🔐 PHP Security Interview Questions
🟢 Beginner Level
1. What is SQL Injection?
👉 A vulnerability where an attacker inserts malicious SQL into input fields to manipulate the database.
2. How do you prevent SQL Injection in PHP?
👉 Using:
- Prepared Statements (PDO / MySQLi)
- Parameterized queries
3. What is XSS?
👉 Cross-Site Scripting allows attackers to inject JavaScript into web pages viewed by other users.
4. How to prevent XSS in PHP?
👉 Use:
htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
5. What is CSRF?
👉 Cross-Site Request Forgery tricks users into performing unwanted actions.
6. How to prevent CSRF?
👉 Use CSRF tokens stored in session and validated on form submission.
7. What is password hashing?
👉 Converting a password into a secure one-way hash so the original password is never stored.
8. Which function is used for password hashing in PHP?
👉 password_hash()
9. How to verify password?
👉 password_verify()
10. What is data sanitization?
👉 Cleaning user input to remove unwanted or harmful data.
🟡 Intermediate Level
11. Difference between sanitization and validation?
👉
- Validation → Check if data is correct
- Sanitization → Clean the data
12. What is session hijacking?
👉 An attacker steals a user's session ID to impersonate that user.
13. How to prevent session hijacking?
👉
- Use HTTPS
- Regenerate session ID
- Set secure cookies
14. What are secure cookies?
👉 Cookies with:
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict'
]);
15. What is SameSite cookie attribute?
👉 Prevents CSRF by restricting cross-site cookie sending.
16. What is clickjacking?
👉 Attacker tricks user into clicking hidden elements.
17. How to prevent clickjacking?
👉 Send the response header:
header("X-Frame-Options: SAMEORIGIN");
18. What is Content Security Policy (CSP)?
👉 A response header that helps prevent XSS by controlling which sources the browser may load scripts and other resources from.
19. What is file upload vulnerability?
👉 Letting users upload malicious files (such as .php scripts) that the server may then execute.
20. How to secure file uploads?
👉
- Validate file type
- Rename file
- Store outside public folder
🔴 Advanced Level
21. What is prepared statement internally?
👉 The query template is sent to the database and compiled first; the parameters are bound afterwards as plain data, so they can never change the query structure → prevents injection.
22. What is output escaping vs input filtering?
👉
- Input filtering → Clean data before saving it
- Output escaping → Encode data when it is displayed so the browser does not interpret it as markup
23. What is the difference between htmlentities() and htmlspecialchars()?
👉
- htmlspecialchars() → Converts only the special characters &, <, >, " and ' (the last one with ENT_QUOTES)
- htmlentities() → Converts every character that has a named HTML entity equivalent
24. What is timing attack in password comparison?
👉 An attacker measures how long a comparison takes; a plain == comparison stops at the first mismatching byte, so the response time leaks how much of the secret matched.
👉 Prevent using:
hash_equals()
(password_verify() is already timing-safe; hash_equals() is for when you compare tokens, HMACs or hashes yourself.)
25. What is CORS and is it a security feature?
👉 Cross-Origin Resource Sharing
❗ Not a security feature on its own; it is a browser mechanism that relaxes the same-origin policy in a controlled way
26. What is rate limiting?
👉 Limiting number of requests per user/IP to prevent abuse.
27. How to secure APIs in PHP?
👉
- API keys / tokens
- JWT authentication
- Rate limiting
- HTTPS
28. What is JWT?
👉 JSON Web Token: a signed token sent with each request, used for stateless authentication.
29. What are common PHP security best practices?
👉
- Disable display_errors
- Use HTTPS
- Keep PHP updated
- Validate all inputs
- Use least privilege DB access
30. What is OWASP?
👉 Non-profit organization that publishes the OWASP Top 10, a list of the most critical web application security risks
💡 Pro Interview Tips
👉 Always mention:
- Prepared Statements
- CSRF Token
- XSS Prevention
- Password Hashing
👉 Real-world example = BIG PLUS ⭐