
Overview

S-PHP provides a collection of helper functions to simplify common development tasks such as asset management, security, redirects, and environment configuration.

Asset Management

asset()

Generates a URL path for public assets.
function asset($path)

  path: string, required. The relative path to the asset file.

Returns: string. The full path to the asset prefixed with /public/

Usage Example

// In your view/template
<link rel="stylesheet" href="<?= asset('css/style.css') ?>">
<!-- Output: <link rel="stylesheet" href="/public/css/style.css"> -->

<script src="<?= asset('js/app.js') ?>"></script>
<!-- Output: <script src="/public/js/app.js"></script> -->

<img src="<?= asset('images/logo.png') ?>" alt="Logo">
<!-- Output: <img src="/public/images/logo.png" alt="Logo"> -->

Security

sanitizeHtml()

Sanitizes HTML input by removing dangerous content while preserving safe tags.
function sanitizeHtml($input)

  input: string|array, required. The input to sanitize. Can be a string or an array of strings.

Returns: string|array. The sanitized input with dangerous content removed

Allowed Tags

<p>, <br>, <b>, <strong>, <i>, <em>, <ul>, <ol>, <li>, <a>, <img>, <blockquote>, <span>, <div>, <h1>, <h2>, <h3>, <h4>, <h5>, <h6>

Usage Example

// Sanitize user input
$userInput = $_POST['content'];
$clean = sanitizeHtml($userInput);

// Sanitize array of inputs
$comments = [
    '<script>alert("XSS")</script>Hello',
    '<p onclick="alert()">Safe paragraph</p>'
];
$cleanComments = sanitizeHtml($comments);
// Result: ['Hello', '<p>Safe paragraph</p>']

Features

  • Removes <script> and <style> tags
  • Strips event handlers (onclick, onload, etc.)
  • Removes inline styles
  • Blocks dangerous protocols (javascript:, data:) except for valid base64 images
  • Recursively sanitizes arrays
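
The feature list above describes an allow-list sanitizer. The following is an added example of how such a sanitizer can be built on PHP's DOM extension; it is not S-PHP's own code, and the names sanitizeHtmlExample(), sanitizeNodeExample(), safeUrlExample(), ALLOWED_TAGS and ALLOWED_ATTRS are this example's own. It goes slightly beyond the documented behaviour by allow-listing URL schemes (http, https, mailto, relative URLs, data:image base64) instead of naming the two bad ones, and it assumes PHP 8 with ext-dom.

```php
<?php
// Added example (not S-PHP's own code): an allow-list HTML sanitizer that
// behaves like the documented sanitizeHtml(). Requires PHP 8 and ext-dom.
// Function names carry an "Example" suffix so they do not clash with S-PHP.

const ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'a',
    'img', 'blockquote', 'span', 'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6'];
// Attributes kept per tag; everything else (on* handlers, style, id, ...) is dropped.
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];

function safeUrlExample(string $url): bool
{
    // Remove control characters and whitespace, which browsers ignore inside a
    // scheme, before inspecting it; the original attribute value is what is emitted.
    $u = strtolower(preg_replace('/[\x00-\x20]+/', '', $url));
    if (preg_match('#^data:image/(png|gif|jpe?g|webp);base64,[a-z0-9+/]+=*$#', $u)) {
        return true;                                   // the base64 image exception
    }
    if (!preg_match('#^([a-z][a-z0-9+.-]*):#', $u, $m)) {
        return true;                                   // no scheme: relative URL
    }
    // Allow-listing schemes blocks javascript:, data: and anything else the
    // docs do not mention, instead of enumerating the dangerous ones.
    return in_array($m[1], ['http', 'https', 'mailto'], true);
}

function sanitizeNodeExample(DOMNode $node): void
{
    // Walk a snapshot: removing children from a live NodeList while iterating skips nodes.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                $node->removeChild($child);            // drop the element and its content
                continue;
            }
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                // Unknown element: keep its (sanitized) children, drop the wrapper.
                sanitizeNodeExample($child);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
                if ($keep && ($name === 'href' || $name === 'src')) {
                    $keep = safeUrlExample($attr->value);
                }
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            sanitizeNodeExample($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);                // comments, CDATA, PIs
        }
    }
}

function sanitizeHtmlExample(string|array $input): string|array
{
    if (is_array($input)) {
        return array_map('sanitizeHtmlExample', $input); // recurse, as the docs describe
    }
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                   // tolerate sloppy markup quietly
    // The XML declaration makes libxml read the fragment as UTF-8; the wrapper
    // div gives the fragment a single parent to walk.
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $input . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0); // outermost div is the wrapper
    sanitizeNodeExample($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed inputs: the two strings from the docs' usage example plus a
// link whose href uses a scheme the allow-list rejects.
var_dump(sanitizeHtmlExample([
    '<script>alert("XSS")</script>Hello',
    '<p onclick="alert()">Safe paragraph</p>',
    '<a href="javascript:alert(1)">link text</a>',
]));
```

The design point is that everything not explicitly listed is removed: an unknown tag loses its wrapper but keeps its text, an unknown attribute disappears, and an href with an unrecognised scheme is dropped while the link text survives. Sanitizing on input, as the docs' usage example does, is only one half of XSS defence; output that is not meant to carry markup should still go through htmlspecialchars().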

csrf()

Generates and outputs a hidden CSRF token input field.
function csrf()

Returns: void. Echoes a hidden input field containing the CSRF token

Usage Example

<form method="POST" action="/submit">
    <?php csrf(); ?>
    <!-- Output: <input type="hidden" name="csrf_token" value="...token..."> -->
    
    <input type="text" name="username">
    <button type="submit">Submit</button>
</form>

validateCsrfToken()

Validates a CSRF token against the session token.
function validateCsrfToken($token)

  token: string, required. The CSRF token to validate (typically from form submission)

Returns: bool. Returns true if the token is valid, false otherwise

Usage Example

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['csrf_token'] ?? '';
    
    if (!validateCsrfToken($token)) {
        die('Invalid CSRF token');
    }
    
    // Process the form
    // ...
}
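
The csrf() and validateCsrfToken() pair is the usual session-bound token pattern. The following is an added example of how such a pair can be implemented; it is not S-PHP's own code, and the names csrfTokenExample(), csrfExample() and validateCsrfTokenExample() are this example's own. It assumes the session key and the csrf_token field name shown in the docs.

```php
<?php
// Added example (not S-PHP's own code): a session-bound CSRF token pair in the
// shape of the documented csrf() / validateCsrfToken() helpers. Assumes a PHP
// session is available and the form field is named "csrf_token".

function csrfTokenExample(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // One token per session, from the CSPRNG: 32 random bytes -> 64 hex characters.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfExample(): void
{
    // Escape on output even though the token is plain hex, so the helper stays
    // correct if the token format ever changes.
    $token = htmlspecialchars(csrfTokenExample(), ENT_QUOTES, 'UTF-8');
    echo '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

function validateCsrfTokenExample(string $token): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $token === '') {
        return false;                         // no token issued, or none submitted
    }
    // hash_equals compares in constant time, so response timing does not leak
    // how many leading characters of a submitted value matched.
    return hash_equals($expected, $token);
}

// Form: emit the hidden field.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    echo '<form method="POST" action="">';
    csrfExample();
    echo '<input type="text" name="username"><button type="submit">Submit</button></form>';
}

// Handler: reject the request before any state is touched.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!validateCsrfTokenExample($_POST['csrf_token'] ?? '')) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... process the form ...
    echo 'Form accepted';
}
```

Two details matter for a defender: the token comes from random_bytes(), not from a hash of predictable data, and the comparison uses hash_equals() rather than ===. Returning 403 and stopping before any write is what the notes at the end of this page mean by validating on all state-changing requests.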

Routing

redirect()

Redirects the user to a specified URL with an optional flash message.
function redirect($url, $message = "")

  url: string, required. The URL to redirect to
  message: string, default "". Optional flash message to store in the session

Returns: void. Sends a Location header to redirect the browser

Usage Example

// Simple redirect
redirect('/dashboard');

// Redirect with flash message
redirect('/login', 'Please log in to continue');

// In the destination page, retrieve the message:
if (isset($_SESSION['message'])) {
    echo $_SESSION['message'];
    unset($_SESSION['message']);
}

Environment Configuration

loadEnv()

Loads environment variables from a .env file.
function loadEnv($filePath)

  filePath: string, required. The path to the .env file

Returns: bool. Returns true on success, or calls dd() if the file is not found

.env File Format

DB_HOST=localhost
DB_NAME=myapp
DB_USER=root
DB_PASS=secret
APP_ENV=development

Usage Example

// Load environment variables
loadEnv(__DIR__ . '/.env');

// Access variables using env()
$dbHost = env('DB_HOST');

env()

Retrieves an environment variable value.
function env($key, $default = null)

  key: string, required. The environment variable name
  default: mixed, default null. The default value to return if the variable is not set

Returns: mixed. The environment variable value or the default value

Usage Example

// Get environment variable
$dbHost = env('DB_HOST', 'localhost');
$dbPort = env('DB_PORT', 3306);
$appEnv = env('APP_ENV', 'production');

// Use in configuration
$config = [
    'host' => env('DB_HOST'),
    'database' => env('DB_NAME'),
    'username' => env('DB_USER'),
    'password' => env('DB_PASS'),
];
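
The loadEnv() and env() sections above describe the .env format and the lookup-with-default behaviour. The following is an added example of a minimal loader and reader in that shape; it is not S-PHP's own code, and the names loadEnvExample() and envExample() are this example's own. It assumes the KEY=VALUE format shown in the docs, adds "#" comments and optional quotes, and throws on a missing file rather than calling dd().

```php
<?php
// Added example (not S-PHP's own code): a minimal .env loader and env() reader.
// Assumes the KEY=VALUE format from the docs plus "#" comments and optional
// single or double quotes around values. Requires PHP 8.

function loadEnvExample(string $filePath): bool
{
    // The docs' loadEnv() calls dd() here; throwing keeps this example self-contained.
    if (!is_readable($filePath)) {
        throw new RuntimeException(".env file not found or unreadable: $filePath");
    }
    foreach (file($filePath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;                                  // blank line or comment
        }
        if (!preg_match('/^([A-Z_][A-Z0-9_]*)\s*=\s*(.*)$/i', $line, $m)) {
            continue;                                  // malformed line, ignore
        }
        [, $key, $value] = $m;
        if (preg_match('/^(["\'])(.*)\1$/', $value, $q)) {
            $value = $q[2];                            // quoted: keep spaces and "#"
        } else {
            $value = trim(preg_replace('/\s+#.*$/', '', $value)); // unquoted: strip trailing comment
        }
        // A value already present in the process environment wins, so a
        // deployment can override a committed default without editing the file.
        if (getenv($key) !== false) {
            continue;
        }
        putenv("$key=$value");
        $_ENV[$key] = $value;
    }
    return true;
}

function envExample(string $key, mixed $default = null): mixed
{
    $value = $_ENV[$key] ?? getenv($key);
    if ($value === false || $value === null) {
        return $default;
    }
    // Map the textual booleans so APP_DEBUG=false is not a truthy string.
    return match (strtolower((string) $value)) {
        'true'  => true,
        'false' => false,
        default => $value,
    };
}

// Constructed sample file, written to a temp path so the example runs stand-alone.
// In a real deployment the .env file belongs outside the web server's document
// root (or must be denied by the server config) so it is never served as a file.
$tmp = tempnam(sys_get_temp_dir(), 'env');
file_put_contents($tmp, "# database\nDB_HOST=localhost\nDB_PASS=\"se cret#1\"\nAPP_DEBUG=false # dev only\n");
loadEnvExample($tmp);
var_dump(
    envExample('DB_HOST'),
    envExample('DB_PASS'),
    envExample('APP_DEBUG'),
    envExample('DB_PORT', 3306),
);
unlink($tmp);
```

The reader goes through $_ENV and getenv() rather than $_SERVER, which matches the last note on this page; the loader's "environment wins over file" rule is what lets the same code run with a committed development .env and injected production secrets.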

Debugging

dd()

Dump and die - outputs a variable’s contents and terminates script execution.
function dd($arr)

  arr: mixed, required. The variable to dump (can be any type, not just arrays)

Returns: void. Outputs the variable contents in a formatted <pre> block and stops execution

Usage Example

// Debug an array
$users = ['Alice', 'Bob', 'Charlie'];
dd($users);
// Script execution stops here

// Debug an object
$user = new User();
dd($user);

// Debug request data
dd($_POST);

// Debug environment variables
dd($_ENV);

Output Example

Array
(
    [0] => Alice
    [1] => Bob
    [2] => Charlie
)

Notes

  • All helper functions are globally available without needing to import or use namespaces
  • CSRF tokens are stored in the session and should be validated on all state-changing requests
  • The sanitizeHtml() function is designed for content that needs to preserve some HTML formatting while being safe from XSS attacks
  • Always use env() to access environment variables rather than directly accessing $_ENV or $_SERVER
