Problem

You want to identify whether a string contains a specific substring. For example, you want to know if a URL contains the text /secret/.

Solution

Use strpos():

if (strpos($url, '/secret/') !== false) {
    // A secret fragment was detected, run additional logic
    // ...
}

Discussion

PHP’s strpos() function will scan through a given string and identify the starting position of the first occurrence of a given substring. This function literally looks for a needle in a haystack, as the function’s arguments are named $haystack and $needle, respectively. If the substring ($needle) is not found, the function returns a Boolean false.

It’s important in this case to use strict equality comparison, as strpos() will return 0 if the substring appears at the very beginning of the string being searched. Remember from Recipe 2.3 that comparing values with only two equals signs will attempt to recast the types, converting an integer 0 into a Boolean false; always use strict comparison operators (either === for equality or !== for inequality) to avoid confusion.

If the $needle appears multiple times within a string, strpos() only returns the position of the first occurrence. You can search for additional occurrences by adding an optional position offset as a third parameter to the function call, as in Example 4-5. Defining an offset also allows you to search the latter part of a string for a substring that you know already appears earlier in the string.

function count_occurrences($haystack, $needle)
{
    $occurrences = 0;
    $offset = 0;
    $pos = 0; 

    do {
        $pos = strpos($haystack, $needle, $offset);

        if ($pos !== false) { 
            $occurrences += 1;
            $offset = $pos + 1; 
        }
    } while ($pos !== false); 

    return $occurrences;
}

$str = 'How much wood would a woodchuck chuck if a woodchuck could chuck wood?';

print count_occurrences($str, 'wood'); // 4
print count_occurrences($str, 'nutria'); // 0

See Also

PHP documentation on strpos().

Problem

You want to extract a small string from a much larger string—for example, the domain name from an email address.

Solution

Use substr() to select the part of the string you want to extract:

$string = 'eric.mann@cookbook.php';
$start = strpos($string, '@');

$domain = substr($string, $start + 1);

Discussion

PHP’s substr() function returns the portion of a given string, based on an initial offset (the second parameter) up to an optional length. The full function signature is as follows:

function substr(string $string, int $offset, ?int $length = null): string

If the $length parameter is omitted, substr() will return the entire remainder of the string. If the $offset parameter is greater than the length of the input string, an empty string is returned.

You can also specify a negative offset to return a subset starting from the end of the string instead of the beginning, as in Example 4-6.

$substring = substr('phpcookbook', -3); 
$substring = substr('phpcookbook', -2); 
$substring = substr('phpcookbook', -8, 4); 

You should be aware of some other edge cases regarding offsets and string lengths with substr(). It is possible for the offset to legitimately start within the string, but for $length to run past the end of the string. PHP catches this discrepancy and merely returns the remainder of the original string, even if the final return is less than the specified length. Example 4-7 details some potential outputs of substr() based on various specified lengths.

$substring = substr('Four score and twenty', 11, 3); 
$substring = substr('Four score and twenty', 99, 3); 
$substring = substr('Four score and twenty', 20, 3); 

Another edge case is a negative $length supplied to the function. When requesting a substring with a negative length, PHP will remove that many characters from the substring it returns, as illustrated in Example 4-8.

$substring = substr('Four score and twenty', 5); 
$substring = substr('Four score and twenty', 5, -11); 

See Also

PHP documentation for substr() and for strpos().

Problem

You want to replace just one part of a string with another string. For example, you want to obfuscate all but the last four digits of a phone number before printing it to the screen.

Solution

Use substr_replace() to replace a component of an existing string based on its position:

$string = '555-123-4567';
$replace = 'xxx-xxx'

$obfuscated = substr_replace($string, $replace, 0, strlen($replace));
// xxx-xxx-4567

Discussion

PHP’s substr_replace() function operates on a part of a string, similar to substr(), defined by an integer offset up to a specific length. Example 4-9 shows the full function signature.

function substr_replace(
    array|string $string,
    array|string $replace,
    array|int $offset,
    array|int|null $length = null
): string

Unlike its substr() analog, substr_replace() can operate either on individual strings or on collections of strings. If an array of strings is passed in with scalar values for $replace and $offset, the function will run the replacement on each string, as in Example 4-10.

$phones = [
    '555-555-5555',
    '555-123-1234',
    '555-991-9955'
];

$obfuscated = substr_replace($phones, 'xxx-xxx', 0, 7);

// xxx-xxx-5555
// xxx-xxx-1234
// xxx-xxx-9955

In general, developers have a lot of flexibility with the parameters in this function. Similar to substr(), the following are true:

• $offset can be negative, in which case replacements begin that number of characters from the end of the string.

• $length can be negative, representing the number of characters from the end of the string at which to stop replacing.

• If $length is null, it will internally become the same as the length of the input string itself.

• If length is 0, $replace will be inserted into the string at the given $offset, and no replacement will take place at all.

Finally, if $string is provided as an array, all other parameters can be provided as arrays as well. Each element will represent a setting for the string in the same position in $string, as illustrated by Example 4-11.

$phones = [
    '555-555-5555',
    '555-123-1234',
    '555-991-9955'
];

$offsets = [0, 0, 4];

$replace = [
    'xxx-xxx',
    'xxx-xxx',
    'xxx-xxxx'
];

$lengths = [7, 7, 8];

$obfuscated = substr_replace($phones, $replace, $offsets, $lengths);

// xxx-xxx-5555
// xxx-xxx-1234
// 555-xxx-xxxx

The substr_replace() function is convenient if you know exactly where you need to replace characters within a string. In some situations, you might not know the position of a substring that needs to be replaced, but you want to instead replace occurrences of a specific substring. In those circumstances, you would want to use either str_replace() or str_ireplace().

These two functions will search a specified string to find an occurrence (or many occurrences) of a specified substring and replace it with something else. The functions are identical in their call pattern, but the extra i in str_ireplace() indicates that it searches for a pattern in a case-insensitive fashion. Example 4-12 illustrates both functions in use.

$string = 'How much wood could a Woodchuck chuck if a woodchuck could chuck wood?';

$beaver = str_replace('woodchuck', 'beaver', $string); 
$ibeaver = str_ireplace('woodchuck', 'beaver', $string); 

Both str_replace() and str_ireplace() accept an optional $count parameter that is passed by reference. If specified, this variable will be updated with the number of replacements the function performed. In Example 4-12, this return value would have been 1 and 2, respectively, because of the capitalization of Woodchuck.

See Also

PHP documentation on substr_replace(), str_replace(), and str_ireplace().

Problem

You need to process a string of single-byte characters from beginning to end, one character at a time.

Solution

Loop through each character of the string as if it were an array. Example 4-13 will count the number of capital letters in a string.

$capitals = 0;

$string = 'The Carriage held but just Ourselves - And Immortality';
for ($i = 0; $i < strlen($string); $i++) {
    if (ctype_upper($string[$i])) {
        $capitals += 1;
    }
}

// $capitals = 5

Discussion

Strings are not arrays in PHP, so you cannot loop over them directly. However, they do provide array-like access to individual characters within the string based on their position. You can reference individual characters by their integer offset (starting with 0), or even by a negative offset to start at the end of the string.

Array-like access isn’t read-only, though. You can just as easily replace a single character in a string based on its position, as demonstrated by Example 4-14.

$string = 'A new recipe made my coffee stronger this morning';
$string[31] = 'a';

// A new recipe made my coffee stranger this morning

It is also possible to convert a string directly to an array by using str_split() and then iterate over all items in the resulting array. This will work as an update to the Solution example, as illustrated in Example 4-15.

$capitals = 0;

$string = 'The Carriage held but just Ourselves - And Immortality';
$stringArray = str_split($string);
foreach ($stringArray as $char) {
    if (ctype_upper($char)) {
        $capitals += 1;
    }
}

// $capitals = 5

The downside of Example 4-15 is that PHP now has to maintain two copies of your data: the original string and the resultant array. This isn’t a problem when handling small strings as in the example; if your strings instead represent entire files on disk, you will rapidly exhaust the memory available to PHP.

PHP makes accessing individual bytes (characters) within a string relatively easy without any changes in data type. Splitting a string into an array works but might be unnecessary unless you actually need an array of characters. Example 4-16 reimagines Example 4-15, using an array reduction technique rather than counting the capital letters in a string directly.

$str = 'The Carriage held but just Ourselves - And Immortality';

$caps = array_reduce(str_split($str), fn($c, $i) => ctype_upper($i) ? $c+1: $c, 0);

The simplified reduction introduced in Example 4-16 is functionally accurate but still requires splitting the string into an array. It saves on lines of code in your program but still results in creating a second copy of your data. As mentioned before, if the strings over which you’re iterating are large (e.g., massive binary files), this will rapidly consume the memory available to PHP.

See Also

PHP documentation on string access and modification, as well as documentation on ctype_upper().

Problem

You want to generate a string of random characters.

Solution

Use PHP’s native random_int() function:

function random_string($length = 16)
{
    $characters = '0123456789abcdefghijklmnopqrstuvwxyz';

    $string = '';
    while (strlen($string) < $length) {
        $string .= $characters[random_int(0, strlen($characters) - 1)];
    }
    return $string;
}

Discussion

PHP has strong, cryptographically secure pseudorandom generator functions for both integers and bytes. It does not have a native function that generates random human-readable text, but the underlying functions can be used to create such a string of random text by leveraging lists of human-readable characters, as illustrated by the Solution example.

A valid and potentially simpler method for producing random strings is to leverage PHP’s random_bytes() function and encode the binary output as ASCII text. Example 4-17 illustrates two possible methods of using random bytes as a string.

$string = random_bytes(16); 

$hex = bin2hex($string); 
$base64 = base64_encode($string); 

See Also

PHP documentation on random_int() and on random_bytes(). Also Recipe 5.4 on generating random numbers.

Problem

You want to include dynamic content in an otherwise static string.

Solution

Use double quotes to wrap the string and insert a variable, object property, or even function/method call directly in the string itself:

echo "There are {$_POST['cats']} cats and {$_POST['dogs']} outside.";
echo "Your username is {strlen($username)} characters long.";
echo "The car is painted {$car->color}.";

Discussion

Unlike single-quoted strings, double-quoted strings allow for complex, dynamic values as literals. Any word starting with a $ character is interpreted as a variable name, unless that leading character is properly escaped.²

While the Solution example wraps dynamic content in curly braces, this is not a requirement in PHP. Simple variables can easily be written as is within a double-quoted string and will be interpolated properly. However, more complex sequences become difficult to read without the braces. It’s a highly recommended best practice to always enclose any value you want interpolated to make the string more readable.

Unfortunately, string interpolation has its limits. The Solution example illustrates pulling data out of the superglobal $_POST array and inserting it directly into a string. This is potentially dangerous, as that content is generated directly by the user, and the string could be leveraged in a sensitive way. In fact, string interpolation like this is one of the largest vectors for injection attacks against applications.

To protect your string use against potentially malicious user-generated input, it’s a good idea to instead use a format string via PHP’s sprintf() function to filter the content. Example 4-18 rewrites part of the Solution example to protect against malicious $_POST data.

echo sprintf('There are %d cats and %d dogs.', $_POST['cats'], $_POST['dogs']);

Format strings are a basic form of input sanitization in PHP. In Example 4-18, you are explicitly assuming that the supplied $_POST data is numeric. The %d tokens within the format string will be replaced by the user-supplied data, but PHP will explicitly cast this data as integers during the replacement.

If, for example, this string were being inserted into a database, the formatting would protect against the potential of injection attacks against SQL interfaces. More complete methods of filtering and sanitizing user input are discussed in Chapter 9.

See Also

PHP documentation on variable parsing in double quotes and Heredoc as well as documentation on the sprintf() function.

Problem

You need to create a new string from two smaller strings.

Solution

Use PHP’s string concatenation operator:

$first = 'To be or not to be';
$second = 'That is the question';

$line = $first . ' ' . $second;

Discussion

PHP uses a single . character to join two strings together. This operator will also leverage type coercion to ensure that both values in the operation are strings before they’re concatenated, as shown in Example 4-19.

print 'String ' . 2; 
print 2 . ' number'; 
print 'Boolean ' . true; 
print 2 . 3; 

The string concatenation operator is a quick way to combine simple strings, but it can become somewhat verbose if you use it to combine multiple strings with whitespace. Consider Example 4-20, where you try to combine a list of words into a string, each separated by a space.

$words = [
    'Whose',
    'woods',
    'these',
    'are',
    'I',
    'think',
    'I',
    'know'
];

$option1 = $words[0] . ' ' . $words[1] . ' ' . $words[2] . ' ' . $words[3] .
         ' ' . $words[4] . ' ' . $words[5] . ' ' . $words[6] .
         ' ' . $words[7]; 

$option2 = '';
foreach ($words as $word) {
    $option2 .= ' ' . $word; 
}
$option2 = ltrim($option2); 

Large, repetitive concatenation routines can be replaced by native PHP functions like implode(). This function in particular accepts an array of data to be joined and a definition of the character (or characters) to be used between data elements. It returns the final, concatenated string.

Rewriting Example 4-20 to use implode() makes the entire operation much simpler, as demonstrated by Example 4-21.

$words = [
    'Whose',
    'woods',
    'these',
    'are',
    'I',
    'think',
    'I',
    'know'
];

$string = implode(' ', $words);

Take care to remember the parameter order for implode(). The string separator comes first, followed by the array over which you want to iterate. Earlier versions of PHP (prior to version 8.0) allowed the parameters to be specified in the opposite order. This behavior (specifying the array first and the separator second) was deprecated in PHP 7.4. As of PHP 8.0, this will throw a TypeError.

If you’re using a library written prior to PHP 8.0, be sure you test that it’s not misusing either implode() or join() before you ship your project to production.

See Also

PHP documentation on implode().

Problem

You want to encode data directly as binary rather than as an ASCII-formatted representation, or you want to read data into your application that was explicitly encoded as binary data.

Solution

Use unpack() to extract binary data from a string:

$unpacked = unpack('S1', 'Hi'); // [1 => 26952]

Use pack() to write binary data to a string:

$packed = pack('S13', 72, 101, 108, 108, 111, 44, 32, 119, 111,
               114, 108, 100, 33); // 'Hello, world!'

Discussion

Both pack() and unpack() empower you to operate on raw binary strings, assuming you know the format of the binary string you’re working with. The first parameter of each function is a format specification. This specification is determined by specific format codes, as defined in Table 4-2.

When defining a format string, you can specify each byte type individually or leverage an optional repeating character. In the Solution examples, the number of bytes is explicitly specified with an integer. You could just as easily use an asterisk (*) to specify that a type of byte repeats through the end of the string as follows:

$unpacked = unpack('S*', 'Hi'); // [1 => 26952]
$packed = pack('S*', 72, 101, 108, 108, 111, 44, 32, 119, 111,
               114, 108, 100, 33); // 'Hello, world!'

PHP’s ability to convert between byte encoding types via unpack() also provides a simple method of converting ASCII characters to and from their binary equivalent. The ord() function will return the value of a specific character, but it requires looping over each character in a string if you want to unpack each in turn, as demonstrated in Example 4-22.

$ascii = 'PHP Cookbook';

$chars = [];
for ($i = 0; $i < strlen($ascii); $i++) {
    $chars[] = ord($ascii[$i]);
}

var_dump($chars);

Thanks to unpack(), you don’t need to explicitly iterate over the characters in a string. The c format character references a signed character, and C a signed one. Rather than building a loop, you can leverage unpack() directly as follows to get an equivalent result:

$ascii = 'PHP Cookbook';
$chars = unpack('C*', $ascii);

var_dump($chars);

Both the preceding unpack() example and the original loop implementation in Example 4-22 produce the following array:

array(12) {
  [1]=>
  int(80)
  [2]=>
  int(72)
  [3]=>
  int(80)
  [4]=>
  int(32)
  [5]=>
  int(67)
  [6]=>
  int(111)
  [7]=>
  int(111)
  [8]=>
  int(107)
  [9]=>
  int(98)
  [10]=>
  int(111)
  [11]=>
  int(111)
  [12]=>
  int(107)
}

See Also

PHP documentation on pack() and unpack().