PHP Reference Book Blog

Every time I was debugging my pages I found myself searching around for this little chunk of code. So, I put in the book so it was always nearby. Since people still search google endlessly, I thought I would provide it here as well. If you wish to see all the PHP errors and warnings in your script, include the following bit of code:

error_reporting(E_ALL);
ini_set('display_errors', '1');

Now, continue to beat your head against your keyboard while you continue to hunt down your missing semicolon or closing parenthesis.

We’ve all seen them:

• \n - new line
• \r - carriage return
• \t - tab
• \b - backspace

But many wonder when to use them or more specifically, why they aren’t working as expected. So let’s address the basic usage and rules.

Rule #1: When using a formatting character in your code, it must be within “double quotations” otherwise it will be taken as a literal backslash and letter.

When do you use it? When writing to a file with fwrite() or file_put_contents(), sending a text email with mail(), or when adding formatting to pre-populated data in the form element <textarea>. Now, notice I made no mention of HTML output directly. While it’s possible to represent new line, tab, carriage return in HTML if it is within the preformatted tags <pre></pre>, in most cases these tags are not present and HTML will ignore these formatting characters.

Rule #2: Not all computer systems obey the formatting characters the same. When using \n (new line), also include a carriage return (\r) character.

So what do you do if you have a paragraph, for instance submitted by a <textarea> form, that is preformatted and want it to display in the HTML with the \n (new line) breaks represented? That’s when you toss the string into the function nl2br(), which changes all \n to the xhtml line break <br />.

Example:

echo nl2br("Hello\n\rWorld\n\r!!!");

Results:

Hello
World
!!!

From the book:

For MySQL security, you can use sprintf() to force user input to have a maximum length and be valid for the structure of your database. Use the precision specifier to automatically parse the string submitted by GET or POST.

sprintf(formatting, inputs [, ...inputs...]

Accepts multiple inputs to be used when specified in formatting

formatting – $string, specific formatting string, explained below
inputs – $scalar(s) to be formatted

Returns a formatted string formatting, using the inputs to dynamically input their values into the formatted string using a preset set of rules, specified below.

The following is the available nomenclature for the formatting input.

---

Every time an input is expected to be used and evaluated as part of the formatted string, it is preceded by a percent sign ( % ), followed by the specifiers/rules:
Note: All specifiers, excluding the type specifier, are optional.

• A sign specifier. Placing a plus sign ( + ) forces negative AND positive signs to be visible (only negative values are specified by default).

• A padding specifier. The default is a space, and does not need to be specified. A zero ( 0 ) can be used as well without any secondary notation. If any other character is to be used, it should be preceded with a single quote ( ‘ ).

• An alignment specifier. The default is right-justified (thus padding is placed on the left of the string). Placing a dash/subtract ( - ) will set it to left-justified.

• A width specifier. This integer determines the minimum length in characters the output should be. When combined with padding, the specified width minus the input’s length determines the number of padded characters that will be added.

• A precision specifier. A period ( . ) followed by an integer, sets the number of decimal places that should be output for a float. If used on a string, it sets a maximum character limit for the output.

• A type specifier:

  • % - a literal percent sign, thus would be written %% to display a percent sign in the formatting string

  • b – the input should be an integer, a binary number is the output.

  • c - the input should be an integer between 0-255, representing the ASCII byte-value. The character represented is output.

  • d – the input should be an integer.

  • e – the input is scientific notation.

  • u – the input is an unsigned decimal number.

  • f – the input is a float (locale aware).

  • F - the input is a float (not locale aware).

  • o – the input is an integer, an octal number is the output.

  • s – the input is a string.

  • x - the input is an integer, a hexadecimal number is the output (with lowercase letters).

  • X - the input is an integer, a hexadecimal number is the output (with uppercase letters).

Examples:

Basic substitution, no optional specifiers

$string = ‘cat’;
$integer = 10;
echo sprintf(”I have %d %s(s)”, $integer, $string);

I have 10 cat(s)

Basic substitution, type specification automatic adjustments

$string = ‘cat’;
$string2 = ‘10 blah’;
echo sprintf(”I have %d %s(s)”, $string2, $string);

I have 10 cat(s)

Using the sign specifier

$string = ‘cat’;
$integer = ‘10′;
echo sprintf(”Dagger has a %+d against %ss”, $integer, $string);

Dagger has a +10 against cats

Using padding and width specifiers (default padding specifier of a space)

$string = ‘cat’; // length, 3 characters
echo ‘<pre>’; // HTML Required to display the formating properly
echo sprintf(”3 spaces added: |%6s”, $string);
// Used padding of 6 characters, 6 – 3 = 3 spaces padded

Pad from line 3 spaces: |   cat

Using padding and width using a zero ( 0 ) for padding

$month = 12;
$day = 1;
$year = 1980;
echo sprintf (” Date: %02d/%02d/%04d.”, $month, $day, $year);
$year = 80;
echo sprintf (” Date: %02d/%02d/%04d.”, $month, $day, $year);

Date: 12/01/1980. Date: 12/01/0080.

Using padding and width using a custom character, the asterisk ( * )

$endofpassword = ‘word’;
$output = sprintf(”Your password: %’*8s”, $endofpassword);
echo $output;

Your password: ****word

Using padding, alignment (left), and width

$endofpassword = ‘word’;
$output = sprintf(”Your password: %’*-8s”, $endofpassword);
echo $output;

Your password: word****

Using the precision specifier

$scientific = 1.2e3;
echo sprintf(”Three decimal places: %.3e”, $scientific);

Three decimal places: 1.200e+3

$float = 1.2e3;
echo sprintf(”Two decimal places: %.2f”, $float);

Two decimal places: 1200.00

$string = ‘Hello World!’;
echo sprintf(”Cut-off after 4 characters: %.4s”, $string);

Cut-off after 4 characters: Hell

See Also:

printf() – prints a formatted string results rather than simply returning them
sscanf() – Parses a string through a formatted string, reverse of sprintf()

(pg. 150)

Book version:

\w - Letter (a-z, A-Z)

Correct version:

\w - Letter, Digit, Underscore [a-zA-Z0-9_]

This is similar to the syntax for alphanumeric: [:alnum:]

require(), require_once(), include(), include_once()

(pgs. 31-32)

Throughout the noted pages and scattered in a few other places, the above four are referred to as functions, when technically they are considered language constructs. While minor, it should still be clarified. All the functionality and examples are accurate, just some terminology clarifications.

(pgs. 124-125)

When describing the function mysql_real_escape_string(), the following note was included:

Note: Performs the same functionality as addslashes().

While they are practically identical in their behavior, this is an oversimplification of the extra strength of mysql_real_escape_string(). At this point, I will pass on the following blog post that provides some extra insight into the comparison of the two variables:addslashes() Versus mysql_real_escape_string() by Chris Shiflett. I was not previously aware of this difference and security loophole.

(pg. 33)

The opening sentence for the Global Variables chapter reads as follows:

While some global variables can be created through the use of
define(), some are reserved because of a special function, giving access to
different types of data.

Technically, the define() function creates a constant that is available globally, as is described properly as part of the function on page 11. Therefore, the sentence would be better phrased as follows:

While some constants can be made available globally through the use of
define(), some are reserved because of a special function, giving access to
different types of data.

(pg. 33)

The description in the book reads:

$_SERVER['QUERY_STRING'] – The current scripts path

This description is the same as the entry above, because I made a bad edit (copy/paste for formatting). The correct description would be as follows:

$_SERVER['QUERY_STRING'] – The current query string (without the question mark)

The example is correct and accurate, and luckily this is painfully obvious thanks to the name of the key QUERY_STRING in the $_SERVER array.

Just a quick hello to let you know this blog is now live. I’ll be posting a few corrections and clarifications here shortly, so stay tuned! If you haven’t already, feel free to read the about page for more information about this blogs purpose in relation to the book (or to find out more about the book).