Web Programming Fundamentals

PHP applications live inside the HTTP request-and-response cycle. Understanding that cycle makes routing, forms, authentication, APIs, caching, and debugging much easier.

The Request Cycle

  1. The browser resolves the host. DNS returns the address of the web server or reverse proxy.
  2. A connection is established. HTTPS adds TLS negotiation before HTTP data is exchanged.
  3. The browser sends a request. The request includes a method, path, headers, and sometimes a body.
  4. The web server invokes PHP. Apache, nginx with PHP-FPM, or another server passes the request to the application.
  5. The application runs. It validates input, loads data, applies business rules, and produces a response.
  6. The browser receives the response. It uses the status code, headers, and body to decide what to display or do next.
GET /customers/42 HTTP/1.1
Host: example.test
Accept: text/html
Cookie: session_id=abc123

HTTP Methods and Intent

MethodTypical purposeExpected behavior
GETRead a page or resourceShould not create, modify, or delete data.
POSTCreate or submit an actionUsually has a request body and may change state.
PUTReplace a resourceCommon in APIs and generally idempotent.
PATCHPartially update a resourceChanges only specified fields.
DELETERemove a resourceShould require authorization and CSRF protection in browser applications.
Do not use a GET link for destructive actions. Crawlers, browser prefetching, and accidental clicks can follow links. Use a state-changing method and verify authorization.

Status Codes Are Part of the Interface

CodeUse
200 OKA normal successful response.
201 CreatedA resource was created successfully.
204 No ContentThe action succeeded and no body is needed.
302 Found / 303 See OtherRedirect after an action, often following a successful form POST.
400 Bad RequestThe request is malformed.
401 UnauthorizedAuthentication is required or invalid.
403 ForbiddenThe identity is known but lacks permission.
404 Not FoundThe requested resource does not exist or should not be revealed.
422 Unprocessable ContentThe request is structurally valid but fails validation.
500 Internal Server ErrorAn unexpected application failure occurred.

Headers, Content Types, and Cookies

Headers carry metadata about the request and response. Applications commonly inspect Accept, Content-Type, authorization headers, forwarding headers from a trusted reverse proxy, and caching headers.

<?php
declare(strict_types=1);

header('Content-Type: application/json; charset=utf-8');
header('Cache-Control: no-store');

http_response_code(200);
echo json_encode(
    ['status' => 'ok'],
    JSON_THROW_ON_ERROR
);

HTTP Is Stateless

Each request stands alone. Sessions create continuity by storing data on the server and associating it with a session identifier in a cookie. Authentication should never depend solely on hidden form fields or query-string values because the client controls them.

Know Which Data You Can Trust

  • Everything from $_GET, $_POST, cookies, JSON bodies, and uploaded files is untrusted.
  • Headers can be forged unless a trusted reverse proxy replaces or validates them.
  • Database values may still require escaping when rendered into HTML.
  • Authorization must be checked on every protected action, not only when the menu is displayed.
  • Validation answers “is this input acceptable?” while escaping answers “is this output safe in this context?”