10 Must Ask PHP Interview Questions For Hiring Managers

echo “Hello, World!”;

?>

$servername = “localhost”;

$username = “username”;

$password = “password”;

$dbname = “myDB”;

// Create connection

$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection

if ($conn->connect_error) {

  die(“Connection failed: ” . $conn->connect_error);

}

echo “Connected successfully”;

?>

• 0 <= count(array1), count(array2) <= 1000
• Each integer in the arrays will be in the range of [-1000, 1000].

array2 = [4, 6, 5];

    $resultArray = array_merge($array1, $array2);

    for ($i = 0; $i < count($resultArray); $i++) {

        for ($j = 0; $j < count($resultArray) – $i – 1; $j++) {

            if ($resultArray[$j] > $resultArray[$j + 1]) {

                $temp = $resultArray[$j];

                $resultArray[$j] = $resultArray[$j + 1];

                $resultArray[$j + 1] = $temp;

            }

        }

    }

    return $resultArray;

}

• Forgetting to handle the case when one of the arrays is empty.
• Incorrectly implementing the sorting algorithm, which could result in an unsorted or partially sorted array.
• Using PHP built-in sorting functions, which is against the task’s requirements.

• How would you optimize the sorting algorithm for better performance?
• Can you modify the function to handle arrays of strings or other types while maintaining the sort order?

1. operation (a string indicating the operation: “add”, “subtract”, “multiply”, or “divide”)
2. value1 (an integer or floating-point number)
3. value2 (an integer or floating-point number)

• The operation parameter will only be one of the following: “add“, “subtract“, “multiply“, or “divide“.
• value1 and value2 can be any integer or floating-point number.
• If the operation is “divide” and value2 is 0, return “Cannot divide by zero.”

value1 = 5;

value2 = 10;

    switch ($operation) {

        case “add”:

            return $value1 + $value2;

        case “subtract”:

            return $value1 – $value2;

        case “multiply”:

            return $value1 * $value2;

        case “divide”:

            if ($value2 == 0) {

                return “Cannot divide by zero.”;

            } else {

                return $value1 / $value2;

            }

        default:

            return “Invalid operation”;

    }

}

• Not handling the division by zero case could result in runtime errors.
• Incorrectly matching the operation strings (“add,” “subtract,” “multiply,” “divide”) leads to incorrect or no operations being performed.
• Returning the result as a string instead of a numeric value could cause type-related bugs in the calling code.

• How would you extend the function to support more complex operations or input formats, such as expressions in Reverse Polish Notation (RPN)?
• Can you implement error handling for unexpected input types, such as strings for value1 or value2?

• The input string may contain letters (both uppercase and lowercase), digits, and special characters.
• The function should validate the input to ensure it contains only letters and spaces before sanitization.

    // Validate the input

    if (!preg_match(“/^[a-zA-Z ]*$/”, $inputString)) {

        return “Invalid input”;

    }

    // Sanitize the input by removing digits and special characters

    $sanitizedInput = preg_replace(“/[^a-zA-Z ]/”, “”, $inputString);

    return $sanitizedInput;

}

• Failing to correctly implement the regular expression, leading to incorrect validation or sanitization.
• Not thoroughly testing the function with various input scenarios, including edge cases.
• Assuming the input is always a string and not handling other data types that could cause errors.

• How could you modify the function to allow other characters, such as punctuation marks, while still sanitizing harmful characters?
• Discuss the importance of input validation and sanitization in web development. How does it protect against common security threats?

• The script must handle GET requests specifically.
• Use the current server time in UTC format.

  “message”: “Hello, World!”,

  “time”: “2023-03-23T12:34:56+00:00”

}

if ($_SERVER[‘REQUEST_METHOD’] === ‘GET’) {

    header(‘Content-Type: application/json’);

    $currentTime = gmdate(“Y-m-d\TH:i:s\Z”);

    $response = array(“message” => “Hello, World!”, “time” => $currentTime);

    echo json_encode($response);

} else {

    http_response_code(405); // Method Not Allowed

    echo ‘This endpoint accepts GET requests only.’;

}

?>

• Not setting the correct content type for the response, causing issues with client-side processing of the response.
• Using the wrong function to generate the current time in UTC, resulting in incorrect time information being sent.
• Failing to handle request methods other than GET appropriately, potentially leading to unhandled requests or errors.

• How would you extend this script to handle other HTTP methods, such as POST, and accept data from the client?
• Discuss the importance of proper HTTP status codes in REST API design. How do they improve client-server communication?

• The input string may contain letters (both uppercase and lowercase), digits, and special characters.
• The function should validate the input to ensure it contains only letters and spaces before sanitization.

• If the credentials match the predefined set, return “Authentication successful”.
• Otherwise, return “Authentication failed”.

if ($_SERVER[‘REQUEST_METHOD’] === ‘POST’) {

    // Assuming username and password are passed as part of the form data in a POST request

    $username = $_POST[‘username’];

    $password = $_POST[‘password’];

    // Predefined valid credentials

    $validUsername = “admin”;

    $validPassword = “password123”;

    if ($username === $validUsername && $password === $validPassword) {

        echo “Authentication successful”;

    } else {

        echo “Authentication failed”;

    }

} else {

    // Respond with a 405 HTTP status code if not a POST request

    http_response_code(405);

    echo “This endpoint accepts POST requests only.”;

}

?>

• Failing to check the request method could lead to inappropriate handling of requests.
• Hardcoding credentials in the script, which is not a secure practice in real-world applications.
• Not sanitizing or validating user inputs could expose the application to security vulnerabilities like SQL injection or cross-site scripting (XSS).

• How would you improve this script’s security in a real-world application?
• Can you implement a session-based system to remember users after successfully authenticating them?

• The image file must be either JPEG or PNG format.
• The maximum file size allowed is 2MB.
• Ensure the upload directory exists and is writable.

• If the upload is successful, return “Upload successful.”
• If the file does not meet the validation criteria, return the reason, such as “Invalid file type” or “File size exceeds limit.”

if ($_SERVER[‘REQUEST_METHOD’] === ‘POST’ && isset($_FILES[‘image’])) {

    $uploadDirectory = “/uploads/”;

    $maxFileSize = 2 * 1024 * 1024; // 2MB

    $validFileTypes = [‘image/jpeg’, ‘image/png’];

    $file = $_FILES[‘image’];

    $fileType = $file[‘type’];

    $fileSize = $file[‘size’];

    if (!in_array($fileType, $validFileTypes)) {

        echo “Invalid file type”;

    } elseif ($fileSize > $maxFileSize) {

        echo “File size exceeds limit”;

    } else {

        $targetFilePath = $uploadDirectory . basename($file[‘name’]);

        if (move_uploaded_file($file[‘tmp_name’], $targetFilePath)) {

            echo “Upload successful”;

        } else {

            echo “Failed to upload file”;

        }

    }

} else {

    echo “No file uploaded or wrong request method”;

}

?>

• Failing to validate the file type and size can lead to security vulnerabilities or server issues due to large file uploads.
• Not properly checking if the upload directory exists and is writable could cause the file upload to fail.
• Handling the file upload appropriately, such as using the wrong variable names or missing the server configuration for file uploads.

• How would you implement additional security measures for the file upload process?
• Can you extend the script to handle multiple file uploads simultaneously?

• The routing system should only handle the two specified paths: /home and /about.
• If the path does not match any predefined routes, the script should return a 404 Not Found response.

$path = isset($_GET[‘path’]) ? $_GET[‘path’] : ”;

function homePage() {

    return “<h1>Home Page</h1>”;

}

function aboutPage() {

    return “<h1>About Page</h1>”;

}

switch ($path) {

    case ‘home’:

        echo homePage();

        break;

    case ‘about’:

        echo aboutPage();

        break;

    default:

        http_response_code(404);

        echo “<h1>404 Not Found</h1>”;

        break;

}

?>

• Not properly sanitizing or validating input could lead to security vulnerabilities.
• Failing to set an appropriate HTTP response code for unmatched paths can confuse users and search engines.
• Hardcoding the paths and response messages makes the script less flexible and harder to maintain.

• How would you extend this routing system to handle more complex routes or methods (e.g., POST)?
• Can you implement a way to dynamically load page content based on the route, possibly from external files or a database?

• To generate a token: No specific input; the action initiates token generation.
• To validate a token: The token string submitted by the user, typically through a form or API request.

• Tokens should be sufficiently random and secure for use in a production environment.
• The validation function should correctly identify whether the submitted token matches the stored token in the session.

• When generating a token: Return the token as a string.
• When validating a token: Return a boolean value indicating whether the token is valid.

• If the token matches the stored session token: true
• If the token does not match: false

function generateToken() {

    $token = bin2hex(random_bytes(32));

    $_SESSION[‘token’] = $token;

    return $token;

}

function validateToken($userToken) {

    if (isset($_SESSION[‘token’]) && $userToken === $_SESSION[‘token’]) {

        unset($_SESSION[‘token’]); // Prevent reuse

        return true;

    }

    return false;

}

// Example usage:

// Generating a token

$token = generateToken();

// Validating a token (assuming $userToken is received from user input)

$userToken = ‘abcdef123456’; // Example user-submitted token

$isValid = validateToken($userToken);

echo $isValid ? ‘true’ : ‘false’;

• Using insufficiently random or predictable methods for token generation, which could be exploited.
• Failing to remove the token from the session after validation, allowing potential reuse in CSRF or replay attacks.
• Not securely transmitting tokens, such as failing to use HTTPS, which could expose tokens to interception.

• How would you modify this script to handle tokens in a stateless, scalable application architecture?
• Discuss the importance of CSRF protection and the role of tokens in securing web applications.

• Assume the JSON file (data.json) initially contains an array of objects. Each object represents a user with properties like id, name, and email.
• The script should add a new key-value pair {“status”: “active”} to each user object.

• The script must check if the file exists before attempting to modify it.
• Proper error handling should be implemented for file operations and JSON encoding/decoding.

• The modified JSON data is written back to data.json, with each user object including the new status key.

  {“id”: 1, “name”: “John Doe”, “email”: “john@example.com”},

  {“id”: 2, “name”: “Jane Doe”, “email”: “jane@example.com”}

]

  {“id”: 1, “name”: “John Doe”, “email”: “john@example.com”, “status”: “active”},

  {“id”: 2, “name”: “Jane Doe”, “email”: “jane@example.com”, “status”: “active”}

]

$filePath = ‘data.json’;

// Check if the file exists

if (file_exists($filePath)) {

    // Load and decode the JSON data from the file

    $jsonData = file_get_contents($filePath);

    $dataArray = json_decode($jsonData, true);

    // Check if JSON data was decoded successfully

    if (is_array($dataArray)) {

        // Add a new key-value pair to each user object

        foreach ($dataArray as &$user) {

            $user[‘status’] = ‘active’;

        }

        unset($user); // Break the reference with the last element

        // Encode the modified array back into JSON

        $jsonData = json_encode($dataArray, JSON_PRETTY_PRINT);

        // Write the modified JSON data back to the file

        if (file_put_contents($filePath, $jsonData) === false) {

            echo “Error writing to file”;

        } else {

            echo “File updated successfully”;

        }

    } else {

        echo “Error decoding JSON”;

    }

} else {

    echo “File does not exist”;

}

?>

• Failing to check if the file exists before attempting operations could lead to errors.
• Not correctly handling the decode and encode process of JSON might result in data corruption or loss.
• Overlooking proper error handling for file and JSON operations, leading to silent failures or incorrect script behavior.

• How would you handle larger JSON files that might not fit into memory when using file_get_contents?
• Discuss the implications of directly modifying files like this in a web application. What concurrency issues might arise, and how could they be mitigated?

• The script receives two parameters: pageNumber and itemsPerPage.
• Assume the initial array of items (e.g., product names) is hardcoded within the script.

• pageNumber is a positive integer, with the first page being 1.
• itemsPerPage is a positive integer indicating how many items to display on each page.
• If pageNumber is beyond the last page, the script should return an empty array.

• The modified JSON data is written back to data.json, with each user object including the new status key.

• pageNumber: 2
• itemsPerPage: 5
• Initial array of items: [“Item 1”, “Item 2”, …, “Item 20”]

• For page 2 with 5 items per page: [“Item 6”, “Item 7”, “Item 8”, “Item 9”, “Item 10”]

function getPaginatedItems($items, $pageNumber, $itemsPerPage) {

    // Calculate the starting index

    $start = ($pageNumber – 1) * $itemsPerPage;

    // Extract the subset of items for the requested page

    $pagedItems = array_slice($items, $start, $itemsPerPage);

    return $pagedItems;

}

// Example usage

$items = [“Item 1”, “Item 2”, “Item 3”, “Item 4”, “Item 5”, 

          “Item 6”, “Item 7”, “Item 8”, “Item 9”, “Item 10”,

          “Item 11”, “Item 12”, “Item 13”, “Item 14”, “Item 15”,

          “Item 16”, “Item 17”, “Item 18”, “Item 19”, “Item 20”];

$pageNumber = 2;

$itemsPerPage = 5;

$pagedItems = getPaginatedItems($items, $pageNumber, $itemsPerPage);

print_r($pagedItems);

?>

• Off-by-one errors, especially in calculating the start index for slicing the array.
• Not handling cases where the pageNumber parameter is beyond the last page, which should return an empty array rather than causing an error.
• Failing to validate input parameters, potentially leading to unexpected behavior with invalid inputs.

• How would you handle invalid input parameters, such as non-integer or negative page numbers?
• Can you extend this functionality to support sorting of items before pagination?