This post covers the Secure Socket Layer section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
Secure Socket Layer (SSL) encryption protects data as it is transmitted between client and server.
SSL allows sensitive information such as login credentials to be transmitted securely without being sent in plain text which …
This post covers the File Uploads section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
The $_FILES superglobal is filled with user-supplied data, so file uploads made through it can pose a security risk, because user-supplied data can never be trusted.
The first security risk is that file names …
This post covers the Password Hashing section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
It is common knowledge that you should never store passwords in plain text. This leads on to discussions about which form of password hashing is best at making them difficult to crack.
PHP hashing algorithms such …
This post covers the Escape Output section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
One of the fundamental rules of security in any programming language is escaping output. Consider the following script, which is vulnerable to a Cross-Site Scripting (XSS) attack.
<?php
$name = $_GET['name'];
echo "Hi …
This post covers the Input Filtering section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
Validating user input within any programming language is a fundamental security feature that prevents applications from being vulnerable to attacks such as SQL and remote code injection.
‘Invalid Encoding’ attacks can be caused by an …
This post covers the Email Injection section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
PHP contains functions and classes that assist with sending mail, and as a result, some security measures should be taken to prevent injection of spam-related content into the email.
When sending an email using the …
This post covers the Remote Code Injection section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
Remote code injection, also known as a remote file inclusion attack, runs malicious code created by an attacker on a given server. This is often done by exploiting the functionality of PHP’s include() and require() …
This post covers the SQL Injection section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
SQL Injection is a type of attack where an attacker creates or alters existing SQL commands to expose or override data, or to execute dangerous commands against the host. It can be as simple as adding malicious …
This post covers the Cross-Site Request Forgery section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
Cross-Site Request Forgery (CSRF) is a type of attack that causes a malicious action on a website from a user’s browser that is running a valid session.
The attack happens when fake forms or …
This post covers the Cross-Site Scripting section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
Cross-Site Scripting (XSS) is one of the most common forms of security attack on the Internet.
The attack focuses on injecting code which is made possible by incorrectly validating user data, which …