Section 7.2. Handling Non-English Characters

7.2. Handling Non-English Characters

ASCII only allows a set of 256 characters to be used to describe the alphanumeric characters available to print. That range, 0 to 255, is used because it is the size of a byte8 ones and zeros, in computing terminology. Languages such as Chinese, Korean, and Japanese have special characters in them, which means you need more than 256 characters, and therefore need more than one byte of spaceyou need a multibyte character. The multibyte character implementation in PHP is capable of working with Unicode-based encodings, such as UTF-8; however, at this time, Unicode support in PHP is very weak. Full Unicode support is currently one of the key goals for future releases of PHP.

Dealing with these complex characters is slightly different from working with normal characters, because functions like substr( ) and strtoupper( ) expect precisely one byte per character and will corrupt a multibyte string. Instead, you should use the multibyte equivalents of these functions, such as mb_strtoupper( ) instead of strtoupper( ), mb_ereg_match( ) rather than ereg_match( ), and mb_strlen( ) rather than strlen( ). The parameters required for these functions are the same as their originals, except that most accept an optional extra parameter to force specific encoding.

If there is an existing script that you'd like to multibyte-enable, there's a special php.ini setting you can change: mbstring.func_overload. By default, this is set to 0, which means functions behave as you would expect them to. If you set it to 1, calling the mail( ) function gets silently rerouted to the mb_send_mail( ) function. If you set it to 2, all the functions starting with "str" get rerouted to their multibyte partners. If you set it to 4, all the "ereg" functions get rerouted. You can combine these together as you please by simply adding themfor example, for "mail" and "str" rerouting, you add 1 and 2, giving 3, so you set mbstring.func_overload to 3 to overload these two. To overload everything, set it to 7, which is 1 ("mail") + 2 ("str") + 4 ("ereg").

     number abs ( number num )

The abs( ) function returns the absolute value of the parameter you pass to it. By absolute, I mean that it leaves positive values untouched, and converts negative values into positive values. Thus:

     abs(50); // 50     abs(-12); // 12

You can either send a floating-point number or an integer to abs( ), and it will return the same type:

     abs(50.1); // 50.1     abs(-12.5); // 12.5

The abs( ) function is helpful for handling user input, such as "How many t-shirts would you like to buy?" While you could write code to check for values equal to or under 0, and issue warnings if appropriate, it is easier to put all quantity input through abs( ) to ensure it is positive.

     float acos ( float num )

The acos( ) function calculates the arc cosine value of the number provided as its only parameter, essentially reversing the operation of cos( ). The return value is in radiansyou should use the rad2deg( ) to convert radians to degrees.

     $acos1 = acos(0.4346);     $acos2 = acos(cos(80));

     string addslashes ( string str )

There are many situations where single quotes ('), double quotes ("), and backslashes (\) can cause problemsdatabases, files, and some protocols require that you escape them with \, making \', \", and \\ respectively. In these circumstances, you should use the addslashes( ) function, which takes a string as its only parameter and returns the same string with these offending characters escaped so that they are safe for use.

In php.ini, there is a magic_quotes_gpc option that you can set to enable "magic quotes" functionality. If enabled, PHP will automatically call addslashes( ) on every piece of data sent in from users, which can sometimes be a good thing. However, in reality it is often annoyingparticularly when you plan to use your variables in other ways.

Note that calling addslashes( ) repeatedly will add more and more slashes, like this:

     $string = "I'm a lumberjack and I'm okay!";     $a = addslashes($string);     $b = addslashes($a);     $c = addslashes($b);

After running that code, you will have the following:

     $a: I\'m a lumberjack and I\'m okay!     $b: I\\\'m a lumberjack and I\\\'m okay!     $c: I\\\\\\\'m a lumberjack and I\\\\\\\'m okay!

The reason the number of slashes increases so quickly is because PHP will add a slash before each single and double quote, as well as slashes before every existing slash.

The addslashes( ) function has a counterpart, stripslashes( ), that removes one set of slashes.

If you can, use a database-specific escaping function instead of addslashes( ). For example, if you're using MySQL, use mysql_escape_string( ).

     float asin ( float num )

The asin( ) function calculates the arc sine value of the number provided as its only parameter, essentially reversing the operation of sine( ). The return value is in radiansyou should use the rad2deg( ) to convert radians to degrees.

     $asin1 = asin(0.4346);     $asin2 = asin(sin(80));

     float asin ( float num )

The atan( ) function calculates the arc tangent value of the number provided as its only parameter, essentially reversing the operation of tan( ). The return value is in radiansyou should use the rad2deg( ) to convert radians to degrees.

     $atan1 = atan(0.4346);     $atan2 = atan(tan(80));

     string base_convert ( string num, int from_base, int to_base )

It is impractical for PHP to include separate functions to convert every base to every other base, so they are grouped into one function: base_convert( ). This takes three parameters: a number to convert, the base to convert from, and the base to convert to. For example, the following two lines are identical:

     print decbin(16);     print base_convert("16", 10, 2);

The latter is just a more verbose way of saying "convert the number 16 from base 10 to base 2." The advantage of using base_convert( ) is that we can now convert binary directly to hexadecimal, or even crazier combinations, such as octal to duodecimal (base 12) or hexadecimal to vigesimal (base 20).

The highest base that base_convert( ) supports is base 36, which uses 0-9 and then A-Z. If you try to use a base larger than 36, you will get an error.

     number bindec ( string binary_num )

The bindec( ) function converts a binary number into a decimal number. It takes just one parameter, which is the number to convert. For example:

     print decbin("10000"); // 16

     mixed call_user_func ( function callback [, mixed param1 [, mixed ...]] )

The call_user_func( ) function is a special way to call an existing PHP function. It takes the function to call as its first parameter, with the parameters to pass into the variable function as multiple parameters to itself. For example:

     $func = "str_replace";     $output_single = call_user_func($func, "monkeys", "giraffes", "Hundreds and     thousands of monkeys\n");

In that example, "monkeys", "giraffes", and "Hundreds of thousands of monkeys" are the second, third, and fourth parameters to call_user_func( ), but get passed into str_replace( ) (the function in $func) as the first, second, and third parameters.

An alternative to this function is call_user_func_array( ) , where the parameters to be passed are grouped in an array.

     mixed call_user_func_array ( function callback, array params )

The call_user_func_array( ) function is a special way to call an existing PHP function. It takes a function to call as its first parameter, then takes an array of parameters as its second parameter.

     $func = "str_replace";     $params = array("monkeys", "giraffes", "Hundreds and thousands of monkeys\     n");     $output_array = call_user_func_array($func, $params);     echo $output_array;

     float ceil ( float num )

The ceil( ) function takes a floating-point number as its only parameter and rounds it to the nearest integer above its current value. If you provide an integer, nothing will happen. For example:

     $number = ceil(11.9); // 12     $number = ceil(11.1); // 12     $number = ceil(11); // 11

     string chr ( int ascii_val )

To convert an ASCII number to its character equivalent, use the chr( ) function. This takes an ASCII value as its parameter and returns the character equivalent, if there is one.

     $letter = chr(109);     print "ASCII number 109 is equivalent to $letter\n";

That would output "ASCII number 109 is equivalent to m". The ord( ) function does the opposite of chr( ): it takes a string and returns the equivalent ASCII value.

     int connection_status ( void )

The connection_status( ) function takes no parameters and returns 0 if the connection is live and execution is still taking place; 1 if the connection is aborted; 2 if the connection has been aborted; and 3 if the connection has been aborted and subsequently timed out.

The last situation is only possible if ignore_user_abort(true) has been used, and the script subsequently timed out. The values 0, 1, 2, and 3 evaluate to the constants CONNECTION_NORMAL, CONNECTION_ABORTED, CONNECTION_TIMEOUT, and CONNECTION_ABORTED | CONNECTION_TIMEOUT (a bitwise OR of the previous two).

This script can tell the difference between shutdown occurring because the script finished or because script timeout was reached:

     function say_goodbye( ) {             if (connection_status( ) =  = CONNECTION_TIMEOUT) {                     print "Script timeout!\n";             } else {                     print "Goodbye!\n";             }     }     register_shutdown_function("say_goodbye");     set_time_limit(1);     print "Sleeping...\n";     sleep(2);     print "Done!\n";

     float cos ( float num )

The cos( ) function calculates the cosine value of the number provided as its only parameter. The parameter should be passed as radiansyou should use deg2rad( ) to convert degrees to radians.

     $cos1 = cos(10);     $cos2 = cos(deg2rad(80));

     mixed count_chars ( string str [, int mode] )

The count_chars( ) function takes a string parameter and returns an array containing the letters used in that string and how many times each letter was used.

Using count_chars( ) is complicated by the fact that it actually returns an array of exactly 255 elements by default, with each number in there evaluating to an ASCII code. You can work around this by passing a second parameter to the function. If you pass 1, only letters with a frequency greater than 0 are listed; if you pass 2, only letters with a frequency equal to 0 are listed. For example:

     $str = "This is a test, only a test, and nothing but a test.";     $a = count_chars($str, 1);     print_r($a);

That will output the following:

     Array ( [32] => 11 [44] => 2 [46] => 1 [84] => 1 [97] => 4 [98] => 1 [100]     => 1 [101] => 3 [103] => 1 [104] => 2 [105] => 3 [108] => 1 [110] => 4 [111]     => 2 [115] => 5 [116] => 8 [117] => 1 [121] => 1)

In that output, ASCII codes are used for the array keys, and the frequencies of each letter are used as the array values.

     string date ( string date_format [, int timestamp] )

Users like to have their dates in a variety of formats, so PHP lets you convert timestamps into different types of strings using the date( ) function.

You can send two parameters to date( ), with the second one being optional, as with strtotime( ). Parameter one is a special string containing formatting codes for how you want the timestamp converted, and parameter two is the timestamp you want to convert. If you do not supply the second parameter, PHP assumes you want to convert the current time.

Parameter one is tricky: it is a string of letters from a predefined list of 31 possibles. You can use other characters in the string, and these are copied directly into the formatted date. If you are trying to put words into the date format that you do not want to be converted into their date equivalent, you need to escape them with a backslash, \. To make things even more confusing, if your escaped letter is an existing escape sequence, then you need to escape it again!

The complete list of date format characters is shown in Table 7-1. Be careful, as they are case-sensitive!

This first example of date( ) is very basic and prints out the current time in 24-hour clock format:

     print date("H:i");

It's possible to mix the output of date( ) with a text string to get a natural-looking statement, like this:

     print "The day yesterday was " . date("l", time( ) - 86400);

Note that on very specific occasions (particularly when daylight savings time kicks in), the above script will be incorrect. If you need absolute precision, either check for DST or subtract a whole day using mktime( ).

This next example outputs the date in the format of 31st of August 2005. Notice that we have the word of in the date format, and it has been passed through to the output instead of being converted. The reason for this is that lowercase O and lowercase F do not have any formatting purpose in the date function (although this may be changed in the future), so they are just copied straight into output:

     print date("jS of F Y");

In the next example, our date( ) function is embedded between two other strings, which makes for particularly neat output:

     print "My birthday is on a " . date("l", strtotime("22 Dec 2004")) . " this     year.";

     string decbin ( int num )

The decbin( ) function converts a decimal number into a binary number. It takes just one parameter, which is the number to convert. For example:

     print decbin(16); // "10000"

     string dechex ( int num )

The dechex( ) function converts a decimal number into a binary number. It takes just one parameter, which is the number to convert. For example:

     print dechex(232); // "e8"

     string decoct ( int num )

The decoct( ) function converts a decimal number into an octal number. It takes just one parameter, which is the number to convert. For example:

     print decoct(19); // "23"

     float deg2rad ( float num )

The deg2rad( ) function converts degrees to radians. Radians are calculated as being $degrees multiplied by the mathematical constant pi, then divided by 180.

     $sin1 = sin(deg2rad(80));

     void exit ( [mixed status] )

The die( ) function terminates execution of a script, and is an alias of the exit( ) function.

     $db = open_database( ) OR die("Couldn't open database!");

     int dl ( string extension_name )

Use the dl( ) function to load an extension at runtime, passing the name of the extension to load as its only parameter. Note that there are cross-platform considerations to using dl( ) that are discussed later. The downside to using dl( ) is that it needs to dynamically load and unload the extension each time your scripts runthis ends up being a great deal slower than running PHP as a web server module, where the extensions are loaded just once and kept in memory.

One last warning: using dl( ) with multithreaded web servers (such as Apache 2) will simply not work; you will need to use the static method of editing your php.ini file and restarting the server.

Here is an example of dl( ) on both Windows and Unix:

     dl('php_imap.dll'); // Windows     dl('imap.so'); // Unix

     bool empty ( mixed var )

The empty( ) function returns true if its parameter has a false value. This is not the same as the isset( ): if a variable was set and had a false value (such as 0 or an empty string), empty( ) would return false, and isset( ) would return true.

     $var1 = "0";     $var2 = "1";     $var3 = "";     if (empty($var1)) print "Var1 empty\n";     if (empty($var2)) print "Var2 empty\n";     if (empty($var3)) print "Var3 empty\n";     if (empty($var4)) print "Var4 empty\n";

That would print "Var1 empty", "Var3 empty", then "Var4 empty".

     string escapeshellcmd ( string command )

The escapeshellcmd( ) function is used to escape special characters in shell commands that may otherwise trick your script into running malicious code. If you ever plan to allow users to execute a program on your serverin itself a major security riskyou should always pass their variables through this function first. For example:

     $_GET["search"] = escapeshellcmd($_GET["search"]);     passthru("grep {$_GET["search"] /var/www/meetinglogs/*");

     mixed eval ( string code )

You can execute the contents of a string as if it were PHP code using the eval( ) function. This takes just one string parameter and executes that string as PHP. For example:

     $str = '$i = 1; print $i;';     eval($str);

That script assigns two PHP statements to $str, then passes $str into eval( ) for execution.

The eval( ) function allows you to store your PHP code in a database, or to build it at runtime, which gives you a lot more flexibility.

If you are considering using eval( ), bear in mind these words from the creator of PHP, Rasmus Lerdorf: "If eval( ) is the answer, you're almost certainly asking the wrong question." That is, you should be able to achieve your goals without resorting to eval( ).

     string exec ( string command [, array &output [, int &return_val]] )

The exec( ) function runs an external program, specified in the first parameter. It sends back the last line outputted from that program as its return value, unlike passthru( ), which prints out all the output the program generates.

     print exec("uptime");

The uptime command is available on most Unix systems and prints out just one line of outputperfect for exec( ).

Calling exec( ) is usually preferred when the output of your program is irrelevant, whereas passthru( ) automatically prints your output.

If you pass a second and third parameter to exec( ), the output of the command will be put into parameter two as an array with one line per element, and the numeric exit status of the command will be put into parameter three. Similarly, if you pass a second parameter to passthru( ), it will be filled with the return value of the command.

For example:

     exec("dir", $output, $return);     echo "Dir returned $return, and output:\n";     var_dump($output);

That example should work fine on Windows, as well as on many versions of Unix.

PHP's exec( ) is more like the Perl execution operator ('...') than the Perl exec( ) function.

     void exit ( [mixed status] )

The exit( ) function takes just one optional parameter and immediately terminates execution of the script. If you pass it a parameter, this is used as the script exit code. If it is a string, it is printed out. The function die( ) is an alias of exit( ) and works the same way.

Use exit( ) wherever you need to end a script with no further work. For example:

     if ($password != "frosties") {             print "Access denied.";             exit( ); // note: ( ) is optional     }

The exit( ) function takes a maximum of one parameter, which can either be a program return number or a string. Many programs return numbers so that they can be chained to other programs and their output properly judged. In this case, 0 usually means "Everything went OK," and everything else means "Something went wrong." Using exit( ) with a string causes PHP to output the string and then terminate the scripta behavior commonly used by programmers with exit( )'s alias, die( ), like this:

     do_some_func( ) OR die("do_some_func( ) returned false!");

In that situation, do_some_func( ) will be called and, if it returns false, die( ) will be called to terminate the script.

     float floor ( float num )

The floor( ) function takes a floating-point number as its only parameter and rounds it to the nearest integer below its current value. If you provide an integer, nothing will happen. For example:

     $number = floor(11.1); // 11     $number = floor(11.9); // 11     $number = floor(11); // 11

The floor( ) function converts a positive floating-point number to an integer in the same way as typecasting, except typecasting is faster. This is not true for negative numbers, where the two will produce different results because floor( ) rounds down (e.g., -3.5 becomes -4) and typecasting knocks off the non-integer data (e.g., -3.5 becomes -3).

     bool function_exists ( string function_name )

If you're working with functions that are not part of the PHP core (i.e., that need to be enabled by users), it's a smart move to use the function_exists( ) function. This takes a function name as its only parameter and returns true if that function (either built-in or one you've defined yourself) is available for use. It only checks whether the function is available, not whether it will workyour system may not be configured properly for some functions. Here is how it looks in code:

     if (function_exists("imagepng")) {             echo "You have the GD extension loaded.";     } else {             echo "Can't find imagepng( ) - do you have GD loaded?";     }

If you ever want to know whether you have a function available to you, use the function_exists( ) function. This takes one string parameter that is the name of a function and returns true if the function exists or false if it does not. Many people use function_exists( ) to find out whether they have an extension available, by calling function_exists( ) on a function of that extension. However, this is accomplished more easily with the extension_loaded( ) function, covered in the next section.

     array get_extension_funcs ( string extension_name )

The get_extension_funcs( ) function takes the name of an extension and returns an array of the functions available inside that extension. This is often combined with a call to get_loaded_extensions( ) , like this:

     $extensions = get_loaded_extensions( );     foreach($extensions as $extension) {             echo $extension;             echo ' (', implode(', ', get_extension_funcs($extension)), ')<br/>';     }

Breaking that down, it retrieves the names of all extensions currently loaded and cycles through them using a foreach loop. For each extension, it calls get_extension_funcs( ) to get the functions made available by that extension, then implodes that array into a string separated neatly by commas, then surrounds the whole thing in parentheses. For example, if you have the wddx extension installed, you should see the following line somewhere in your output:

     wddx (wddx_serialize_value, wddx_serialize_vars, wddx_packet_start, wddx_     packet_end, wddx_add_vars, wddx_deserialize)

     array get_loaded_extensions ( void )

The get_loaded_extensions( ) function takes no parameters and returns an array of the names of all extensions you have loaded.

     $extensions = get_loaded_extensions( );     echo "Extensions loaded:\n";     foreach($extensions as $extension) {             echo " $extension\n";     }

If you just want to check whether a specific extension is loaded or not, without having to go through the fuss of sifting through the return value of get_loaded_extensions( ), you can use the simple shortcut function extension_loaded( ), which takes an extension name as its only parameter and returns true if it has loaded or false if not.

     number hexdec ( string hex_string )

The hexdec( ) function converts a hexadecimal number into a decimal number. It takes just one parameter, which is the number to convert. For example:

     print hexdec(e8); // 232

     string html_entities ( string html [, int options [, string charset]] )

The html_entities( ) function converts characters that are illegal in HTML, such as &, <, and ", into their safe equivalents: &amp;, &lt;, and &quot;, respectively.

     $flowerpot_men = "Bill & Ben";     $safe_flowerpots = htmlentities($flowerpot_men);     // it's now "Bill & Ben"

This method of encoding is often referred to as &-escaping. You can reverse this conversion using the html_entity_decode( ) function.

     string html_entity_decode ( string html [, int options [, string charset]] )

The html_entity_decode( ) function converts an &-escaped string into its original format, reversing the operation of html_entities( ).

     $flowerpot_men = "Bill & Ben";     $safe_flowerpots = htmlentities($flowerpot_men);     // it's now "Bill & Ben"     $unsafe_flowerpots = html_entity_decode($safe_flowerpots);     // back to "Bill & Ben"

     int ignore_user_abort ( [bool enable] )

The ignore_user_abort( ) function allows your script to carry on working after the user has cancelled her request. Passing true as its only parameter will instruct PHP that the script is not to be terminated, even if your end user closes her browser, has navigated away to another site, or has clicked Stop. This is useful if you have some important processing to do and you do not want to stop it even if your users click cancel, such as running a payment through on a credit card. You can also pass false to ignore_user_abort( ), thereby making PHP exit when the user closes the connection.

     ignore_user_abort(true);     // carry on if user clicks Stop in their browser

     string ini_get ( string varname )

The ini_get( ) function allows you to read a value from the php.ini file without altering it. It takes the name of the value to read as its only parameter and returns the value. Boolean values returned by ini_get( ) should be typecasted as integer; otherwise, false values will be returned as an empty string. For example:

     print "Display_errors is turned on: ";     print (int) ini_get("display_errors");

Many numerical values in php.ini are represented using M for megabyte and other shortcuts. These are preserved in the return value of ini_get( ), which means you should not rely on these values to be plain numbers.

     string ini_set ( string varname, string value )

The ini_set( ) function allows you to change system attributes that affect the way your script is executed. Changes only affect the current script, and will revert back when the script ends.

To use ini_set( ), pass it the value you want to change as its first parameter, and the new value to use as its second parameter. If it is successful, it will return the previous value. For example:

     print ini_set("max_execution_time", "300") . "<br />";     print ini_set("display_errors", "0") . "<br />";     print ini_set("include_path", "/home/paul/include") . "<br />";

Many variables cannot be changed using ini_set( ), because they have already been used. For example, magic_quotes_gpc decides whether PHP should automatically send all HTTP input through the addslashes( ) function before giving it to you. Although you can change this using ini_set( ), it is pointless to do so: it will be changed after PHP has already modified the variables.

     bool is_callable ( mixed var [, bool check_syntax_only [, string &proper_     name]] )

The is_callable( ) function takes a string as its only parameter and returns TRue if that string contains a function name that can be called using a variable function. For example:

     $func = "sqrt";     if (is_callable($func)) {             print $func(49);     }

     bool isset ( mixed var [, mixed var [, ...]] )

The isset( ) function returns true if its parameter has already been set in your script. This is not the same as the empty( ): if a variable was set and had no value, isset( ) would return TRue, and empty( ) would return false.

To check for "variable not set," use the not operator !, as in if (!isset($foo)).

     string ltrim ( string str [, string trim_chars] )

The ltrim( ) function works like the normal trim( ), except it only trims whitespace from the lefthand side of a string.

     $string = ltrim(" testing ");     // $string is "testing "

     string md5 ( string str [, bool raw_output] )

Although the sha1( ) function is recommended for checksumming data securely, another popular algorithm is MD5, where the "MD" stands for Message Digest. The md5( ) function produces a data checksum in exactly the same way as sha1( ); the difference is that it is only 32-bytes long. Because sha1( ) is longer, it is less likely to have a "collision"a situation where two different strings share the same checksum. However, md5( ) has a slight speed advantage. Unless you're trying to serve your website from a 386 or have been asked to use a particular algorithm, stick with sha1( ).

Using md5( ) is the same as using sha1( ):

     $md5hash = md5("My string");     print $md5hash;

Note that if you are thinking that having fewer bits in MD5 makes it less secure, you are correctbut only just. An MD5 checksum is 32 bytes long, which is equal to 128 bits. That is, an MD5 checksum can be made up of 3.402823669209384634-6337460743177e+38 different possibilities, more commonly referred to as 2 to the power of 128. This an enormous number of varieties, and it is quite secure for most purposes.

     mixed microtime ( [bool float_output] )

The microtime( ) function returns a highly accurate reading of the current time. When called without any parameters, this returns the current system time in seconds and microseconds, ordered microseconds first. For example: 0.82112000 1174676574. If you pass true to microtime( ), PHP will return the time in the more useful format of seconds.microseconds, like this: 1174676587.5996

When using microtime( ), keep in mind that the return value is a floating-point number. There is a setting in your php.ini file called precision that sets the number of significant digits to show in floating-point numbers, which means your return value from microtime( ) may not be as precise as you want. Above, for example, you can see we only have four decimal places returnedthis is because php.ini defaults precision to 14 significant digits, and there are 10 digits before the decimal place.

If you increase the value of precision to 18 and run microtime( ) again, you will get results that are more accurate: 1174677004.8997819.

     int mktime ( [int hour [, int minute [, int second [, int month     [, int day [, int year [, int is_dst]]]]]]] )

It's common practice to store year, month, and day in separate variables in order to make comparison easier, and the mktime( ) function is used to reassemble the components into one Unix timestamp.

Of all the functions in PHP, this one has the most unusual parameter order: hour, minute, second, month, day, year, Is_Daylight_Savings_Time. Note that the hour should be in 24-hour clock time.

So, to pass in 10:30 p.m. on the 20th of June 2005, you would use mktime( ) like this:

     $unixtime = mktime(22, 30, 0, 6, 20, 2005, -1);

The only parameter that might not make sense is the last one, which is where you tell PHP whether daylight savings time (DST) should be in effect. If this seems odd to yousurely PHP should know whether DST was in effect?consider the difficulties there are in calculating it. Each country enters DST at its own time, with some countries even having various times inside itself. Other countries, such as Germany, have only been using the DST system since 1980, which further complicates the matter. So, PHP gives you the option: pass 1 as the last parameter to have DST on, pass 0 to have it off, and pass -1 to let PHP take its best guess.

Using mktime( ) is a great way to do date arithmetic, as it will correct crazy dates quite well. For example, if we wanted to add 13 months to the function call above without having to figure out the new settings, we could just add 13 to the month parameter (currently 6), like this:

     $unixtime = mktime(10, 30, 0, 19, 20, 2005, -1);

Clearly there are not 19 months in the year, so PHP will add one to the year value, subtract 12 from the months value, and calculate the date from there. Similarly you could add 9990 to the hours value and PHP will jump ahead by 416 days.

All the parameters to mktime( ), if less than 10, should not be expressed with a leading zero. The reason for this is that numbers with a leading zero are interpreted by PHP as being octal numbers, and this is likely to cause unforeseen results.

     int mt_rand ( [int min, int max] )

The mt_rand( ) function returns random numbers, similar to the rand( ). However, it uses the Mersenne Twister algorithm to generate "better" random numbers (i.e., more random), and is often preferred.

If you supply no parameters, mt_rand( ) will return a number between 0 and mt_getrandmax( ). If you supply it with two parameters, mt_getrandmax( ) will use those as the upper and lower limits for the random number it generates. The limits are inclusive: if you specify 1 and 3, your random number could be 1, 2, or 3.

     $mtrand = mt_rand( );     $mtrandrange = mt_rand(1,100);

The maximum value that can be generated by mt_rand( ) varies depending on the system you use, but on both Windows and Unix, the default is 2,147,483,647.

     string nl2br ( string str )

The nl2br function inserts a HTML line break (<br />) before all new line characters. You should note that it does not replace the line breaksthe \n breaks are left intact. For example:

     $mystr = "This is a test\nYes it is.";     $brstr = nl2br($mystr);     // set to "This is a test<br />\nYes it is."

     string number_format ( float num [, int decimals     [, string decimal_point, string thousands_sep]] )

The number_format( ) function rounds numbers and adds commas as a thousands separator. You can pass it either one, two, or four parameters:

• number_format($n) rounds $n to the nearest whole number and adds commas in between thousands. For example:

       $total = 12345.6789;     echo "Total charge is \$", number_format($total), "\n"; 

  
  

  That will output Total charge is $12,346, because it rounds up to the nearest decimal place.

• number_format($n,$p) rounds $n to $p decimal places, adding commas between thousands. For example:

       echo "Total charge is \$", number_format($total, 2), "\n"; 

  
  

  This time the output is 12,345.68, as it has been rounded to two decimal places.

• number_format($n, $p, $t, $d) rounds $n to $p decimal places, using $t as the thousands separator and $d as the decimal separator. For example:

       echo "Total charge is ", number_format($total, 2, ".", ","), " Euros"; 

  
  

  The output is now 12.345,68, which swaps the period and comma, as is the norm in many European countries.

     number octdec ( string octal_string )

The octdec( ) function converts an octal number into a decimal number. It takes just one parameter, which is the number to convert. For example:

     print decoct("23"); // 19

     int ord ( string str )

The ord( ) function takes a string and returns the equivalent ASCII value. For example:

     $mystr = "ASCII is an easy way for computers to work with strings\n";     if (ord($mystr{1}) =  = 83) {             print "The second letter in the string is S\n";     } else {             print "The second letter is not S\n";     }

That code should output The second letter in the string is S. The chr( ) function does the opposite of ord( ): it takes an ASCII value and returns the equivalent character.

     void parse_str ( string str [, array &arr] )

QUERY_STRING is the literal text sent after the question mark in a HTTP GET request, which means that if the page requested was mypage.php?foo=bar&bar=baz, QUERY_STRING is set to foo=bar&bar=baz. The parse_str( ) function is designed to take a query string like that one and convert it to variables in the same way that PHP does when variables come in. The difference is that variables parsed using parse_str( ) are converted to global variables, as opposed to elements inside $_GET. So:

     if (isset($foo)) {             print "Foo is $foo<br />";     } else {             print "Foo is unset<br />";     }     parse_str("foo=bar&bar=baz");     if (isset($foo)) {             print "Foo is $foo<br />";     } else {             print "Foo is unset<br />";     }

That will print out Foo is unset followed by Foo is bar, because the call to parse_str( ) will set $foo to bar and $bar to baz. Optionally, you can pass an array as the second parameter to parse_str( ), and it will put the variables into there. That would make the script look like this:

     $array = array( );     if (isset($array['foo'])) {             print "Foo is {$array['foo']}<br />";     } else {             print "Foo is unset<br />";     }     parse_str("foo=bar&bar=baz", $array);     if (isset($array['foo'])) {             print "Foo is {$array['foo']}<br />";     } else {             print "Foo is unset<br />";     }

That script has the same output as before, except that the variables in the query string are placed into $array. As you can see, the variable names are used as keys in the array, and their values are used as the array values.

     void passthru ( string command [, int &return_var] )

The passthru( ) function runs an external program, specified in the first parameter. It prints everything output by that program to the screen, unlike the exec( ), which prints out only the final line of output that the program generates.

     passthru("who");

This function is helpful if you don't want to worry about how many lines the program returned. For example, many sites use the Unix command fortune with passthru("fortune") to get a quick and easy random quote for the bottom of their pages.

Taking user input and passing it into passthru( ) functions (or any other program execution function) is very dangerous. If you really must use user data as input to your program calls, pass it through the special function escapeshellcmd( ) firstit takes your input, and returns it in a safe format that can be used. For example, you might have a script that allows people to search files in a directory for a word they enter into a web form, with the crux of the script looking something like this: passthru("grep {$_GET["search"] /var/www/meetinglogs/*"); That works fine as long as you can trust the people calling the script, but it's very easy for them to send "nonexistent; cat /etc/passwd; #" as the search field, which causes your grep command to run on an existing file and then print out the contents of your system password file. The # symbol is a shell comment, causing the rest of your original command to be ignored. To solve this problem, stop people from running multiple commands by escaping their input: $_GET["search"] = escapeshellcmd($_GET["search"]); passthru("grep {$_GET["search"] /var/www/meetinglogs/*"); That said, no matter how many precautions you take, it's really not worth running the risk of people executing arbitrary commands, so you should try to avoid using user input for command execution.

     number pow ( number base, number exponent )

The pow( ) function takes two parameters: a base and a power to raise it by. That is, supplying 2 as parameter two will multiply parameter one by itself, and supplying 3 will multiply parameter one by itself twice, like this:

     print pow(10,2); // 100     print pow(10,3); // 1000     print pow(10,4); // 10000     print pow(-10, 4); // 10000

The first three lines show the result of 10 * 10, 10 * 10 * 10, then 10 * 10 * 10 * 10. On line four, we have -10 as the first parameter, and it is converted to a positive number in the result. This is basic mathematical theory: "a negative multiplied by negative makes a positive."

You can also send negative powers for the second parameter to pow( ) to generate roots. For example, pow(10, -1) is 0.1, pow(10, -2) is 0.01, pow(10, -3) is 0.001, etc. The values used as parameters one and two need not be integers: pow(10.1,2.3) works fine.

     int printf ( string format [, mixed argument [, mixed ...]] )

The printf( ) function may not be a function you will use often, but many people do, so it is good for you to be aware of it. This function is the standard C way to format text, and it has been copied wholesale into PHP for those who want to make use of it. It is not easy to use, but if you are doing a lot of code formatting, it will produce shorter code.

This function takes a variable number of parameters: a format string is always the first parameter, followed by zero or other parameters of various types. Here is a basic example:

     $animals = "lions, tigers, and bears";     printf("There were %s - oh my!", $animals);

That will put together the string "There were lions, tigers, and bearsoh my!" and send it to output. The %s is a special format string that means "string parameter to follow," which means that $animals will be treated as text inside the string that printf( ) creates.

Here is another example, slightly more complicated this time:

     $foo = "you";     $bar = "the";     $baz = "string";     printf("Once %s've read and understood %s previous section, %s should be     able to use %s bare minimum %s control functions to help %s make useful     scripts.", $foo, $bar, $foo, $bar, $baz, $foo);

This time we have several %s formatters in there, and the corresponding number of variables after parameter one. PHP replaces the first %s with parameter two, the second %s with parameter three, the third %s with parameter four, and so on. We have both $foo and $bar appearing more than once in the format list, which is perfectly acceptable.

There is a variety of other format strings for printf( ) as well as %s; a complete list is shown in Table 7-2.

If you specify one type but use another in its place, PHP will treat it as the type you specified, not as the type it actually is. For example, if you specify %d but provide a float, PHP will ignore the decimal part of the number; if you specify a number inside a string, PHP will treat it as a number. This works well, because you can't always be sure what type a variable is, yet you can always be sure what kind of variable you would like it to be.

     $number = 123;     printf("123 in binary is: %b", $number);     printf("123 in hex is: %h", $number);     printf("123 as a string is: %s", $number);     printf("%% allows you to print percent characters");

Putting strings for parameter one separate from the printf( ) call means that you can change languages at the drop of a hat. Furthermore, it means you don't need to add new variables to your script to perform conversionsprintf( ) will do them all for you, thanks in particular to an extra piece of functionality it has, revolving around the use of . (a period). For example:

     $number = 123.456;     $formatted = number_format($number, 2) . "\n";     print "Formatted number is $formatted\n";     printf("Formatted number is %.2f\n", $number);

In that code, lines two and three round a float to two decimal places and then print out the result. The same thing is accomplished in line three: %f is the format term meaning float, but by preceding the F with .2 printf( ), it rounds the float to two decimal places. We could have used %.1f for one decimal place, %.8f for eight decimal places, etc.

     float rad2deg ( float num )

The rad2deg( ) function converts radians to degrees. Radians are calculated as being $degrees multiplied by the mathematical constant pi, then divided by 180.

     $atan_deg = rad2deg(atan(0.4346));

     int rand ( [int min, int max] )

The rand( ) function returns random numbers. If you call it with no parameters, it will return a number between 0 and the value returned by getrandmax( ).

If you supply it with two parameters, rand( ) will use those numbers as the upper and lower limits of the random number, inclusive of those values. That is, if you specify 1 and 3, the value could be 1, 2, or 3.

     $random = rand( );     $randrange = rand(1,10);

Using rand( ) is very quick but not very "random"the numbers it generates are more predictable than using the mt_rand( ) function.

The maximum value that can be generated by rand( ) varies depending on the system you use: on Windows, the highest default value is usually 32,767; on Unix, the value is 2,147,483,647. That said, your system may be different, which is why the getrandmax( ) is available.

     string rawurldecode ( string str )

The rawurldecode( ) function converts a %-escaped string into its original format, reversing the operation of rawurlencode( ) .

     $name = 'Paul "Hudzilla" Hudson';     $safe_name = rawurlencode($name);     // it's now Paul%20%22Hudzilla%22%20Hudson     $unsafe_name = rawurldecode($name);     // back to 'Paul "Hudzilla" Hudson'

     string rawurlencode ( string str )

The rawurlencode( ) function converts non-alphabetic symbols into numerical equivalents preceded by a percent sign, such as %28 for "(", %29 for ")", and %27 for double quotes. This is most commonly used for passing data over URLs.

     $name = 'Paul "Hudzilla" Hudson';     $safe_name = rawurlencode($name);     // it's now Paul%20%22Hudzilla%22%20Hudson

This method of encoding is often referred to as %-escaping. You can reverse this conversion using the rawurldecode( ) function.

     void register_shutdown_function ( function callback     [, mixed param [, mixed ...]] )

The register_shutdown_function( ) function allows you to register with PHP a function to be run when script execution ends. Take a look at this example:

     function say_goodbye( ) {             echo "Goodbye!\n";     }     register_shutdown_function("say_goodbye");     echo "Hello!\n";     That would print out the following:     Hello!     Goodbye!

You can call register_shutdown_function( ) several times passing in different functions, and PHP will call all of the functions in the order you registered them when the script ends. If any of your shutdown functions call exit, the script will terminate without running the rest of the functions.

One very helpful use for shutdown functions is to handle unexpected script termination, such as script timeout, or if you have multiple exit( ) calls scattered throughout your script and want to ensure that you clean up no matter what. If your script times out, you have just lost control over whatever you were doing, so you either need to back up and undo whatever you have just done, or you need to clean up and terminate cleanly. Either way, shutdown functions are perfect: register a clean-up function near the start of the script and, when script timeout happens, the clean-up function will automatically run.

For example, the following script will print out "Sleeping...Goodbye!":

     function say_goodbye( ) {             print "Goodbye!\n";     }     register_shutdown_function("say_goodbye");     set_time_limit(1);     print "Sleeping...\n";     sleep(2);     print "Done!\n";

The "Done!" print line will never be executed, because the time limit is set to 1 and the sleep( ) function is called with 2 as its parameter, so the script will sleep for 2 seconds. As a result, "Sleeping..." gets printed, probably followed by a warning about the script going over its time limit, and then the shutdown function gets called.

     float round ( float num [, int precision] )

The round( ) function takes a floating-point number as its parameter and rounds it to the nearest integer to its current value. If a number is exactly halfway between two integers, round( ) will always round up. If you provide an integer, nothing will happen. For example:

     $number = round(11.1); // 11     $number = round(11.9); // 12     $number = round(11.5); // 12     $number = round(11); // 11

You can also provide the number of decimal places to round to:

     $a = round(4.4999); // 4     $b = round(4.123456, 3); // 4.123     $c = round(4.12345, 4); // 4.1235     $d = round(1000 / 160); // 6

The last example is a common situation encountered by people using round( ). Imagine you were organizing a big trip to the countryside, and 1000 people signed up. You need to figure out how many buses you need to hire, so you take the number of people, 1000, and divide it by the capacity of your buses, 160, then round it to get a whole number. You find the result is 6.

Where is the problem? Well, the actual result of 1000/160 is 6.25you need 6.25 buses to transport 1000 people, and you will only have ordered 6 because round( ) rounded toward 6 rather than 7, since it was closer. As you cannot order 6.5 buses, what do you do? The solution is simple: in situations like this, you use ceil( ).

     string rtrim ( string str [, string trim_chars] )

The rtrim( ) function works like the normal trim( ), except it only trims whitespace from the righthand side of a string.

     $string = rtrim(" testing ");     // $string is " testing"

     void set_time_limit ( int seconds )

The set_time_limit( ) function lets you set how long a script should be allowed to execute. This value is usually set inside php.ini under the max_execution_time setting; however, you can override that here. The function takes one parameter, which is the number of seconds you want the script to have. Or you can pass 0, which means "Let the script run as long as it needs." This example sets the script execution time to 30 seconds:

     set_time_limit(30);

When you use this function, the script timer is reset to 0; if you set 50 as the time limit, then after 40 seconds set the time limit to 30, the script will run for 70 seconds in total. That said, most web servers have their own time limit over and above PHP's. In Apache, this is set under Timeout in httpd.conf, and defaults to 300 seconds. If you use set_time_limit( ) to a value greater than Apache's timeout value, Apache will stop PHP before PHP stops itself. PHP may let some scripts go over the time limit if control is outside the script. For example, if you run an external program that takes 100 seconds and you have set the time limit to 30 seconds, PHP will let the script carry on for the full 100 seconds and terminate immediately afterwards. This also happens if you use the sleep( ) function with a value larger than the amount of time the script has left to execute.

The script time limit specified in php.ini or using set_time_limit( ) is also used to specify the number of seconds shutdown functions have to run. For example, if you have a time limit set to 30 seconds and have used register_shutdown_function( ) to set up functions to be called on script end, you will get an additional 30 seconds for all your shutdown functions to run (as opposed to 30 seconds for each of your shutdown functions).

     string sha1 ( string str [, bool raw_output] )

SHA stands for the "Secure Hash Algorithm," and it is a way of converting a string of any size into a 40-bit hexadecimal number that can be used for verification. Checksums are like unidirectional (one-way) encryption designed to check the accuracy of input. By unidirectional, I mean that you cannot run $hash = sha1($somestring), then somehow decrypt $hash to get $somestringit is just not possible, because a checksum does not contain its original text.

Checksums are a helpful way of storing private data. For example, how do you check whether a password is correct?

     if ($password =  = "Frosties") {             // ........     }

While that solution works, it means that whoever reads your source code gets your password. Similarly, if you store all your users' passwords in your database and someone cracks it, you will look bad. If you have the passwords of people on your database, or in your files, then malicious users will not be able to retrieve the original password.

The downside of that is that authorized users will not be able to get at the passwords eitherwhether or not that is a good thing varies from case to case, but usually having checksummed passwords is worthwhile. People who forget their password must simply reset it to a new password as opposed to retrieving it.

Checksumming is also commonly used to check whether files have downloaded properlyif your checksum is equal to the correct checksum value, then you have downloaded the file without problem.

The process of checksumming involves taking a value and converting it into a semi-meaningless string of letters and numbers of a fixed length. There is no wayno way whatsoeverto "decrypt" a checksumming to obtain the original value. The only way to hack a checksum is to try all possible combinations of input, which, given that the input for the checksum can be as long as you want, can take millions of years.

Consider this script:

     print sha1("hello") . "\n";     print sha1("Hello") . "\n";     print sha1("hello") . "\n";     print sha1("This is a very, very, very, very, very, very, very long test");

Here is the output I get:

     aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d     f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0     aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d     66f52c9f1a93eac0630566c9b82b26f91d727001

There are three key things to notice there: first, all the output is exactly 40 characters in length, and always will be. Second, the difference between the checksum of "hello" and the checksum of "Hello" is gigantic, despite the only difference being a small caps change. Finally, notice that there is no way to distinguish between long strings and short stringsbecause the checksum is not reversible (that is, you cannot extract the original input from the checksum), you can create a checksum of strings of millions of characters in just 40 bytes.

If you had stored your users' passwords checksummed in your database, then you need to checksum the passwords they provide before you compare them to the values in your database. One thing that is key to remember is that sha1( ) will always give the same output for a given input.

If you set the optional second parameter to true, the SHA1 checksum is returned in raw binary format and will have a length of 20.

     float sin ( float num )

The sin( ) function calculates the sine value of the number provided as its only parameter. The parameter should be passed as radiansyou should use deg2rad( ) to convert degrees to radians.

     $sin1 = sin(10);     $sin2 = sin(deg2rad(80));

     int sleep ( int seconds )

The sleep( ) function pauses execution for a set number of seconds, determined by the parameter you provide it. For example:

     sleep(4);     echo "Done\n";

The maximum script execution time is 30 seconds by default (although you may have changed this by altering the max_execution_time setting inside php.ini), but you can use sleep( ) to make your scripts go on for longer than that because PHP does not have control during the sleep operation.

     float sqrt ( float num )     To obtain the square root of a number, use the sqrt( ) function  , which takes     as its parameter the value you wish to calculate the square root of:     print sqrt(25);     print sqrt(26);

That will output 5 as the result of line one, then 5.0990195135928 for line two.

     string str_pad ( string input, int length [, string padding [, int type]] )

The str_pad( ) function makes a given string (parameter one) larger by X number of characters (parameter two) by adding on spaces. For example:

     $string = "Goodbye, Perl!";     $newstring = str_pad($string, 2);

That code would leave " Goodbye, Perl! " in $newstring, which is the same string from $string, except with a space on either side, equalling the two we passed in as parameter two.

There is an optional third parameter to str_pad( ) that lets you set the padding character to use, so:

     $string = "Goodbye, Perl!";     $newstring = str_pad($string, 10, 'a');

That would put "aaaaaGoodbye, Perl!aaaaa" into $newstring.

We can extend the function even more by using its optional fourth parameter, which allows us to specify which side we want the padding added to. The fourth parameter is specified as a constant, and you either use STR_PAD_LEFT, STR_PAD_RIGHT, or STR_PAD_BOTH:

     $string = "Goodbye, Perl!";     $a = str_pad($string, 10, '-', STR_PAD_LEFT);     // $a is "----------Goodbye, Perl!"     $b = str_pad($string, 10, '-', STR_PAD_RIGHT);     // $b is "Goodbye, Perl!----------",     $c = str_pad($string, 10, '-', STR_PAD_BOTH);     // $c is "-----Goodbye, Perl!-----"

Note that HTML only allows a maximum of one space at any time. If you want to pad more, you will need to use &nbsp; the HTML code for a non-breaking space.

     mixed str_replace ( mixed needle, mixed replace, mixed haystack [, int     &count] )

The str_replace( ) function replaces parts of a string with new parts you specify and takes a minimum of three parameters: what to look for, what to replace it with, and the string to work with. It also has an optional fourth parameter, which will be filled with the number of replacements made, if you provide it. Here are examples:

     $string = "An infinite number of monkeys";     $newstring = str_replace("monkeys", "giraffes", $string);     print $newstring;

With that code, $newstring will be printed out as "An infinite number of giraffes". Now consider this piece of code:

     $string = "An infinite number of monkeys";     $newstring = str_replace("Monkeys", "giraffes", $string);     print $newstring;

This time, $newstring will not be "An infinite number of giraffes", as you might have expected. Instead, it will remain "An infinite number of monkeys", because the first parameter to str_replace( ) is Monkeys rather than "monkeys", and the function is case- sensitive.

There are two ways to fix the problem: either change the first letter of "Monkeys" to a lowercase M, or, if you're not sure which case you will find, you can switch to the case-insensitive version of str_replace( ): str_ireplace( ).

     $string = "An infinite number of monkeys";     $newstring = str_ireplace("Monkeys", "giraffes", $string);     print $newstring;

When used, the fourth parameter is passed by reference, and PHP will set it to be the number of times your string was found and replaced:

     $string = "He had had to have had it.";     $newstring = str_replace("had", "foo", $string, $count);     print "$count changes were made.\n";

The above code should output 3 in $count, as PHP will replace had with foo tHRee times.

     mixed str_word_count ( string str [, int count_type [, string char_list]] )

The str_word_count( ) function returns the number of words in a string. You can pass a second parameter to str_word_count( ) to make it do other things, but if you only pass the string parameter by itself, then it returns the number of unique words that were found in the string. If you pass 1 as the second parameter, it will return an array of the words found; passing 2 does the same, except the key of each word will be set to the position where that word was found inside the string.

Here are examples of the three options:

     $str = "This is a test, only a test, and nothing but a test.";     $a = str_word_count($str, 1);     $b = str_word_count($str, 2);     $c = str_word_count($str);     print_r($a);     print_r($b);     echo "There are $c words in the string\n";

That should output the following:

     Array ( [0] => This [1] => is [2] => a [3] => test [4]     => only [5] => a [6] => test [7] => and [8] =>     nothing [9] => but [10] => a [11] => test )     Array ( [0] => This [5] => is [8] => a [10] => test [16]     => only [21] => a [23] => test [29] => and [33] =>     nothing [41] => but [45] => a [47] => test )     There are 12 words in the string

In the first line, the array keys are irrelevant, but the array values are the list of the words foundnote that the comma and period are not in there, as they are not considered words. In the second line, the array keys mark where the first letter of the word in the value was found, thus "0" means "This" was found at the beginning of the string. The last line shows the default word-counting behavior of str_word_count( ).

     int strcasecmp ( string str1, string str2 )

This is a case-insensitive version of the strcmp( ) .

     $result = strcasecmp("Hello", "hello");

That will return 0, because PHP will ignore the case difference. Using strcmp( ) instead would have returned -1: "Hello" would come before "hello".

     int strcmp ( string str1, string str2 )

The strcmp( ) function, and its case-insensitive sibling, strcasecmp( ) , is a quick way of comparing two words and telling whether they are equal, or whether one comes before the other. It takes two words for its two parameters, and returns -1 if word one comes alphabetically before word two, 1 if word one comes alphabetically after word two, or 0 if word one and word two are the same.

     $string1 = "foo";     $string2 = "bar";     $result = strcmp($string1, $string2);     switch ($result) {             case -1: print "Foo comes before bar"; break;             case 0: print "Foo and bar are the same"; break;             case 1: print "Foo comes after bar"; break;     }

It is not necessary for us to see that "foo" comes after "bar" in the alphabet, because we already know it does; however, you would not bother running strcmp( ) if you already knew the contents of the stringsit is most useful when you get unknown input and you want to sort it.

If the only difference between your strings is the capitalization of letters, you should know that capital letters come before their lowercase equivalents. For example, "PHP" will come before "php."

     string strip_tags ( string html_text [, string allowed_tags] )

You can strip HTML and PHP tags from a string using strip_tags( ). Parameter one is the string you want stripped, and parameter two lets you specify a list of HTML tags you want to keep.

This function can be very helpful if you display user input on your site. For example, if you create your own message board forum on your site, a user could post a title along the lines of: <H1>THIS SITE SUCKS!</H1>, which, because you would display the titles of each post on your board, would display their unwanted message in huge letters on your visitors' screens.

Here are two examples of stripping out tags:

     $input = "<blink><strong>Hello!</strong></blink>";     $a = strip_tags($input);     $b = strip_tags($input, "<strong><em>");

After running that script, $a will be set to "Hello!", whereas $b will be set to <strong>Hello!</strong> because we had <strong> in the list of acceptable tags. Using this method, you can eliminate most users from adversely changing the style of your site; however, it is still possible for users to cause trouble if you allow a list of certain HTML tags. For example, we could abuse the allow <strong> tag using CSS: <strong style="font: 72pt Times New Roman">THIS SITE SUCKS!</strong>, a situation shown in Figure 7-1.

Figure 7-1. Not what you want to seestrip_tags( ) gone wrong

If you allow <strong> tags, you allow all <strong> tags, regardless of whether they have any extra unwanted information in there, so it is best not to allow any tags at allnot <strong>, not <img>, etc.

This sort of attack is commonly referred to as Cross-Site Scripting (XSS), as it allows people to submit specially crafted input to your site to load their own content. For example, it's fairly easy for malicious users to make their username a piece of JavaScript that redirects visitors to a different site, passing along all their cookies from your site. Be careful: make sure to put strip_tags( ) to good use.

     string stripslashes ( string str )

The stripslashes( ) function is the opposite of addslashes( ): it removes one set of \-escapes from a string. For example:

     $string = "I'm a lumberjack and I'm okay!";     $a = addslashes($string);     // string is now "I\'m a lumberjack and I\'m okay!"     $b = stripslashes($a);     // string is now "I'm a lumberjack and I'm okay!"

     int strlen ( string str )

The strlen( ) function takes just one parameter (the string), and returns the number of characters in it:

     print strlen("Foo") . "\n"; // 3     print strlen("Goodbye, Perl!") . "\n"; // 14

Behind the scenes, strlen( ) actually counts the number of bytes in your string, as opposed to the number of characters. It is for this reason that multibyte strings should be measured with mb_strlen( ).

     int strpos ( string haystack, mixed needle [, int offset] )

The strpos( ) function, and its case-insensitive sibling, stripos( ), returns the index of the beginning of a substring's first occurrence within a string. This is easiest to understand in code:

     $string = "This is a strpos( ) test";     print strpos($string, "s") . "\n";

That will return 3, because the first lowercase S character in "This is a strpos( ) test" is at index 3. Remember that PHP considers the first letter of a string to be index 0, which means that the S strpos( ) found is actually the fourth character.

You can specify whole words in parameter two, which will make strpos( ) return the first position of that word within the string. For example, strpos($string, "test") would return 19the index of the first letter in the matched word.

You should be aware that if the substring sent in parameter two is not found in parameter one, strpos( ) will return false (as opposed to -1). This is very important, as shown in this script:

     $string = "This is a strpos( ) test";     $pos = strpos($string, "This");     if ($pos =  = false) {             print "Not found\n";     } else {             print "Found!\n";     }

That will output "Not found", despite "This" quite clearly being in $string. This time, the problem is that "This" is the first thing in $string, which means that strpos( ) will return 0. However, PHP considers 0 to be the same value as false, which means that our if statement cannot tell the difference between "Substring not found" and "Substring found at index 0."

If we change our if statement to use === rather than ==, PHP will check the value of 0 and false and find they match (both false), then check the types of 0 and false, and find that they do not matchthe former is an integer, and the latter is a boolean. So, the corrected version of the script is this:

     $string = "This is a strpos( ) test";     $pos = strpos($string, "This");     if ($pos =  == false) {             print "Not found\n";     } else {             print "Found!\n";     }

There is a third parameter to strpos( ) that allows us to specify where to start searching from. For example:

     $string = "This is a strpos( ) test";     $pos = strpos($string, "i", 3);     if ($pos =  == false) {             print "Not found\n";     } else {             print "Found at $pos!\n";     } 

Using 3 as the third parameter forces strpos( ) to start its search after the "i" of "This", meaning that the first match is the "i" of "is". Therefore, it returns the value 5.

     string strstr ( string haystack, string needle )

The strstr( ) function and its case-insensitive cousin, stristr( ), is a nice and easy function that finds the first occurrence of a substring (parameter two) inside another string (parameter one), and returns all characters from the first occurrence to the end of the string. This next example will match the "www" part of the URL http://www.example.com/mypage.php, then return everything from the "www" until the end of the string:

     $string = "http://www.example.com/mypage.php";     $newstring = strstr($string, "www");

     string strtolower ( string str )

The strtolower( ) function takes one string parameter and returns that string entirely in lowercase characters.

     $string = "I like to program in PHP";     $a = strtolower($string);

In that example, $a will be set to "i like to program in php".

     int strtotime ( string time [, int now] )

The strtotime( ) function converts strings to a timestamp and takes two parameters: the string time to convert, and a second optional parameter that can be a relative timestamp. Parameter one is important; we will come back to parameter two shortly. Consider this script:

     print strtotime("22nd December 1979");     print strtotime("22 Dec. 1979 17:30");     print strtotime("1979/12/22");

Here, there are three ways of representing the same date with the second also including a time. If you run that script, you will see PHP output an integer for each one, with the first and third being the same, and the second one being slightly higher. These numbers are the Unix timestamps for the dates we passed into strtotime( ), so it successfully managed to convert them.

You must use American-style dates (i.e., month, day, year) with strtotime( ); if it finds a date like 10/11/2003, it will consider it to be October 11th as opposed to November 10th.

If PHP is unable to convert your string into a timestamp, it will return -1. This next example tests whether date conversion worked or not:

     $mydate = strtotime("Christmas 1979");     if ($mydate == -1) {             print "Date conversion failed!";     } else {             print "Date conversion succeeded!";     }

The strtotime( ) function has an optional second parameter, which is a timestamp to use for relative dates. This is because the date string in the first parameter to strtotime( ) can include relative dates such as "Next Sunday," "2 days," or "1 year ago." In this situation, PHP needs to know what these relative times are based on, and this is where the second parameter comes inyou can provide any timestamp you want, and PHP will calculate "Next Sunday" from that timestamp. If no parameter is provided, PHP assumes you are referring to the current time.

For example, this next line of code will print the timestamp for the next Sunday (that is, not the upcoming Sunday, but the one after):

     print strtotime("Next Sunday");

You can pass in custom timestamps with your relative dates. For instance, this next line uses time( ) minus two days as its second parameter, and "2 days" for its first parameter, which means it returns the current timestamp:

     print strtotime("2 days", time( ) - (86400 * 2));

This final example subtracts a year from a given timestamp, and works as expected:

     print strtotime("1 year ago", 123456789);

Converting textual dates to usable dates is not always easy, and you should experiment with various dates to see what you can get to work and what you cannot.

Be wary of dates such as this one: August 25, 2003, 10:26 a.m. Although this may look well formed, strtotime( ) is not able to handle it because it has commas. If you have dates with commas in them, be sure to strip them out using the str_replace( ) function, covered earlier in this chapter.

     string strtoupper ( string str )

The strtoupper( ) function takes one string parameter and returns that string entirely in uppercase characters.

     $string = "I like to program in PHP";     $a = strtoupper($string);

In that example, $a will be set to "I LIKE TO PROGRAM IN PHP".

     string substr ( string str, int start_pos [, int length] )

The substr( ) function allows you to read just part of a string and takes a minimum of two parameters: the string to work with, and where you want to start reading from. There is an optional third parameter to specify how many characters you want to read. Here are some examples of basic usage:

     $message = "Goodbye, Perl!";     $a = substr($message, 1);     // $a contains "oodbye, Perl!" - strings and arrays start at 0     // rather than 1, so it copied from the second character onwards.     $b = substr($message, 0);     // $b contains the full string because we started at index 0     $c = substr($message, 5);     // $c copies from index 5 (the sixth character),     // and so will be set to "ye, Perl!"     $d = substr($message, 50);     // $d starts from index 50, which clearly does not exist.     // PHP will return an empty string rather than an error.     $e = substr($message, 5, 4);     // $e uses the third parameter, starting from index five     // and copying four characters. $e will be set to "ye, ",     // a four-letter word with a space at the end.     $f = substr($message, 10, 1);     // $f has 1 character being copied from index 10, which gives "e"

You can specify a negative number as parameter three for the length, and PHP will consider that number the amount of characters you wish to omit from the end of the string, as opposed to the number of characters you wish to copy:

     $string = "Goodbye, Perl!";     $a = substr($string, 5, 5);     // copies five characters from index five onwards, giving "ye, P"     $b = substr($string, 5, -1);     // copies five characters from the end, except the last character,     // so $b is set to "ye, Perl",     $c = substr($string, 0, -7);     // $c is set to "Goodbye"

Using negative lengths allows you to say "copy everything but the last three characters," for example.

You can also use a negative start index, in which case, you start copying start characters from the end. You can even use a negative length with your negative start index, like this:

     $string = "Goodbye, Perl!"     $a = substr($string, 5);     // copy from character five until the end     $b = substr($string, 5, 5);     // copy five characters from character five     $c = substr($string, 0, -1);     // copy all but the last character     $d = substr($string, -5);     // $d is "Perl!", because PHP starts 5 characters from the end, then copies     from there to the end     $e = substr($string, -5, 4);     // this uses a negative start and a positive length; PHP starts five     characters from the end of the string ("P"), then copies four characters, so     $e will be set to "Perl"     $f = substr($string, -5, -4);     // start five characters from the end, and copy everything but the last four     characters, so $f is "P"

     float tan ( float num )

Calculates the tangent value of the number provided as its only parameter. The parameter should be passed as radiansyou should use deg2rad( ) to convert degrees to radians.

     $tan1 = tan(10);     $tan2 = tan(deg2rad(80));

     int time ( void )

PHP represents time as the number of seconds that have passed since January 1st 1970 00:00:00 GMT, a date known as the start of the Unix epoch; hence, this date format is known as epoch time or a Unix timestamp. This might be a peculiar way to store dates, but it works wellinternally, you can store any date since 1970 as an integer, and convert to a human-readable string wherever necessary.

The basic function to get the current time in epoch format is time( ). This takes no parameters and returns the current timestamp representing the current time on the server. Here is an example script:

     print time( );     $CurrentTime = time( );     print $CurrentTime;

As you can see, we can either print the return value of time( ) directly, or we can store it away in a variable and then print the contents of the variablethe result is identical.

Working in Unix time means you are not tied down to any specific formatting, which means you need not worry about whether your date has months before days (or vice versa), whether long months are used, whether day numbers or day words (Saturday, Tuesday, etc.) are used, and so on. Furthermore, to add one to a day (to get tomorrow's date), you can just add one day's worth of seconds to your current timestamp: 60x60x24 = 86400.

For more precise time values, use the microtime( ) function.

     string trim ( string str [, string trim_chars] )

You can use the trim( ) function to strip spaces, new lines, and tabs (collectively called whitespace) from either side of a string variable. That is, if you have the string " This is a test " and pass it to trim( ) as its first parameter, it will return the string "This is a test"the same thing, but with the surrounding spaces removed.

You can pass an optional second parameter to trim( ) if you want, which should be a string specifying the individual characters you want it to trim( ). For example, if we were to pass to trim the second parameter " tes" (that starts with a space), it would output "This is a"the test would be trimmed, as well as the spaces. As you can see, trim( ) is again case-sensitivethe T in "This" is left untouched.

There are two minor variants to trim( )ltrim( ) and rtrim( )which do the same thing, but only trim from the left and right respectively.

Here are examples:

     $a = trim(" testing ");     // $a is "testing"     $b = trim(" testing ", " teng");     // $b is is "sti"

     string ucfirst ( string str )

The ucfirst( ) function takes one string parameter and converts the first letter of the string to an uppercase character, leaving the others untouched.

     $string = "i like to program in PHP";     $a = strtoupper($string);

In that example, $a will be set to "I like to program in PHP".

     string ucwords ( string str )

The ucwords( ) function takes one string parameter and converts the first letter of each word in the string to an uppercase character, leaving the others untouched.

     $string = "i like to program in PHP";     $a = strtoupper($string);

In that example, $a will be set to "I Like To Program In PHP".

     void unset ( mixed var [, mixed var [, mixed ...]] )

The unset( ) function deletes a variable so that isset( ) will return false. Once deleted, you can recreate a variable later on in a script.

     $name = "Paul";     if (isset($name)) print "Name is set\n";     unset($name);     if (isset($name)) print "Name is still set\n";

That would print out "Name is set", but not "Name is still set", because calling unset( ) has deleted the $name variable.

     void usleep ( int microseconds )

The usleep( ) is similar to the sleep( ), which pauses script execution, except that it uses microseconds (millionths of a second) for its sleep time rather than seconds. It is so named because "u" is similar in style to the Greek character Mu that is associated with "micro." It takes the amount of time to pause execution as its only parameter.

     usleep(4000000);     echo "Done\n";

The maximum script execution time is 30 seconds by default (although you may have changed this by altering the max_execution_time setting inside php.ini), but you can use usleep( ) to make your scripts go on for longer than that because PHP does not have control during the sleep operation.

The use of usleep( ) is not advised if you want backward compatibility, because it wasn't available on Windows prior to PHP 5.

     bool virtual ( string filename )

The virtual( ) function performs a virtual request to the local Apache web server for a file, almost as if your script were a client itself. This request is processed and its output is sent back to your script. Note that you must be running Apache as the web serverthis function does not work on other servers.

Using this method you can, for example, execute a Perl script from your PHP script or, for real weirdness, execute another PHP script from your PHP script. Although, for that purpose, you should probably use include( ) or require( ).

     // run a page counter Perl script     virtual("counter.pl");

     string wordwrap ( string str [, int line_length     [, string break_char [, bool cut]]] )

Although web pages wrap text automatically, there are two situations when you might want to wrap text yourself:

• When printing to a console as opposed to a web page, text does not wrap automatically. Therefore, unless you want your users to scroll around, it is best to wrap text for them.

• When printing to a web page that has been designed to exactly accommodate a certain width of text, allowing browsers to wrap text whenever they want will lead to the design getting warped.

In either of these situations, the wordwrap( ) function comes to your aid. If you pass a sentence of text into wordwrap( ) with no other parameters, it will return that same string wrapped at the 75-character mark using "\n" for new lines. However, you can pass both the size and new line marker as parameters two and three if you want to, like this:

     $text = "Word wrap will split this text up into smaller lines, which makes     for easier reading and neater layout.";     $text = wordwrap($text, 20, "<br />");     print $text;

Running that script will give you the following output:

     Word wrap will split<br />this text up into<br />smaller lines, which<br />     makes for easier<br />reading and neater<br />layout.

As you can see, wordwrap( ) has used <br />, a HTML new line marker, and split up words at the 20-character mark. Note that wordwrap( ) always pessimistically wraps wordsthat is, if you set the second parameter to 20, wordwrap( ) will always wrap when it hits 20 characters or undernot 21, 22, etc. The only exception to this is if you have words that are individually longer than 20 characterswordwrap( ) will not break up a word, so it may return larger chunks than the limit you set.

If you really want your limit to be a hard maximum, you can supply 1 as a fourth parameter, which enables "cut" modewords over the limit will be cut up if this is enabled. Here is an example of cut mode in action:

     $text = "Micro-organism is a very long word.";     $text = wordwrap($text, 6, "\n", 1);     print $text;

That will output the following:

     Micro-     organi     sm is     a very     long     word.