What is a PHP file?
PHP (PHP: Hypertext Preprocessor — a recursive acronym) files contain server-side scripting code executed by a web server to generate dynamic HTML. Originally created by Rasmus Lerdorf in 1994 as simple CGI scripts for his personal website, PHP grew into one of the most widely deployed server-side languages in the world. Approximately 77% of all websites with a known server-side language use PHP — including WordPress, which alone powers over 43% of the web.
PHP code executes on the server (not in the browser), and the client receives only the resulting HTML. A .php file can contain HTML, CSS, JavaScript, and PHP code mixed together, though modern PHP applications separate these concerns through templating engines and MVC frameworks.
How to open PHP files
- VS Code (Windows, macOS, Linux) — With PHP Intelephense or PHP Tools extension
- PhpStorm (Windows, macOS, Linux) — The most feature-complete PHP IDE (JetBrains)
- PHP interpreter — `php script.php` to execute from the command line
- XAMPP / WAMP / Laragon — Local development servers for running PHP
- Any text editor — PHP files are plain UTF-8 text
Technical specifications
| Property | Value |
|---|---|
| Typing | Dynamic with optional strict types (PHP 7+) |
| Paradigm | Multi-paradigm (OOP, procedural, functional) |
| Engine | Zend Engine |
| Package manager | Composer (Packagist registry) |
| Current version | PHP 8.3+ |
| Execution | Server-side, interpreted (JIT in PHP 8+) |
| Config | php.ini controls runtime behavior |
Common use cases
- CMS platforms: WordPress, Drupal, Joomla — all PHP-based
- Web frameworks: Laravel (most popular), Symfony, CodeIgniter, Slim
- E-commerce: WooCommerce, Magento, PrestaShop
- API development: RESTful backends with Laravel or Slim
- Legacy systems: Large amounts of enterprise PHP code from the 2000s still run today
PHP code example
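```php
<?php
declare(strict_types=1);

class UserRepository
{
    public function __construct(private PDO $db) {}

    public function findByEmail(string $email): ?array
    {
        // The placeholder keeps $email out of the SQL text (no injection).
        $stmt = $this->db->prepare(
            'SELECT id, name, email FROM users WHERE email = ?'
        );
        $stmt->execute([$email]);

        // fetch() returns false when no row matches; normalise that to null.
        return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    }
}

// Usage (in-memory SQLite database with one constructed sample row)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES ('Alice', 'alice@example.com')");

$repo = new UserRepository($db);
$user = $repo->findByEmail('alice@example.com');
echo $user ? "Found: {$user['name']}" : "Not found";
```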
Modern PHP (8.x features)
PHP 8 introduced significant improvements that bring it closer to modern language standards:
- Named arguments: `array_slice(array: $a, offset: 1, length: 3)`
- Match expressions: Type-safe `switch` replacement
- Nullsafe operator: `$user?->address?->city`
- Union types: `function foo(int|string $value): void`
- Fibers: Cooperative multitasking (async primitives)
- JIT compiler: Just-in-time compilation for CPU-intensive tasks
- Readonly properties: `public readonly string $name`
- Enums: `enum Status { case Active; case Inactive; }`
Security considerations
PHP’s history includes common vulnerabilities that modern code must avoid:
- SQL injection: Always use PDO prepared statements or an ORM — never concatenate user input into SQL queries
- XSS: Use `htmlspecialchars($output, ENT_QUOTES, 'UTF-8')` before echoing user content into HTML
- File inclusion: Never use user input in `include`/`require` paths (`include $_GET['page']` is catastrophic)
- Password hashing: Use `password_hash($password, PASSWORD_BCRYPT)` — never MD5 or SHA1
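The XSS, file-inclusion, and password-hashing points above, shown together as an added example that is not code from the original page. The `PAGES` allowlist, the `resolvePage()` and `e()` helpers, the `templates` directory, the cost-12 policy, and all sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request value => template file name.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/** Map a user-supplied page name to a template path; null means "not found". */
function resolvePage(string $requested, string $baseDir): ?string
{
    // The user value is only used as a lookup key, never concatenated into a path.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . PAGES[$requested];
}

/** Escape a value before echoing it into HTML text or a quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['page'].
foreach (['home', '../../config/secrets', '<b>contact</b>'] as $page) {
    $path = resolvePage($page, __DIR__ . '/templates');
    $action = $path === null ? 'rejected, respond 404' : 'would include ' . $path;
    echo '<li>', e($page), ': ', e($action), '</li>', PHP_EOL;
}

// Store only the hash; password_verify() reads the salt and cost embedded in $hash.
$hash = password_hash('constructed-sample-password', PASSWORD_BCRYPT);
foreach (['constructed-sample-password', 'wrong-guess'] as $attempt) {
    echo password_verify($attempt, $hash) ? 'login ok' : 'login refused', PHP_EOL;
}

// Upgrade stored hashes when the configured cost changes (cost 12 is an assumed policy).
if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12])) {
    $hash = password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => 12]);
}
```

In a real login flow the rehash step runs only after `password_verify()` succeeds, since that is the one moment the plaintext password is available.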
Composer and the PHP ecosystem
```shell
composer init                        # Create composer.json
composer require laravel/framework   # Install package
composer install                     # Install from composer.lock
composer update                      # Update dependencies
composer dump-autoload               # Regenerate class autoloader
```
Composer handles dependency management and PSR-4 autoloading. The Packagist repository hosts over 350,000 packages. Nearly all modern PHP projects use Composer.