All our web hosting packages include PHP programming language support as standard. PHP is the most popular technology for producing dynamic web services, and most applications for maintaining websites and online stores, such as WordPress, WooCommerce, Joomla, Drupal, Prestashop, Zen Cart and many others are made with this programming language.
Typically, however, website or online store designers nowadays don't need to know how to program or even install ready-made applications manually, as installation is done automatically with control panel tools. For example, WordPress installation is done on our server using a tool called
WordPress Toolkit. This guide is mainly intended for understanding the basics of the PHP programming language and for those who program themselves or use PHP-based scripts and applications made by others. Understanding the basics of PHP programming is not harmful, as it also helps in understanding how ready-made content management systems work, customizing software, and independently resolving various fault situations.
Running PHP files
PHP files are placed in the same location as traditional HTML website files. On our server, this location is the httpdocs directory found in the home directory.
Unlike static HTML files (e.g., index.html), PHP files are named with a .php extension (e.g., index.php), so the server's interpreter understands to compile and run the PHP program code found in the file. Unlike other HTML content, sections containing program code always start with the marking <?php and end with the marking ?>, between which the executable program code is placed.
If you are interested in learning PHP programming, for beginners we recommend, for example,
w3schools.com's PHP tutorials, which are a great way to get started. Often
MySQL databases are also used with the PHP programming language for efficient data storage and retrieval. Most of our web hosting packages also include MySQL support as standard.
Security considerations
Any dynamic application that can be influenced from a public location externally (such as from the web) always poses a potential security threat. When installing third-party PHP applications, you should always remember a few important security points:
- Only install PHP programs downloaded from trusted sources. Download the software package from the software manufacturer's own website, not from third-party sites. Install the software following the application manufacturer's instructions exactly (including setting the instructed file permissions, removing any install file, and using sufficiently secure passwords).
- Remember to update the software regularly following the software manufacturer's instructions so that the installation remains secure and malware cannot access your disk space through potential application vulnerabilities
When programming applications yourself, it's important to be aware of at least a few security basics:
- All data from external inputs (web forms, cookies, web services, server variables, and database queries) must always be sanitized (i.e., cleaned) before saving or other processing.
- Especially data retrieved from forms using POST or GET methods should, in addition to cleaning, always be handled in such a way that no program code can be executed through it at the target
- If data is printed to the screen (with echo or print commands), it must first be processed at least with htmlspecialchars and possibly also with strip_tags to avoid various XML injections.
- If data is saved to a MySQL database, it must additionally be processed through PHP's mysqli_real_escape_string (or even better, useprepared statements) to avoid various SQL injections. By far the best and most secure option for commanding the database is to use PDO and prepared statements, although it requires more effort and familiarization from the programmer at first.
- If the data used is used to run shell commands (requires own server environment with special permissions) e.g., with the exec command, the data must also be cleaned with escapeshellcmd and escapeshellarg commands
Enabling PHP error messages
By default, publicly visible PHP error messages are blocked on our servers for security reasons, and when an error occurs, a white screen is displayed in the browser. You can see some errors from the Plesk control panel under Websites & Domains -> Logs, but this only applies to Apache and Nginx server-level errors and generally doesn't show all PHP error messages. If desired, you can request our customer support to enable PHP error messages for your web hosting or development environment where you do software development, or for other reasons need to see error messages from faulty PHP scripts by default in your web hosting.
However, we primarily recommend managing these settings directly from the PHP program's own settings level. So you can also control PHP error message settings from within the application by setting at the beginning of your application's PHP program code:
error_reporting(E_ALL);
ini_set("display_errors", 1);
For security reasons, PHP error messages should only be displayed during the software development phase (and even then, for example, the software being developed should be protected with a
password). When the software is made public, the PHP error message setting should be restored to original
("display errors", 0), so error messages are not displayed.
However, using the setting requires that you have implemented the software structure so that the error does not occur in this program file where the setting is set (e.g., a separate settings file that is run at the beginning), and PHP has time to run the file before running the faulty file. (The PHP interpreter compiles the file completely before printing the error message, so the setting cannot be set through a faulty PHP file). As a simplified example, if the program you've implemented consists of one file (e.g., program.php) and an error occurs in it that you would like to see, this can be done by creating a new file in the same directory (e.g., error.php) with the content:
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
include("program.php");
?>
Then by running (opening in a browser) this file error.php, you will see the error message from the file program.php.
Enabling PHP error messages and error log in WordPress
If you use WordPress, you can enable PHP error messages by editing the wp-config.php file and adding the line:
define( 'WP_DEBUG', true );
if you want error messages to be logged to a log file, also add the line:
define( 'WP_DEBUG_LOG', true );
Then WordPress PHP error messages will be logged to the debug.log file found in the wp-content directory. After you have located the error, remember to turn off error messages again for security reasons on production sites.
