PHP

Variables defined at file scope behave like script globals when no function boundary exists; inside functions, locals are separate unless you import globals or use static parameters. Including another file runs it in the same scope unless you wrap code in functions or namespaces—so top-level variables leak across includes unless disciplined.

Bitwise AND (&) vs logical AND (and / &&)

$a & $b performs a bitwise AND on the integer operands, bit by bit. The and / && operators perform Boolean logic with short-circuiting (&& has higher precedence than and, so prefer && for conditions). Do not mix them accidentally in permission masks.
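
The permission-mask mix-up mentioned above, shown side by side as an added example (not from the original post). The PERM_* flags and both function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed permission flags; names are hypothetical.
const PERM_READ   = 0b001;
const PERM_WRITE  = 0b010;
const PERM_DELETE = 0b100;

// Buggy: && only asks whether both operands are truthy, so any non-zero
// permission set passes a check for any non-zero flag.
function can_buggy(int $granted, int $required): bool
{
    return $granted && $required;
}

// Correct: mask with &, then compare strictly so that every required bit
// must be present in the granted set.
function can(int $granted, int $required): bool
{
    return ($granted & $required) === $required;
}

$readOnly = PERM_READ;

var_dump(can_buggy($readOnly, PERM_DELETE));          // read-only user, delete check
var_dump(can($readOnly, PERM_DELETE));                // same check with the mask
var_dump(can(PERM_READ | PERM_WRITE, PERM_WRITE));    // flag actually granted
var_dump(can(PERM_READ, PERM_READ | PERM_WRITE));     // only one of two required bits
```

Comparing the masked value to $required with === (instead of testing it for truthiness) is what makes multi-bit requirements work.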

String operators

. concatenates two strings; .= appends to an existing variable. PHP does not use + for string concatenation.

!= versus !==

!= performs loose inequality with type juggling; !== compares both value and type. Prefer strict checks when null, false, and empty strings must be distinguished.

instanceof

$obj instanceof ClassName returns true when the object is an instance of that class or interface (respecting inheritance). Useful before calling type-specific APIs.

goto

goto label; jumps to label: within the same function or file scope per PHP rules. It can simplify generated code but usually hurts readability—use structured loops or exceptions instead in application code.

Exception introspection

getMessage() returns the human-readable message; getLine() reports the source line where the throw occurred. __toString() on Exception produces a string summary for logs (behavior evolves slightly across PHP versions; consult the manual). Also useful: getFile(), getTraceAsString().

parse_ini_file()

parse_ini_file($path, process_sections, scanner_mode) reads .ini-style configuration into arrays or nested arrays when sections exist. INI_SCANNER_TYPED coerces booleans and numbers when possible.

isset()

isset($var) is true when the variable exists and is not null. array_key_exists differs for null values inside arrays—pick the helper that matches your intent.

strstr() vs stristr()

strstr($haystack, $needle, before_needle) finds the first occurrence; stristr() is the case-insensitive variant. PHP 8+ changes needle semantics—pass explicit strings and watch empty-needle edge cases.

for vs foreach

for loops suit numeric iteration or complex exit conditions. foreach ($arr as $k => $v) walks arrays (and objects implementing Traversable / Iterator). foreach copies arrays by value unless you use reference syntax—mind performance on huge structures.
