PHP Cheatsheet
Scope
This cheatsheet is a lookup reference for PHP used in real WordPress work. It covers core PHP language features, common standard-library functions, security boundaries, and the WordPress APIs most frequently used in themes, plugins, REST routes, AJAX handlers, admin screens, WooCommerce extensions, and production maintenance.
Sections
- PHP Syntax and Runtime
- Types, Comparisons, and Values
- Arrays and Data Shaping
- Strings, Numbers, Dates, and Formatting
- Functions, Scope, Includes, and Namespaces
- Object-Oriented PHP
- Errors, Exceptions, Logging, and Debugging
- Files, Uploads, Streams, and JSON
- Security, Validation, Sanitization, and Escaping
- Database, SQL, PDO, and WordPress wpdb
- HTTP, Sessions, Cookies, and APIs
- Composer, Autoloading, Testing, and Tooling
- WordPress PHP API Cheatsheet
Golden Rules
| Rule | Why It Matters |
|---|---|
| Validate input | Reject values your feature should never accept |
| Sanitize before storage | Normalize values before they become durable data |
| Escape output | Prevent broken markup and cross-site scripting |
| Check capabilities | Prevent unauthorized reads and writes |
| Use prepared SQL | Prevent SQL injection |
| Avoid editing core | Keep updates safe and reversible |
| Log safely | Debug without exposing secrets |
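The rules above applied together in one admin AJAX handler, as an added example that is not part of the original cheatsheet. The action name `acme_save_note`, the nonce action, the `acme_notes` table and its columns are hypothetical.

```php
<?php
// Added example: hypothetical plugin code. Action, nonce and table names are assumptions.
// Avoid editing core: the handler lives in a plugin and attaches through a hook.
add_action( 'wp_ajax_acme_save_note', 'acme_save_note' );

function acme_save_note() {
    global $wpdb;

    // Check capabilities (and request intent) before touching any data.
    check_ajax_referer( 'acme_save_note', 'nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Validate input: reject values this feature should never accept.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( 0 === $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid post' ), 400 );
    }

    // Sanitize before storage: normalize the value that becomes durable data.
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( '' === $note || mb_strlen( $note ) > 500 ) {
        wp_send_json_error( array( 'message' => 'Note must be 1-500 characters' ), 400 );
    }

    // Use prepared SQL: values are bound through placeholders, never concatenated.
    $table = $wpdb->prefix . 'acme_notes'; // hypothetical custom table; name is not user input
    $ok    = $wpdb->query(
        $wpdb->prepare(
            "INSERT INTO {$table} (post_id, user_id, note) VALUES (%d, %d, %s)",
            $post_id,
            get_current_user_id(),
            $note
        )
    );

    if ( false === $ok ) {
        // Log safely: record identifiers, not the submitted content or the raw request.
        error_log( sprintf( 'acme_save_note: insert failed for post %d, user %d', $post_id, get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Could not save note' ), 500 );
    }

    // Escape output: encode for the HTML context the client will render it in.
    wp_send_json_success( array( 'note_html' => esc_html( $note ) ) );
}
```

`wp_send_json_error()` and `wp_send_json_success()` end the request, so each failed check stops execution before the next step runs.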