Learn PHP Programming
Master PHP programming from basics to advanced concepts with our comprehensive tutorial series. Perfect for beginners and web developers.
PHP Forms
Forms are the primary way users send data to your server. PHP handles form submissions through the $_GET and $_POST superglobals, but proper validation and security are essential to process that data safely.
GET vs POST Methods
<?php
// GET: Data appears in URL - use for searches, filters, pagination
// URL: search.php?q=php+tutorials&page=2
$query = filter_input(INPUT_GET, 'q', FILTER_SANITIZE_SPECIAL_CHARS) ?? '';
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT) ?: 1;
echo "Searching for: " . htmlspecialchars($query) . " (page $page)";
// POST: Data in request body - use for creating/modifying data
// Form data not visible in URL, no length limit
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS);
$password = $_POST['password'] ?? '';
// Process login...
}
?>
GET is for retrieving data — it's bookmarkable, cacheable, and visible in the URL. POST is for submitting data that changes state — it's not cached and has no size limit. Never use GET for sensitive data like passwords.
Complete Form with Validation
<?php
$errors = [];
$success = false;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// Validate name
$name = trim(filter_input(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS));
if (empty($name) || strlen($name) < 2) {
$errors[] = 'Name must be at least 2 characters.';
}
// Validate email
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if ($email === false) {
$errors[] = 'Please enter a valid email address.';
}
// Validate message
$message = trim(filter_input(INPUT_POST, 'message', FILTER_SANITIZE_SPECIAL_CHARS));
if (empty($message) || strlen($message) < 10) {
$errors[] = 'Message must be at least 10 characters.';
}
// Process if no errors
if (empty($errors)) {
// Save to database or send email
$success = true;
}
}
?>
<!-- HTML Form -->
<form method="post" action="">
<input type="text" name="name" value="<?= htmlspecialchars($name ?? '') ?>" required>
<input type="email" name="email" value="<?= htmlspecialchars($email ?? '') ?>" required>
<textarea name="message" required><?= htmlspecialchars($message ?? '') ?></textarea>
<button type="submit">Send Message</button>
</form>
Always validate server-side even if you have client-side validation. Use htmlspecialchars() when echoing values back into HTML to prevent XSS. Repopulate fields on error so users don't lose their input.
File Upload with $_FILES
<?php
// HTML: <form method="post" enctype="multipart/form-data">
// <input type="file" name="avatar">
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['avatar'])) {
$file = $_FILES['avatar'];
// Check for upload errors
if ($file['error'] !== UPLOAD_ERR_OK) {
die('Upload failed with error code: ' . $file['error']);
}
// Validate file size (max 2MB)
if ($file['size'] > 2 * 1024 * 1024) {
die('File too large. Maximum size is 2MB.');
}
// Validate file type by MIME (don't trust extension alone)
$allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mimeType = finfo_file($finfo, $file['tmp_name']);
finfo_close($finfo);
if (!in_array($mimeType, $allowedTypes)) {
die('Invalid file type. Only JPEG, PNG, and GIF allowed.');
}
// Generate safe filename and move
$ext = pathinfo($file['name'], PATHINFO_EXTENSION);
$safeName = bin2hex(random_bytes(16)) . '.' . $ext;
$destination = __DIR__ . '/uploads/' . $safeName;
if (move_uploaded_file($file['tmp_name'], $destination)) {
echo "File uploaded as: $safeName";
}
}
?>
File uploads require enctype="multipart/form-data" on the form. Always verify the MIME type using finfo (not the file extension), limit file size, and generate random filenames to prevent overwriting and directory traversal attacks.
CSRF Protection
<?php
session_start();
// Generate token on GET request (showing the form)
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
// Verify token on POST request (processing the form)
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$token = $_POST['csrf_token'] ?? '';
if (!hash_equals($_SESSION['csrf_token'] ?? '', $token)) {
http_response_code(403);
die('Invalid CSRF token. Please refresh and try again.');
}
// Token valid - process form safely
unset($_SESSION['csrf_token']); // One-time use
}
?>
<!-- Include token in every form -->
<form method="post">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<!-- other fields -->
</form>
CSRF (Cross-Site Request Forgery) tricks users into submitting forms on your site from malicious pages. A unique token per session ensures the form submission came from your site. Use hash_equals() for timing-safe comparison.
Key Takeaways
- Always validate server-side — client-side validation is for UX, not security.
- Use
htmlspecialchars()when outputting any user-supplied data to HTML to prevent XSS. - Sanitize inputs with
filter_input()and validate them against expected formats and ranges. - Protect forms with CSRF tokens — every state-changing form needs one.
- For file uploads, validate MIME type, limit size, use random filenames, and store outside the web root when possible.
Best Practice
Apply the principle of defense in depth: validate data type, check business rules, sanitize for output context (HTML, SQL, URL), and use CSRF tokens. Each layer catches what others might miss. Frameworks like Laravel handle CSRF and validation automatically — use them in production.
Frequently Asked Questions
PHP Programming Tutorial — Learn PHP from Scratch
PHP (PHP: Hypertext Preprocessor) is the most widely-used server-side scripting language for web development. It powers over 77% of all websites with known server-side languages, including WordPress, Facebook, Wikipedia, and Slack. This comprehensive tutorial series takes you from complete beginner to confident PHP developer with hands-on examples you can run and modify.
Each topic in this tutorial includes multiple runnable code examples with line-by-line explanations, best practice tips, and navigation to the next logical concept. Whether you are learning PHP for the first time or refreshing your knowledge of a specific feature, every page is designed to give you practical, immediately-usable code.
What You Will Learn in This PHP Tutorial
- Basics: Syntax, variables, constants, data types, operators
- Strings & Arrays: Manipulation, searching, sorting, multidimensional arrays
- Control Flow: if/else, switch, for, while, foreach loops
- Functions: Parameters, return values, scope, anonymous functions
- Superglobals: $_GET, $_POST, $_SESSION, $_COOKIE, $_SERVER
- Forms: Handling user input, validation, file uploads
- File Handling: Reading, writing, and manipulating files
- Sessions & Cookies: User state management across requests
- OOP: Classes, objects, inheritance, interfaces, traits
- Error Handling: try/catch, custom exceptions, error reporting
- Database: MySQL connection, CRUD operations, prepared statements
- Security: SQL injection prevention, XSS, CSRF, password hashing
Why Learn PHP in 2026?
Despite the rise of Node.js and Python, PHP remains the backbone of web development for compelling reasons:
- Job market demand: Thousands of PHP developer positions available globally. WordPress alone powers 43% of all websites and requires PHP.
- Framework ecosystem: Laravel (the most popular web framework), Symfony, CodeIgniter, and Slim provide professional-grade tooling.
- Low barrier to entry: Shared hosting supports PHP out of the box. No complex server configuration needed to get started.
- PHP 8.x improvements: JIT compiler, named arguments, match expressions, union types, fibers — modern PHP is fast and expressive.
- CMS dominance: WordPress, Drupal, Joomla, Magento, WooCommerce all run on PHP. Knowing PHP gives you access to this entire ecosystem.
- Freelancing opportunities: PHP projects dominate freelance platforms. Many small businesses need WordPress customisation and PHP-based solutions.
PHP Version History (Key Milestones)
| Version | Year | Key Features |
|---|---|---|
| PHP 5.0 | 2004 | Full OOP support, PDO, improved XML |
| PHP 7.0 | 2015 | 2x speed improvement, scalar type declarations, null coalesce operator |
| PHP 7.4 | 2019 | Arrow functions, typed properties, preloading |
| PHP 8.0 | 2020 | JIT compiler, named arguments, match expression, union types, attributes |
| PHP 8.1 | 2021 | Enums, fibers, readonly properties, intersection types |
| PHP 8.2 | 2022 | Readonly classes, DNF types, deprecate dynamic properties |
| PHP 8.3 | 2023 | Typed class constants, json_validate(), #[Override] attribute |
How to Get Started with PHP
- Install a local environment — download XAMPP (Windows/Mac/Linux) or Laravel Valet (Mac). This gives you Apache, PHP, and MySQL in one package.
- Create your first file — make a file called
index.phpin your web root and add:<?php echo "Hello, World!"; ?> - Run it in browser — start Apache and visit
http://localhost/index.phpto see output. - Follow this tutorial series — work through each topic in order, running every example on your local setup.
- Build a project — after completing basics through OOP, build a simple CRUD app (todo list, blog, or contact form) to solidify your knowledge.
Frequently Asked Questions
Basic HTML knowledge is helpful since PHP is often embedded in HTML pages. You do not need to be an HTML expert — understanding tags, forms, and page structure is enough to start.
Yes. PHP and React serve different roles. React is frontend; PHP is backend. Laravel (PHP) is often used as the API backend for React frontends. WordPress (PHP) powers 43% of the web. The job market for PHP developers remains strong.
Laravel is the most popular and has the best documentation, ecosystem, and community. Learn core PHP first (this tutorial), then move to Laravel. Other options: Symfony (enterprise), CodeIgniter (lightweight), Slim (microframework for APIs).
Yes. Use our free online code editors to write and execute PHP code directly in your browser. This is perfect for learning and testing snippets without local setup.
Who Is This Tutorial For?
Complete beginners who want to learn their first programming language for web development. Self-taught developers filling gaps in their PHP knowledge. Students preparing for web development courses or exams. WordPress developers who want to understand the PHP underneath themes and plugins. Backend developers from other languages (Python, Node.js) learning PHP for a new project. Anyone preparing for PHP developer job interviews.
Master PHP Programming with Our Comprehensive Tutorial
Our PHP programming tutorial is designed to take you from a complete beginner to an advanced PHP developer. Whether you're looking to build dynamic websites, create web applications, or start a career in web development, this tutorial series provides everything you need to succeed.
What You'll Learn
- PHP fundamentals and syntax
- Variables, data types, and operators
- Control structures and loops
- Functions and arrays
- Object-oriented programming
- Database integration with MySQL
- Web forms and user input handling
- Security best practices
PHP remains one of the most popular programming languages for web development, powering millions of websites worldwide. Our tutorial includes practical examples, real-world projects, and best practices to ensure you learn not just the syntax, but how to write clean, efficient, and secure PHP code.