Hi The new year has come But now, let’s focus on coding - new, fresh topic today
Plenty of data consists of text - that’s why we have strings Their presence allows us to modify and just do whatever the hell we want to with it
That’s it for the intro - let’s see what we will learn today
- How to define strings
- Comparing strings
- Obtaining first/last letter of a string
- Joining strings
- Validating strings (like e-mail)
- Passwords and hashing
So, let’s start coding
Defining
To define a string, we do exactly the same thing as always - add $
to the beginning of the name, and assign some value
$myString = "Wow, I am a string";
And now, should we define it with ""
or with '
? Both are syntaxually correct
But does it matter? Yes, it does.
If we define/output a string with double-quotes - we can put a variable inside and it will output it’s contents
For ex.
$var = "Hello";
echo "$var World";
// Hello World
But if we try to display it with single-quotes ('
) - it will look like this
$var = "Hello";
echo '$var World';
// $var World
You see? Even though we declared $var
, it didn’t inject it’s contents inside echo
statement - and the result was not what we wanted
Comparing
To compare, we have 2 options
==
operator- Using
strcmp()
function
And there is a catch, while ==
returns us boolean value (true or false):
$str1 = "hello";
$str2 = "hello";
var_dump($str1 == $str2);
// bool(true)
strcmp()
gives us integer
$str1 = "hello";
$str2 = "hello";
var_dump(strcmp($str1, $str2));
// int(0)
if it returns 0 - strings are the same, keep this in mind while writing if-else statements with strcmp()
if it returns something else - strings are different
Both of these are case-sensitive (So Hello
isn’t the same as hello
)
For case-insensitive comparison, we can use strcasecmp()
function
$str1 = "hello";
$str2 = "Hello";
var_dump(strcasecmp($str1, $str2));
// int(0)
Getting first/last letter
This sounds kind of hard at first, but we don’t really need to break it into array using some loop - instead we can refer to the string like an array
So, to get a first letter from $str1
just try to access it’s field 0
- like this
$str1 = "hello";
echo $str1[0];
// h
Trying to access 1
will give us e
and so on
But if we want to get last letter, how to do we do it? We don’t have to know strings length - just start from the behind with -1
$str1 = "hello";
echo $str1[-1];
// o
-2
would give us l
for example
<!- Tu koniec edycji: Od tąd zaczynasz –>
Strings length
There is a function for getting length of a string - strlen()
$str1 = "hello";
echo strlen($str1);
// 5
Converting string to array
Let’s suppose we get a string with some values, separated by commas
$str1 = "1, 2, 3, 4, 5, 6";
How can we convert it to array, like [1, 2, 3, 4, 5, 6]
Luckily, no need for custom code - explode()
is here
$str1 = "1, 2, 3, 4, 5, 6";
var_dump(explode(", ", $str1));
// array(6) { [0]=> string(1) "1" [1]=> string(1) "2" [2]=> string(1) "3" [3]=> string(1) "4" [4]=> string(1) "5" [5]=> string(1) "6" }
You see that magic? First argument is a separator, second is array.
If there is explode()
, there is also implode()
- converts array to string
$arr1 = [1, 2, 3, 4, 5, 6];
var_dump(implode(", ", $arr1));
// string(16) "1, 2, 3, 4, 5, 6"
Joining 2 strings
To join 2 string we use .
operator between them
So, if we have these 2 strings
$str1 = "Hello ";
$str2 = "World!";
We can concatenate (join them together, another funny word) them with mentioned earlier operator
echo $str1.$str2;
// Hello World!
Validating strings
This part is very important - so focus
There is one unwritten (Or right now written) rule - Never trust data passed by users
So basically, treat every input as potentially harmful - like an attack
But can we defend? Of course, that’s why we should be implementing some security solutions
I think we can divide them into 2 types
- Sanitizing functions
- Validating functions
Sanitation
Sanitizing means - removing/replacing every possibly dangerous character with it’s safe equivalent
There is one cool function, that will perfectly sanitize your string-type input - htmlentities()
It will replace every dangerous character (like <
or >
and so on) with it’s HTML entity
So for example, this code
$str = "A 'quote' is <b>bold</b>";
echo htmlentities($str);
Will output:
A 'quote' is <b>bold</b>
Cool, but what about those quotes? No worries, that’s why it takes second argument - flags
There are bunch of them - the whole list is in docs
The most popular is definitely ENT_QUOTES
- except for <
and >
it will also convert both types of quotes into it’s HTML entities
So now, after treating previous string with this function
echo htmlentities($str, ENT_QUOTES);
We get
// A 'quote' is <b>bold</b>
And for your information, yes this will output normally on the webpage - you will see text as it was in that variable
htmlentities()
also takes third argument - encoding
That’s pretty much, an information for the browser on how characters should be outputted onto your webpage - The most popular, and (almost) always working is UTF-8
- so let’s stick to it
And what about email addresses? Or IP addresses? What if we change something there - If we replace @
in email, we won’t be able to send anything
But, there is a way - with filter_var()
function and SANITIZE
filters
So, for example we have and email to sanitize
$email = "jack@gmail.com";
To do it, we will use FILTER_SANITIZE_EMAIL
filter
$email = "jack@gmail.com";
filter_var($email, FILTER_SANITIZE_EMAIL);
This filter removes all characters except letters, digits and !#$%&’*+-=?^_{|}~@.[] - so everything that is banned in emails
The whole list of sanitizing filters can be found here
Validation
And the second part of making inputs secure - validation
It’s just checking, if types are correct, if format is correct etc.
To check types, we use designated functions - they follow the same pattern is_[type]()
- for example
is_bool($var)
- is $var a boolean value?is_int($var)
- is $var an int value?is_string($var)
- is $var a string?is_array($var)
- is $var an array value?
We can also use another method - filter_var()
, but with VALIDATE
filters now
Let’s say, we have an IP and an email address
$email = "jack@gmail.com";
$ip = "52.200.35.15";
We can validate if they are correct with FILTER_VALIDATE_EMAIL
and FILTER_VALIDATE_IP
if (filter_var($ip, FILTER_VALIDATE_IP)) {
echo "This IP is valid";
}
echo "<br/>";
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
echo "This is valid email";
}
So, as you may have realized - These filters make function return either true
or false
The whole list can be found here - There you can also learn, that with this method we can also validate types of passed data, check it out
There is third option as well - Regular Expressions I won’t dive into it here, as this is a material for a fairly long article
What about passwords? Do we handle them like normal strings? Not really - for a password to be safely stored, we need to hash it.
Passwords and Hashing
Hashing is a method of non-reversible encryption - So you can’t really decode hash. If you want to know more - I’ve wrote a separate article about hashing
But how do we check passwords then?
We hash data passed by users, and compare it with hash from database.
There are many of those, some safer, some less. We should only use the newest ones, as older might be cracked and won’t provide good security measurements
How to we hash password? With password_hash()
function
$pass = "Password123";
echo password_hash($pass, PASSWORD_DEFAULT);
// $2y$10$m5kPJwmckipMn19qRHSNauT0bg.xnuT3mBNJXtJ1CGtIyVUWubVCO
This function will often appear with 2 arguments
- String to hash - here
$pass
- Algorithm -
PASSWORD_DEFAULT
means string will be hashed with default algorithm (Right now it’s bcrypt, but it is designed to be changeable - as old algorithms are cracked and new appear)
This might also take third argument - options Like memory cost or custom salt
What is salt? These are some random characters added to the string, before hashing to make it harder to crack.
You can set your own, static salt. But it’s recommended to leave it as it is, as it makes your passwords more secure
Now, we need to compare those functions - there is designated function called password_verify()
, you don’t need to use ==
$pass = "Password123";
$passwordHash = '$2y$10$m5kPJwmckipMn19qRHSNauT0bg.xnuT3mBNJXtJ1CGtIyVUWubVCO';
var_dump(password_verify($pass, $passwordHash));
// bool(true)
As you see - it takes 2 arguments
- Password in clear text
- Hash
If passwords match - it returns true
If not - false
And that’s how you handle passwords in PHP - we will utilize this later on, in our projects
Conclusion
Thanks for reading. I hope you got the main point of strings, and how to use them. Also, if you have any feedback, that’s what comments are for - I appreciate it all
Check out []other parts of this series](https://wizarddos.github.io/blog/series/php_0_to_hero.html) and my other articles
Again, thanks for reading. See you next time