Top 15 PHP Interview Questions for Freshers with Answers
15 most-asked PHP questions: echo vs print, GET vs POST, sessions vs cookies, == vs ===, isset vs empty, SQL injection prevention and tricky outputs.
How to use this list
Language basics (1–6)
Q1. echo vs print?
Both are language constructs. echo takes multiple comma-separated values and returns nothing; print takes one value and returns 1, so only print can sit inside an expression. In practice, use echo everywhere.
Q2. == vs ===?
== compares after type juggling (5 == "5" is true, and 0e-style "magic hashes" collide); === compares value and type with no conversion. Professional default is === — and strpos() results MUST use === false.
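Added example (not part of the original list) showing the two traps named in Q2: magic hashes under == and strpos() returning offset 0. The paths are constructed samples, the helper names are made up for the demonstration, and the two md5 inputs are widely published magic-hash strings.

```php
<?php
// Added example: loose vs strict comparison on security-relevant values.

// 1) Magic hashes. Both digests have the form "0e" followed only by digits,
//    so == treats them as numeric strings in scientific notation (zero times
//    a power of ten) and compares them as numbers.
$stored   = md5('240610708');
$supplied = md5('QNKCDZO');

echo "loose  (==):   ";  var_dump($stored == $supplied);
echo "strict (===):  ";  var_dump($stored === $supplied);
// hash_equals() is also strict and additionally compares in constant time.
echo "hash_equals(): ";  var_dump(hash_equals($stored, $supplied));

// 2) strpos() returns int 0 when the needle is at the very start and
//    false when it is absent. Only a strict check tells the two apart.
function containsLoose(string $haystack, string $needle): bool
{
    return strpos($haystack, $needle) != false;   // buggy: offset 0 == false
}

function containsStrict(string $haystack, string $needle): bool
{
    return strpos($haystack, $needle) !== false;  // correct
}

// Constructed sample paths: needle at offset 0, needle later, needle absent.
foreach (['admin/settings', 'user/admin', 'user/profile'] as $path) {
    printf(
        "%-15s loose=%s strict=%s\n",
        $path,
        var_export(containsLoose($path, 'admin'), true),
        var_export(containsStrict($path, 'admin'), true)
    );
}
```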
Q3. isset() vs empty()?
isset = exists and not null; empty = any falsy value including 0 and "0". Trap: never validate numeric fields with empty() — a genuine zero gets rejected.
Q4. include vs require (and _once)?
Same job; include warns and continues on a missing file, require raises a fatal error and stops. Critical files (config, auth) → require; the _once versions skip repeat loads, preventing "Cannot redeclare" errors.
Q5. GET vs POST?
GET carries data in the URL — visible, ~2KB, bookmarkable, for read-only requests. POST carries it in the body — hidden from URL, supports uploads, required for anything that changes data. POST alone isn't security; HTTPS is.
Q6. What are PHP superglobals?
Built-in arrays available everywhere: $_GET, $_POST, $_REQUEST, $_SESSION, $_COOKIE, $_FILES, $_SERVER, $GLOBALS. They carry request data, uploaded files and server info into your script.
State and security (7–11)
Q7. Session vs cookie?
Cookie lives in the browser — user-readable and editable, long-lived, for preferences. Session lives on the server with only the ID in a cookie — tamper-proof, for login state and roles. Never store is_admin in a cookie.
Q8. How do you prevent SQL injection?
Prepared statements — user input travels separately from the SQL text via placeholders (PDO :named or ? positional). Never concatenate input into queries. Bonus mention: PDO::ERRMODE_EXCEPTION for clean errors.
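Added example (not part of the original list) that runs the concatenated query next to the named and positional placeholder forms from Q8. It assumes the pdo_sqlite extension is available; the table, rows and input values are constructed.

```php
<?php
// Added example: in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES
            ('asha', 'asha@example.test'), ('ravi', 'ravi@example.test')");

// Constructed form value containing a quote and SQL syntax.
$name = "nobody' OR '1'='1";

// BEFORE: concatenation. The quote inside $name closes the string literal,
// so the rest of the value is parsed as part of the WHERE clause.
$rows = $pdo->query("SELECT email FROM users WHERE name = '$name'")
            ->fetchAll(PDO::FETCH_COLUMN);
printf("concatenated:      %d row(s)\n", count($rows));

// AFTER, named placeholder: the SQL text is fixed at prepare() time and
// the value is bound as data, so it is only ever compared with the column.
$stmt = $pdo->prepare('SELECT email FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
printf("named placeholder: %d row(s)\n", count($stmt->fetchAll(PDO::FETCH_COLUMN)));

// AFTER, positional placeholders: values are bound in order.
$stmt = $pdo->prepare('SELECT email FROM users WHERE name = ? AND id = ?');
$stmt->execute(['asha', 1]);
printf("positional:        %d row(s)\n", count($stmt->fetchAll(PDO::FETCH_COLUMN)));

// Placeholders bind values only. A column name chosen by the user (for
// ORDER BY, say) has to come from a fixed allow-list instead.
$allowed = ['name', 'email'];
$sort    = 'email; extra sql here';            // constructed request value
$column  = in_array($sort, $allowed, true) ? $sort : 'name';
$sorted  = $pdo->query("SELECT name FROM users ORDER BY $column")
               ->fetchAll(PDO::FETCH_COLUMN);
printf("sorted by %s: %s\n", $column, implode(', ', $sorted));
```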
Q9. How do you prevent XSS?
Call htmlspecialchars() on every piece of user input echoed into HTML — script tags become harmless text. Pair this rule with Q8: output→escape, database→placeholders.
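Added example (not part of the original list) applying the Q9 rule at output time, for element content and for a quoted attribute. The helper name e() and both input values are constructed.

```php
<?php
// Added example: escape on output, keep the stored value unchanged.
function e(string $value): string
{
    // ENT_QUOTES escapes both quote styles so the result is also safe inside
    // a quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
    // instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed user input, stored exactly as submitted.
$comment = '<script>alert(1)</script> nice post & "thanks"';
$website = 'https://example.test/?q="><b>x</b>';

// BEFORE: raw interpolation places the submitted markup in the page as markup.
$unsafe = "<p>$comment</p>";

// AFTER: the same values escaped for element content and a quoted attribute.
$safe = '<p>' . e($comment) . '</p>'
      . '<a href="' . e($website) . '">site</a>';

echo $unsafe, "\n", $safe, "\n";

// htmlspecialchars() covers HTML text and quoted attribute values only. It
// does not validate a URL scheme, and values placed inside a <script> block
// need JSON encoding rather than HTML escaping.
```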
Q10. How should passwords be stored?
Never plain, never md5/sha1. Use password_hash($p, PASSWORD_DEFAULT) to store and password_verify($input, $hash) to check — automatic salting, future-proof algorithm.
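Added example (not part of the original list) of the Q10 store-and-check flow, including an upgrade of an older hash at login. The function names registerUser() and checkLogin() and the password are constructed; the cost-4 bcrypt hash stands in for an old database row.

```php
<?php
// Added example: password_hash / password_verify with rehash on login.
function registerUser(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);   // random salt per call
}

// Returns [authenticated, replacement hash or null].
function checkLogin(string $input, string $storedHash): array
{
    if (!password_verify($input, $storedHash)) {
        return [false, null];
    }
    // Upgrade hashes created with older settings while the plaintext is at hand.
    $newHash = password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? password_hash($input, PASSWORD_DEFAULT)
        : null;
    return [true, $newHash];
}

$password = 'correct horse battery staple';   // constructed sample

// Same password, two calls: the stored strings differ because each call
// generates its own salt.
$h1 = registerUser($password);
$h2 = registerUser($password);
var_dump($h1 === $h2);

// Both still verify: salt and cost are encoded in the hash string itself.
var_dump(checkLogin($password, $h1)[0], checkLogin($password, $h2)[0]);
var_dump(checkLogin('wrong guess', $h1)[0]);

// A hash made with a weaker cost stands in for an old database row.
$old = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);
[$ok, $upgraded] = checkLogin($password, $old);
var_dump($ok, $upgraded !== null);
print_r(password_get_info($old));
```

When checkLogin() returns a replacement hash, write it back to the user's row so the stored value moves to the current default.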
Q11. What causes "headers already sent"?
Any output (even a space before <?php or after ?>) before header(), session_start() or setcookie() — headers must precede the body. Fix: session_start() first line, and omit the closing ?> in pure-PHP files.
Predict the output (12–15)
Q12.
$x = "5"; $y = 5;
var_dump($x == $y);
var_dump($x === $y);
true then false — juggling equalizes value; strict sees string vs int.
Q13.
$a = array(1, 2, 3);
$b = $a; // arrays COPY in PHP (unlike Python lists!)
$b[] = 4;
echo count($a);
3 — assignment copies the array; $a is untouched. (Objects, in contrast, share.)
Q14.
function addFive(&$n) { $n = $n + 5; }
$m = 10;
addFive($m);
echo $m;
15 — the & makes the parameter a reference; the function modified the original variable.
Q15.
echo 0.1 + 0.2 == 0.3 ? "equal" : "not equal";
not equal — floating point (0.30000000000000004). Compare floats with a tolerance or use round(); never == on money — store paise as integers.
Last-minute revision line
Frequently Asked Questions
What are the most asked PHP interview questions for freshers?
echo vs print, == vs ===, isset vs empty, include vs require, GET vs POST, session vs cookie, SQL injection prevention with prepared statements, XSS prevention with htmlspecialchars, and password_hash usage.
What are the two golden security rules in PHP?
Every user input echoed into HTML passes through htmlspecialchars() (stops XSS), and every input reaching SQL goes through prepared-statement placeholders (stops injection).
Why is 0.1 + 0.2 == 0.3 false in PHP?
Binary floating point cannot represent these decimals exactly, so the sum is 0.30000000000000004; compare floats with a tolerance and store money as integer paise.