10 PHP Security Interview Questions and Answers

PHP remains a cornerstone in web development, powering a significant portion of websites and applications. Its flexibility and ease of use make it a popular choice for developers, but with its widespread adoption comes the critical need for robust security practices. Understanding PHP security is essential for safeguarding applications against common vulnerabilities and ensuring data integrity.

This article offers a curated selection of PHP security questions and answers to help you prepare for technical interviews. By familiarizing yourself with these topics, you’ll be better equipped to demonstrate your knowledge of secure coding practices and address potential security concerns effectively.

PHP Security Interview Questions and Answers

1. Explain how SQL Injection works and provide an example of how to prevent it in PHP.

SQL Injection works by inserting malicious SQL code into a query. For example, consider a login form where the user inputs a username and password. If these inputs are directly included in an SQL query without proper sanitization, an attacker can manipulate the query to bypass authentication.

Example of vulnerable code:

$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($conn, $query);

In this example, if an attacker inputs admin' -- as the username and anything as the password, the query becomes:

SELECT * FROM users WHERE username = 'admin' --' AND password = 'anything'

The -- comment sequence causes the rest of the query to be ignored, effectively bypassing the password check.

To prevent SQL Injection, use prepared statements with parameterized queries. This ensures that user input is treated as data and not executable code.

Example of secure code:

$stmt = $conn->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$result = $stmt->get_result();

2. What is Cross-Site Scripting (XSS) and how can you mitigate it in a PHP application? Provide code examples.

Cross-Site Scripting (XSS) allows attackers to inject scripts into content from trusted websites. These scripts can execute in the user’s browser, leading to activities like stealing cookies or session tokens.

To mitigate XSS in a PHP application, you can:

• Sanitize User Input: Remove potentially harmful code from user inputs.
• Escape Output: Ensure data is escaped before rendering in the browser.
• Use Security Headers: Implement Content Security Policy (CSP) headers to restrict script sources.

Example of sanitizing and escaping data in PHP:

// Sanitize user input
$user_input = filter_input(INPUT_GET, 'user_input', FILTER_SANITIZE_STRING);

// Escape output before rendering
echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');

3. Describe the concept of Cross-Site Request Forgery (CSRF) and demonstrate how to implement CSRF protection in a PHP form.

Cross-Site Request Forgery (CSRF) forces users to execute unwanted actions on a web application where they are authenticated. CSRF attacks target state-changing requests, not data theft, as the attacker cannot see the response.

To protect against CSRF attacks in PHP, use tokens. A CSRF token is a unique, secret value generated by the server and included in subsequent HTTP requests. The server validates the token to ensure the request is legitimate.

Example:

// Generate a CSRF token
session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Include the CSRF token in the form
?>
<form method="POST" action="process_form.php">
    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
    <!-- Other form fields -->
    <input type="submit" value="Submit">
</form>
<?php

// Validate the CSRF token in process_form.php
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
        // Invalid CSRF token
        die('Invalid CSRF token');
    }
    // Process the form
}

4. How would you securely handle file uploads in PHP to prevent vulnerabilities? Include code snippets in your explanation.

To securely handle file uploads in PHP, follow these practices:

• Validate the file type: Ensure the uploaded file is of an allowed type.
• Check the file size: Limit the size of the uploaded file.
• Rename the file: Use a unique name for the uploaded file.
• Store the file securely: Save the file in a directory that is not publicly accessible.

Example:

<?php
$allowedTypes = ['image/jpeg', 'image/png', 'application/pdf'];
$maxFileSize = 2 * 1024 * 1024; // 2 MB
$uploadDir = 'uploads/';

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    $file = $_FILES['file'];
    
    // Validate file type
    if (!in_array($file['type'], $allowedTypes)) {
        die('Invalid file type.');
    }
    
    // Check file size
    if ($file['size'] > $maxFileSize) {
        die('File size exceeds the limit.');
    }
    
    // Generate a unique file name
    $fileName = uniqid() . '-' . basename($file['name']);
    $filePath = $uploadDir . $fileName;
    
    // Move the file to the secure directory
    if (move_uploaded_file($file['tmp_name'], $filePath)) {
        echo 'File uploaded successfully.';
    } else {
        echo 'File upload failed.';
    }
}
?>

5. What are prepared statements and how do they help in preventing SQL Injection attacks? Provide a code example using PDO.

Prepared statements in PHP execute SQL queries securely by using placeholders for parameters and binding actual values before execution. This ensures user input is treated as data, preventing SQL Injection attacks.

Example using PDO:

<?php
$dsn = 'mysql:host=localhost;dbname=testdb';
$username = 'root';
$password = '';

try {
    $pdo = new PDO($dsn, $username, $password);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
    $stmt->bindParam(':email', $email);

    $email = '[email protected]';
    $stmt->execute();

    $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
    print_r($result);

} catch (PDOException $e) {
    echo 'Connection failed: ' . $e->getMessage();
}
?>

6. What is the purpose of the htmlspecialchars() function in PHP? Provide an example of its usage.

The htmlspecialchars() function in PHP converts special characters to HTML entities, helping prevent XSS attacks. By converting characters like <, >, &, and " to their respective HTML entities, the function ensures potentially malicious code is displayed as plain text.

Example:

$input = '<script>alert("XSS Attack!");</script>';
$safe_input = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

echo $safe_input;
// Output: <script>alert("XSS Attack!");</script>

7. Explain the concept of password hashing and demonstrate how to hash passwords securely in PHP using the password_hash() function.

Password hashing converts a plain text password into a fixed-length string, typically a hash value, to ensure that even if hashed passwords are exposed, the original passwords cannot be easily retrieved. Hashing is a one-way function, meaning it is computationally infeasible to reverse the hash back to the original password.

In PHP, the password_hash() function creates a secure hash of a password. This function automatically handles the generation of a cryptographic salt and uses a strong hashing algorithm (by default, bcrypt). The use of salts ensures that even if two users have the same password, their hashed passwords will be different.

Example:

$password = 'securepassword123';
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);

echo $hashedPassword;

8. How would you prevent directory traversal attacks in a PHP application? Provide a code example.

Directory traversal attacks can be prevented by validating and sanitizing user inputs, using secure functions, and implementing proper access controls. One effective method is to use realpath() to resolve the absolute path and ensure it is within the intended directory.

Example:

function secure_file_access($file) {
    $base_dir = '/var/www/html/uploads/';
    $real_path = realpath($base_dir . $file);

    if (strpos($real_path, $base_dir) === 0 && file_exists($real_path)) {
        return file_get_contents($real_path);
    } else {
        return 'Access Denied';
    }
}

// Usage
echo secure_file_access('example.txt');

In this example, the realpath() function resolves the absolute path of the file, and strpos() ensures that the resolved path starts with the base directory. This prevents access to files outside the intended directory.

9. Explain how to handle cookies securely in PHP. Include examples of setting secure attributes.

Handling cookies securely in PHP involves setting specific attributes when creating cookies:

• Secure Attribute: Ensures the cookie is only sent over HTTPS.
• HttpOnly Attribute: Prevents the cookie from being accessed via JavaScript.
• SameSite Attribute: Helps mitigate CSRF attacks by controlling how cookies are sent with cross-site requests.

Example:

setcookie(
    "example_cookie", 
    "cookie_value", 
    [
        "expires" => time() + 3600, // 1 hour
        "path" => "/",
        "domain" => "example.com",
        "secure" => true, // Only send over HTTPS
        "httponly" => true, // Not accessible via JavaScript
        "samesite" => "Strict" // Mitigate CSRF
    ]
);

10. How would you encrypt sensitive data in PHP? Provide examples of encryption and decryption.

Encrypting sensitive data in PHP can be done using the openssl extension. The openssl_encrypt and openssl_decrypt functions are commonly used for this purpose.

Example:

<?php
// Define the data to be encrypted
$data = "Sensitive Data";

// Define a secret key
$secret_key = "my_secret_key";

// Define the encryption method
$method = "AES-256-CBC";

// Generate an initialization vector (IV)
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($method));

// Encrypt the data
$encrypted_data = openssl_encrypt($data, $method, $secret_key, 0, $iv);

// Encode the encrypted data and IV for storage
$encrypted_data = base64_encode($encrypted_data . '::' . $iv);

// Decrypt the data
list($encrypted_data, $iv) = explode('::', base64_decode($encrypted_data), 2);
$decrypted_data = openssl_decrypt($encrypted_data, $method, $secret_key, 0, $iv);

echo "Encrypted Data: " . $encrypted_data . "\n";
echo "Decrypted Data: " . $decrypted_data . "\n";
?>