Blog · PHP · 04 Jul 2026 · Hindi + English

Top 15 PHP Interview Questions for Freshers with Answers

15 most-asked PHP questions: echo vs print, GET vs POST, sessions vs cookies, == vs ===, isset vs empty, SQL injection prevention and tricky outputs.

How to use this list

These 15 questions are what PHP fresher interviews actually revolve around — concepts, security, and predict-the-output. Answers are phrased the way you should say them out loud.

Language basics (1–6)

Q1. echo vs print?

Both are language constructs. echo takes multiple comma-separated values and returns nothing; print takes one value and returns 1, so only print can sit inside an expression. In practice, echo everywhere.

Q2. == vs ===?

== compares after type juggling (5 == "5" is true, and 0e-style "magic hashes" collide); === compares value and type with no conversion. Professional default is === — and strpos() results MUST use === false.
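The two traps from Q2 side by side, as an added example that is not part of the original post. The token strings, the address and the function names are constructed for illustration.

```php
<?php
// Added example, not from the original post. All values below are constructed.

// Two different strings that PHP's numeric parser reads as 0 x 10^n.
$stored   = "0e12345678";   // constructed: value kept on the server
$supplied = "0e87654321";   // constructed: a different value sent by a client

// Loose comparison converts both numeric strings to floats before comparing,
// so two different tokens are treated as the same number.
var_dump($stored == $supplied);

// Strict comparison looks at the strings themselves, with no conversion.
var_dump($stored === $supplied);

// For secrets (tokens, MACs), hash_equals() is strict and also constant-time.
var_dump(hash_equals($stored, $supplied));

// strpos() returns int 0 for a match at position 0 and false for "not found".
function containsLoose(string $haystack, string $needle): bool
{
    // Bug: a match at position 0 is loosely equal to false, so it is reported as missing.
    return strpos($haystack, $needle) != false;
}

function containsStrict(string $haystack, string $needle): bool
{
    // Only the real "not found" value (boolean false) fails this check.
    return strpos($haystack, $needle) !== false;
}

// The needle sits at the very start, which is exactly the case the loose check gets wrong.
var_dump(containsLoose("admin@example.com", "admin"));
var_dump(containsStrict("admin@example.com", "admin"));
```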

Q3. isset() vs empty()?

isset = exists and not null; empty = any falsy value including 0 and "0". Trap: never validate numeric fields with empty() — a genuine zero gets rejected.
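The zero trap in a form handler, as an added example that is not part of the original post. The field name quantity, the 0 to 1000 range and both function names are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Field name and range are hypothetical.

// Buggy: empty() treats "0" as missing, so a genuine zero is rejected.
// It also lets "7abc" through, because the cast keeps the leading digits.
function readQuantityWithEmpty(array $form): ?int
{
    if (empty($form['quantity'])) {
        return null;
    }
    return (int) $form['quantity'];
}

// Safer: isset() answers "was it sent?", then the value is validated as an integer.
function readQuantity(array $form): ?int
{
    if (!isset($form['quantity']) || !is_string($form['quantity'])) {
        return null; // missing key, or an array such as quantity[]=1
    }
    $value = filter_var(
        trim($form['quantity']),
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1000]]
    );
    // filter_var() returns false on failure; === keeps a valid 0 from being mistaken for it.
    return $value === false ? null : $value;
}

// Constructed inputs shaped like $_POST (form values arrive as strings).
$samples = [
    ['quantity' => '0'],
    ['quantity' => '7'],
    ['quantity' => ''],
    ['quantity' => '7abc'],
    [],
];
foreach ($samples as $form) {
    echo json_encode($form), "\n";
    var_dump(readQuantityWithEmpty($form), readQuantity($form));
}
```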

Q4. include vs require (and _once)?

Same job; include warns and continues on a missing file, require raises a fatal error and stops. Critical files (config, auth) → require; the _once versions skip repeat loads, preventing "Cannot redeclare" errors.

Q5. GET vs POST?

GET carries data in the URL — visible, ~2KB, bookmarkable, for read-only requests. POST carries it in the body — hidden from URL, supports uploads, required for anything that changes data. POST alone isn't security; HTTPS is.

Q6. What are PHP superglobals?

Built-in arrays available everywhere: $_GET, $_POST, $_REQUEST, $_SESSION, $_COOKIE, $_FILES, $_SERVER, $GLOBALS. They carry request data, uploaded files and server info into your script.

State and security (7–11)

Q7. Session vs cookie?

Cookie lives in the browser — user-readable and editable, long-lived, for preferences. Session lives on the server with only the ID in a cookie — tamper-proof, for login state and roles. Never store is_admin in a cookie.

Q8. How do you prevent SQL injection?

Prepared statements — user input travels separately from the SQL text via placeholders (PDO :named or ? positional). Never concatenate input into queries. Bonus mention: PDO::ERRMODE_EXCEPTION for clean errors.

Q9. How do you prevent XSS?

htmlspecialchars() on every piece of user input echoed into HTML — script tags become harmless text. Pair rule with Q8: output→escape, database→placeholders.
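The security pair from Q8 and Q9 in one script, as an added example that is not part of the original post. It assumes the pdo_sqlite extension is available; the users table, the sample rows, the input string and the function names are constructed.

```php
<?php
// Added example, not from the original post. Table, rows and input are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$insert = $pdo->prepare('INSERT INTO users (name, bio) VALUES (:name, :bio)');
$insert->execute([':name' => 'asha', ':bio' => 'Likes <b>PHP</b> & SQL']);
$insert->execute([':name' => 'ravi', ':bio' => '<script>alert(1)</script>']);

// Before: input is pasted into the SQL text, so quotes in it change the query's structure.
function findUsersConcatenated(PDO $pdo, string $name): array
{
    $sql = "SELECT name, bio FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the SQL text is fixed; the value travels separately and is only ever data.
function findUsersPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: escape at the moment the value is written into HTML.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input containing quotes. No user has this name, so a correct
// lookup matches nothing; the concatenated query matches every row instead.
$input = "x' OR '1'='1";
printf("concatenated: %d row(s)\n", count(findUsersConcatenated($pdo, $input)));
printf("prepared:     %d row(s)\n", count(findUsersPrepared($pdo, $input)));

// The stored markup is written out as text, not as tags.
foreach (findUsersPrepared($pdo, 'ravi') as $row) {
    echo '<li>', e($row['name']), ': ', e($row['bio']), "</li>\n";
}
```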

Q10. How should passwords be stored?

Never plain, never md5/sha1. Use password_hash($p, PASSWORD_DEFAULT) to store and password_verify($input, $hash) to check — automatic salting, future-proof algorithm.
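What "automatic salting" and "future-proof" mean in practice, as an added example that is not part of the original post. The sample password, the bcrypt cost of 4 used to simulate an old hash, and the checkLogin function with its $saveHash callback are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Password and cost value are constructed.

$password = 'correct horse battery staple'; // constructed sample

// md5 has no salt: the same password always yields the same digest,
// so identical passwords are visible as identical rows in the table.
var_dump(md5($password) === md5($password));

// password_hash() generates a fresh salt on each call, so two hashes of the
// same password differ as strings, yet both still verify.
$hashA = password_hash($password, PASSWORD_DEFAULT);
$hashB = password_hash($password, PASSWORD_DEFAULT);
var_dump($hashA === $hashB);
var_dump(password_verify($password, $hashA), password_verify($password, $hashB));
var_dump(password_verify('wrong guess', $hashA));

// Login check that upgrades old hashes after a successful verify.
// $saveHash is a hypothetical callback that writes the new hash to the user row.
function checkLogin(string $input, string $storedHash, callable $saveHash): bool
{
    if (!password_verify($input, $storedHash)) {
        return false;
    }
    // True when the stored hash was made with an older algorithm or cost.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $saveHash(password_hash($input, PASSWORD_DEFAULT));
    }
    return true;
}

// Simulate a hash created under an older, cheaper setting (bcrypt cost 4, the minimum).
$oldHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);
$updated = null;
$ok = checkLogin($password, $oldHash, function (string $new) use (&$updated): void {
    $updated = $new;
});

// Show the login result, whether a replacement hash was produced, and both hash prefixes.
var_dump($ok, $updated !== null);
echo substr($oldHash, 0, 7), ' -> ', substr((string) $updated, 0, 7), "\n";
```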

Q11. What causes "headers already sent"?

Any output (even a space before <?php or after ?>) before header(), session_start() or setcookie() — headers must precede the body. Fix: session_start() first line, and omit the closing ?> in pure-PHP files.

Predict the output (12–15)

Q12.

$x = "5"; $y = 5;
var_dump($x == $y);
var_dump($x === $y);

true then false — juggling equalizes value; strict sees string vs int.

Q13.

$a = array(1, 2, 3);
$b = $a;              // arrays COPY in PHP (unlike Python lists!)
$b[] = 4;
echo count($a);

3 — assignment copies the array; $a is untouched. (Objects, in contrast, share.)

Q14.

function addFive(&$n) { $n = $n + 5; }
$m = 10;
addFive($m);
echo $m;

15 — the & makes the parameter a reference; the function modified the original variable.

Q15.

echo 0.1 + 0.2 == 0.3 ? "equal" : "not equal";

not equal — floating point (0.30000000000000004). Compare floats with a tolerance or use round(); never == on money — store paise as integers.

Last-minute revision line

Five things that carry the round: === everywhere (and why), prepared statements + htmlspecialchars (the security pair), session vs cookie (server vs browser), isset/empty zero-trap, and password_hash/password_verify. Speak these confidently and the interview tilts your way.

Frequently Asked Questions

What are the most asked PHP interview questions for freshers?

echo vs print, == vs ===, isset vs empty, include vs require, GET vs POST, session vs cookie, SQL injection prevention with prepared statements, XSS prevention with htmlspecialchars, and password_hash usage.

What are the two golden security rules in PHP?

Every user input echoed into HTML passes through htmlspecialchars() (stops XSS), and every input reaching SQL goes through prepared-statement placeholders (stops injection).

Why is 0.1 + 0.2 == 0.3 false in PHP?

Binary floating point cannot represent these decimals exactly, so the sum is 0.30000000000000004; compare floats with a tolerance and store money as integer paise.