PHP Security Best Practices Flashcards

(25 cards)

1
Q

What is PHP security?

A

PHP security involves protecting PHP applications from threats like hacks, data breaches, and vulnerabilities.

Secure PHP code prevents attacks, ensuring data integrity and user trust. In WordPress, security is critical for plugins and themes. Freelancers secure client sites, while enterprise architects implement robust measures for high-stakes systems, aligning with your WordPress security interests.

2
Q

What is input validation in PHP?

A

Input validation checks user data to ensure it meets expected formats, like validating an email.

Functions like filter_var($email, FILTER_VALIDATE_EMAIL) validate inputs. In WordPress, it secures form data. Freelancers validate client inputs, while enterprise architects enforce validation to prevent malicious data in large systems.

3
Q

What is input sanitization in PHP?

A

Input sanitization cleans user data to remove harmful content, like filter_var($input, FILTER_SANITIZE_STRING) (note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1).

Sanitization removes scripts or invalid characters. In WordPress, it’s used for post submissions. Freelancers sanitize data for safety, while enterprise architects ensure sanitized inputs for secure processing.

4
Q

What is SQL injection in PHP?

A

SQL injection inserts malicious SQL into queries via unsanitized inputs.

For example, $id = $_GET['id']; $sql = "SELECT * FROM users WHERE id = $id"; is vulnerable. In WordPress, $wpdb->prepare() prevents this. Freelancers secure queries, while enterprise architects enforce prepared statements, as seen in your database deck.

5
Q

How do you prevent SQL injection in PHP?

A

Use prepared statements or escape inputs, like $stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");.

PDO or $wpdb->prepare() binds values safely. Freelancers protect WordPress plugins, while enterprise architects implement strict query security for enterprise databases.

6
Q

What is Cross-Site Scripting (XSS) in PHP?

A

XSS injects malicious scripts into web pages viewed by users.

For example, <script>alert('Hacked');</script> submitted in a form input. In WordPress, escaping output prevents XSS. Freelancers secure client forms, while enterprise architects enforce output escaping for system-wide protection.

7
Q

How do you prevent XSS in PHP?

A

Escape output with functions like htmlspecialchars($data, ENT_QUOTES, 'UTF-8').

It converts special characters to HTML entities. In WordPress, esc_html() is used. Freelancers apply it in templates, while enterprise architects ensure consistent escaping across applications.

8
Q

What is Cross-Site Request Forgery (CSRF) in PHP?

A

CSRF tricks users into executing unwanted actions via forged requests.

For example, a malicious link updates a user’s profile. In WordPress, nonces prevent CSRF. Freelancers secure forms, while enterprise architects implement CSRF tokens for secure APIs.

9
Q

How do you prevent CSRF in PHP?

A

Use CSRF tokens, like generating a unique token and validating it on form submission.

In WordPress, wp_nonce_field() creates tokens. Freelancers add nonces to client forms, while enterprise architects enforce token validation for secure transactions.

10
Q

What is a nonce in PHP/WordPress?

A

A nonce is a one-time token to validate request authenticity.

In WordPress, wp_create_nonce() generates nonces, verified with wp_verify_nonce(). Freelancers secure plugin actions, while enterprise architects use nonces for API and form security, as in your WordPress security deck.

11
Q

What is session management in PHP?

A

Session management tracks user data across requests using session_start() and $_SESSION.

In WordPress, sessions store login states. Freelancers manage sessions for user features, while enterprise architects secure sessions to prevent hijacking in large systems.

12
Q

How do you secure PHP sessions?

A

Use session_regenerate_id(), secure cookies, and HTTPS, like session_set_cookie_params(['secure' => true]).

Regenerating the session ID prevents session fixation. In WordPress, secure sessions protect user logins. Freelancers implement secure sessions, while enterprise architects enforce encryption and timeouts.

13
Q

What is password hashing in PHP?

A

Password hashing converts passwords into secure strings, like password_hash($password, PASSWORD_DEFAULT).

In WordPress, wp_hash_password() secures user passwords. Freelancers hash passwords for client logins, while enterprise architects use strong algorithms like bcrypt for compliance.

14
Q

How do you verify a hashed password in PHP?

A

Use password_verify($password, $hash), which returns true if they match.

In WordPress, wp_check_password() verifies logins. Freelancers secure authentication, while enterprise architects ensure secure password validation in enterprise systems.

15
Q

What is file inclusion vulnerability in PHP?

A

File inclusion allows attackers to include malicious files via inputs, like include $_GET['file'];.

In WordPress, it’s mitigated by validating includes. Freelancers avoid dynamic includes, while enterprise architects enforce strict file paths for security.

16
Q

How do you prevent file inclusion attacks in PHP?

A

Use static includes or validate inputs, like include "safe_file.php";.

In WordPress, require_once ensures safe inclusion. Freelancers secure plugin files, while enterprise architects restrict include paths in large codebases.

17
Q

What is the filter_var() function in PHP?

A

filter_var() validates or sanitizes data, like filter_var($email, FILTER_VALIDATE_EMAIL).

In WordPress, it validates form inputs. Given your array manipulation experience, freelancers use it for client data, while enterprise architects enforce it for input safety.

18
Q

What is the escapeshellarg() function in PHP?

A

escapeshellarg() escapes shell command arguments, like escapeshellarg($input).

It prevents command injection in system calls. It is rarely needed in WordPress; freelancers use it to secure scripts, while enterprise architects protect server-side operations.

19
Q

What is secure file upload handling in PHP?

A

Validate file types and sizes, and use move_uploaded_file(), like move_uploaded_file($_FILES['file']['tmp_name'], $dest).

In WordPress, it secures media uploads. Freelancers validate client uploads, while enterprise architects enforce strict checks for secure storage.

20
Q

What is the principle of least privilege in PHP?

A

Grant only necessary permissions to users, files, or database accounts.

In WordPress, limit database user rights. Freelancers configure minimal permissions, while enterprise architects enforce least privilege for compliance and security.

21
Q

What is error reporting in PHP security?

A

Disable error display in production to hide sensitive information, like ini_set('display_errors', 0);.

In WordPress, WP_DEBUG is disabled live. Freelancers secure client sites, while enterprise architects log errors without exposing details.

22
Q

What are HTTP security headers in PHP?

A

Headers like Content-Security-Policy protect against attacks, set via header().

For example, header("Content-Security-Policy: default-src 'self'");. In WordPress, plugins add headers. Freelancers enhance client security, while enterprise architects enforce headers for enterprise-grade protection.

23
Q

What is the openssl_encrypt() function in PHP?

A

openssl_encrypt() encrypts data, like $encrypted = openssl_encrypt($data, 'AES-256-CBC', $key, 0, $iv); where $iv is a random 16-byte initialization vector (omitting the IV triggers a PHP warning and weakens the encryption).

Used for sensitive data (e.g., payment info). In WordPress, it’s used in plugins. Freelancers secure client data, while enterprise architects implement encryption for compliance.

24
Q

What is secure configuration in PHP?

A

Harden php.ini settings, like disable_functions = exec,shell_exec.

Limits dangerous functions. In WordPress, secure hosting configs are key. Freelancers configure client servers, while enterprise architects enforce strict settings for enterprise environments.

25
Q

What is a security audit in PHP?

A

A security audit reviews code and configurations for vulnerabilities.

Tools like PHPStan or manual reviews identify issues. In WordPress, freelancers audit client plugins, while enterprise architects conduct regular audits for enterprise-grade security, similar to your WordPress security deck.