Security is a set of habits, not a single library. PHP apps face the same threats as any web stack—prioritize the OWASP Top 10 basics.
Core defenses
- SQL injection — prepared statements always for user data
- XSS — escape on output (htmlspecialchars), Content-Security-Policy headers
- CSRF — tokens on state-changing forms; SameSite cookies help
- Session fixation/hijacking — regenerate session ID on login; HttpOnly + Secure cookies
- Password storage — password_hash/password_verify, never plain text or MD5
Password hashing
$hash = password_hash($password, PASSWORD_DEFAULT); // salted bcrypt today; store the whole hash string, the default may change
password_verify($password, $hash);                   // true on a match; pair with password_needs_rehash() to upgrade old hashes
Secrets and config
Keep API keys and DB passwords in environment variables ($_ENV, getenv)—not in Git. Frameworks wrap this in .env files excluded from version control.
Important interview questions and answers
- Q: XSS vs SQL injection?
  A: XSS executes malicious scripts in victims' browsers; SQL injection manipulates database queries—fix with escaping/CSP vs prepared statements.
- Q: Why bcrypt/argon2 via password_hash?
  A: Adaptive cost slows brute force; salts are handled automatically.
- Q: Defense in depth?
  A: Layer validation, escaping, headers, least privilege DB users, and monitoring—no single fix is enough.
Self-check
- Where do you escape—on input or output?
- Why regenerate session ID after login?
Pitfall: Escape on output with context-aware functions—HTML, JSON, and URL encoding differ.
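The core defenses listed above and the context-aware escaping pitfall, worked through as an added example that is not part of the original notes. It assumes PHP 8 with PDO, a hypothetical users(id, email, pass_hash) table, and helper names chosen for illustration.

```php
<?php
// Added example, not from the original notes. Assumes PHP 8 with PDO and a
// hypothetical users(id, email, pass_hash) table; function names are made up.

// Session cookies: HttpOnly + Secure, and SameSite against CSRF.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
header("Content-Security-Policy: default-src 'self'");

// SQL injection: bind user data as a parameter, never interpolate it.
function findUserByEmail(PDO $pdo, string $email): ?array {
    $stmt = $pdo->prepare('SELECT id, email, pass_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// XSS: escape on output with the encoder that matches the context.
function escHtml(string $s): string {   // HTML body or quoted attribute
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function escJs(mixed $v): string {      // value embedded in a <script> block
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}
function escUrl(string $s): string {    // value inside a query string
    return rawurlencode($s);
}

// CSRF: one random token per session, compared in constant time.
function csrfToken(): string {
    $_SESSION['csrf'] ??= bin2hex(random_bytes(32));
    return $_SESSION['csrf'];
}
function csrfValid(?string $submitted): bool {
    return is_string($submitted) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Login: verify the hash, then regenerate the session ID to block fixation.
function login(PDO $pdo, string $email, string $password): bool {
    $user = findUserByEmail($pdo, $email);
    // Verify against a dummy hash for unknown users so timing does not reveal which emails exist.
    $hash = $user['pass_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($user === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    return true;
}
```

Each escaper is for one context only: escHtml output must never be dropped into a script block, and escUrl must only wrap a single query-string value.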
Interview prep
- How to store passwords?
  password_hash with PASSWORD_DEFAULT (bcrypt/argon2) and verify with password_verify—never MD5 or plain text.