MCQs On Class 28: PHP Security Practices

Rashmi Mishra

Multiple Choice Questions on PHP Security Practices

1.  Which of the following is a common vulnerability in PHP applications?

o    A) SQL Injection

o    B) XSS

o    C) CSRF

o    D) All of the above
Answer: D

2.  What does SQL Injection exploit?

o    A) Weak passwords

o    B) Poorly constructed SQL queries

o    C) Unvalidated input

o    D) Both B and C
Answer: D

3.  What is the purpose of input validation?

o    A) To improve performance

o    B) To prevent unauthorized access

o    C) To ensure only expected data types are processed

o    D) To speed up database queries
Answer: C

4.  Which function is commonly used to sanitize user input in PHP?

o    A) htmlspecialchars()

o    B) str_replace()

o    C) trim()

o    D) intval()
Answer: A

5.  What is Cross-Site Scripting (XSS)?

o    A) An attack that targets databases

o    B) An attack that allows an attacker to execute scripts in the user's browser

o    C) An attack on web servers

o    D) None of the above
Answer: B

6.  How can you prevent CSRF attacks?

o    A) Use HTTPS

o    B) Validate user sessions

o    C) Use CSRF tokens in forms

o    D) All of the above
Answer: C

7.  Which of the following is NOT a method to prevent SQL Injection?

o    A) Prepared statements

o    B) Escaping user inputs

o    C) Input validation

o    D) Using eval() function
Answer: D

8.  What is the purpose of the htmlspecialchars() function?

o    A) To encrypt data

o    B) To escape HTML characters to prevent XSS

o    C) To sanitize SQL inputs

o    D) To format strings
Answer: B

9.  What type of attack involves intercepting and altering communication between the user and server?

o    A) Phishing

o    B) Man-in-the-middle attack

o    C) SQL Injection

o    D) XSS
Answer: B

10.  Which of the following is a secure way to handle passwords in PHP?

o    A) Storing them in plain text

o    B) Using MD5 hashing

o    C) Using bcrypt for hashing

o    D) Using base64 encoding
Answer: C

11.  What does HTTPS stand for?

o    A) Hyper Text Transfer Protocol Secure

o    B) Hyper Text Transfer Protocol Standard

o    C) Hypertext Transmission Protocol Secure

o    D) Hypertext Transfer Protocol Shield
Answer: A

12.  What does CSRF stand for?

o    A) Cross-Site Request Forgery

o    B) Cross-Site Resource Function

o    C) Client-Side Request Forgery

o    D) Cross-Site Resource Framework
Answer: A

13.  Which method is commonly used to validate email addresses in PHP?

o    A) filter_var()

o    B) preg_match()

o    C) strpos()

o    D) validate_email()
Answer: A

14.  What is a common reason for a PHP application to log errors?

o    A) To inform users of their actions

o    B) To improve performance

o    C) To help in debugging and security audits

o    D) To display messages to users
Answer: C

15.  What is the purpose of the session_start() function?

o    A) To start a new PHP process

o    B) To initiate a session for tracking user activity

o    C) To log errors

o    D) To connect to the database
Answer: B

16.  Which of the following can help prevent XSS attacks?

o    A) Using cookies

o    B) Validating URLs

o    C) Escaping output using htmlspecialchars()

o    D) Enabling error reporting
Answer: C

17.  What is the best practice for file uploads in PHP?

o    A) Allow all file types

o    B) Validate and sanitize file types and sizes

o    C) Save uploaded files in the web root

o    D) Allow users to upload executable files
Answer: B

18.  Which method can be used to encrypt sensitive data in PHP?

o    A) md5()

o    B) base64_encode()

o    C) openssl_encrypt()

o    D) sha1()
Answer: C

19.  What should you do if your application has sensitive data in URLs?

o    A) Leave it as is

o    B) Use HTTPS

o    C) Encode the data

o    D) Both B and C
Answer: D

20.  What does the filter_var() function do?

o    A) Filters user input for specific characters

o    B) Validates and sanitizes data

o    C) Filters session data

o    D) Both A and B
Answer: B

21.  What is a potential consequence of failing to sanitize user inputs?

o    A) Faster application performance

o    B) Increased user satisfaction

o    C) Security vulnerabilities

o    D) Reduced server load
Answer: C

22.  Which of the following is a common type of session fixation attack?

o    A) An attacker steals a session cookie

o    B) An attacker hijacks a session by fixing the session ID

o    C) An attacker executes malicious scripts

o    D) An attacker sends fake emails
Answer: B

23.  What does the acronym OWASP stand for?

o    A) Open Web Application Security Project

o    B) Open Web Application Security Protocol

o    C) Online Web Application Security Program

o    D) Open Web Application System Protection
Answer: A

24.  What is the purpose of an SSL certificate?

o    A) To improve website speed

o    B) To secure communication between the server and clients

o    C) To store user passwords securely

o    D) To enable file uploads
Answer: B

25.  Which of the following is a safe practice for error handling in PHP?

o    A) Displaying detailed error messages to users

o    B) Logging errors without exposing sensitive information

o    C) Hiding all error messages

o    D) Ignoring errors
Answer: B

26.  What does the term "input validation" refer to?

o    A) Checking if the user is logged in

o    B) Verifying that user input matches expected formats and values

o    C) Validating output for HTML

o    D) All of the above
Answer: B

27.  Which of the following functions should you use to generate a random token for CSRF protection?

o    A) uniqid()

o    B) random_bytes()

o    C) rand()

o    D) md5()
Answer: B

28.  Which PHP extension is commonly used to interact with databases securely?

o    A) mysqli

o    B) PDO

o    C) pgsql

o    D) All of the above
Answer: D

29.  What is the risk of using eval() in PHP?

o    A) It can slow down the application

o    B) It can lead to arbitrary code execution if user input is evaluated

o    C) It uses too many resources

o    D) It is deprecated
Answer: B

30.  How can you protect file uploads against path traversal attacks?

o    A) Validate file extensions

o    B) Sanitize file names

o    C) Store files in a directory outside the web root

o    D) All of the above
Answer: D

31.  What is an effective way to protect sensitive user data in the database?

o    A) Use plain text for passwords

o    B) Encrypt sensitive data before storing it

o    C) Hash passwords using SHA-1

o    D) Store user data in session variables
Answer: B

32.  What does the strip_tags() function do?

o    A) Removes HTML and PHP tags from a string

o    B) Strips whitespace from a string

o    C) Removes numbers from a string

o    D) Validates email addresses
Answer: A

33.  Which of the following methods can be used to ensure secure session management?

o    A) Regenerate session IDs on login

o    B) Use long session timeouts

o    C) Allow session IDs in URLs

o    D) All of the above
Answer: A

34.  What is the purpose of a Content Security Policy (CSP)?

o    A) To speed up website loading

o    B) To restrict resources that can be loaded by the browser

o    C) To improve search engine optimization

o    D) To enhance user experience
Answer: B

35.  What is the use of mysqli_real_escape_string()?

o    A) To escape special characters in a string for use in an SQL statement

o    B) To hash passwords

o    C) To validate email addresses

o    D) To remove HTML tags from a string
Answer: A

36.  Which HTTP method is commonly used to send data securely?

o    A) GET

o    B) POST

o    C) PUT

o    D) DELETE
Answer: B

37.  What is the purpose of session_regenerate_id()?

o    A) To delete an existing session

o    B) To create a new session

o    C) To prevent session fixation attacks

o    D) To log out a user
Answer: C

38.  Which of the following can be used to prevent directory listing on a web server?

o    A) Using the .htaccess file

o    B) Disabling directory listing in server configuration

o    C) Removing index files

o    D) Both A and B
Answer: D

39.  Which of the following is a safe way to store user passwords?

o    A) Plain text

o    B) MD5 hash

o    C) bcrypt hash

o    D) SHA-256 hash
Answer: C

40.  What is the main purpose of an application firewall?

o    A) To protect the server from DDoS attacks

o    B) To filter incoming traffic to web applications

o    C) To manage user sessions

o    D) To improve website performance
Answer: B

41.  What is a common practice to secure cookies?

o    A) Using secure and HttpOnly flags

o    B) Storing sensitive data in cookies

o    C) Using long expiration times

o    D) Allowing access from any domain
Answer: A

42.  What does the parse_url() function do?

o    A) Parses a URL and returns its components

o    B) Validates a URL

o    C) Encodes a URL

o    D) Both A and B
Answer: A

43.  What is the benefit of using prepared statements in SQL queries?

o    A) They improve performance

o    B) They prevent SQL Injection attacks

o    C) They are easier to read

o    D) They reduce server load
Answer: B

44.  How should sensitive information be handled in logs?

o    A) Log everything without filtering

o    B) Remove sensitive information before logging

o    C) Use plain text for logs

o    D) Log user passwords
Answer: B

45.  Which of the following is an example of a secure password policy?

o    A) Minimum length of 6 characters

o    B) Allowing easily guessable passwords

o    C) Requiring special characters and numbers

o    D) No password expiration
Answer: C

46.  What is the purpose of Cross-Origin Resource Sharing (CORS)?

o    A) To improve server performance

o    B) To allow secure cross-origin requests

o    C) To prevent data from being sent to external sites

o    D) To cache resources
Answer: B

47.  Which of the following is a good practice for securing PHP applications?

o    A) Disabling error reporting in production

o    B) Using the same credentials for different services

o    C) Allowing file uploads without restrictions

o    D) None of the above
Answer: A

48.  What does the term "session hijacking" refer to?

o    A) A legitimate user accessing their session

o    B) An attacker stealing a user's session ID

o    C) A user resetting their session

o    D) A user creating a new session
Answer: B

49.  Which PHP function is used to create a cookie?

o    A) setcookie()

o    B) create_cookie()

o    C) cookie_create()

o    D) add_cookie()
Answer: A

50.  What is a web application vulnerability scanner?

o    A) A tool to improve website performance

o    B) A tool to identify security vulnerabilities in web applications

o    C) A tool to monitor website traffic

o    D) A tool to manage user sessions
Answer: B

51.  Which of the following is an indication of a weak password?

o    A) A mix of uppercase and lowercase letters

o    B) A combination of letters, numbers, and symbols

o    C) A common word or phrase

o    D) A password longer than 12 characters
Answer: C

52.  What is the purpose of the password_hash() function?

o    A) To encrypt passwords

o    B) To hash passwords securely

o    C) To decode passwords

o    D) To validate passwords
Answer: B

53.  What does the term "zero-day vulnerability" mean?

o    A) A vulnerability that has been publicly disclosed

o    B) A vulnerability with no available fix

o    C) A vulnerability found in outdated software

o    D) A vulnerability that is easily exploitable
Answer: B

54.  Which PHP function can be used to encrypt data using AES?

o    A) openssl_encrypt()

o    B) mcrypt_encrypt()

o    C) hash()

o    D) base64_encode()
Answer: A

55.  What is a common method of preventing Denial-of-Service (DoS) attacks?

o    A) Allowing all traffic through the firewall

o    B) Rate limiting and IP filtering

o    C) Using weak passwords

o    D) Disabling server logs
Answer: B

56.  Which of the following is an example of good database security practice?

o    A) Using default database credentials

o    B) Granting all privileges to all users

o    C) Implementing least privilege access

o    D) Allowing remote access without restrictions
Answer: C

57.  What does "data encryption at rest" refer to?

o    A) Encrypting data during transmission

o    B) Encrypting data stored on disk

o    C) Encrypting cookies

o    D) Encrypting passwords
Answer: B

58.  What is a botnet?

o    A) A network of compromised devices used for malicious purposes

o    B) A tool for website optimization

o    C) A database of known vulnerabilities

o    D) A firewall configuration
Answer: A

59.  How can you ensure secure sessions in a PHP application?

o    A) Use the same session ID for multiple sessions

o    B) Set the session cookie to secure and HttpOnly

o    C) Keep sessions active indefinitely

o    D) Store session data in plain text
Answer: B

60.  Which of the following is a method to prevent brute-force attacks?

o    A) Allow unlimited login attempts

o    B) Use CAPTCHA or lockout mechanisms

o    C) Use weak passwords

o    D) Log all failed attempts without limits
Answer: B

61.  What is the use of the session_destroy() function?

o    A) To create a new session

o    B) To delete session data from the server

o    C) To log out a user

o    D) Both B and C
Answer: D

62.  What does the term "data in transit" refer to?

o    A) Data stored in a database

o    B) Data being transferred over a network

o    C) Data stored on a local drive

o    D) Data archived for backup
Answer: B

63.  Which of the following is a secure practice when using APIs?

o    A) Exposing sensitive data in API responses

o    B) Implementing authentication and authorization

o    C) Using unencrypted connections

o    D) Allowing open access to all endpoints
Answer: B

64.  What is a keylogger?

o    A) A tool for monitoring server performance

o    B) A malicious program that records keystrokes

o    C) A secure method for password storage

o    D) A network monitoring tool
Answer: B

65.  What is the purpose of rate limiting?

o    A) To speed up server response time

o    B) To limit the number of requests a user can make

o    C) To allow unlimited access to resources

o    D) To optimize database queries
Answer: B

66.  Which of the following is NOT a characteristic of secure coding?

o    A) Using hard-coded secrets

o    B) Validating user input

o    C) Implementing error handling

o    D) Regularly updating dependencies
Answer: A

67.  How can you protect against SQL injection?

o    A) Using prepared statements

o    B) Input validation

o    C) Escaping user inputs

o    D) All of the above
Answer: D

68.  What is the purpose of using a web application firewall (WAF)?

o    A) To improve website load times

o    B) To protect against application-layer attacks

o    C) To manage user sessions

o    D) To monitor traffic patterns
Answer: B

69.  What does HTTPS stand for?

o    A) Hyper Text Transfer Protocol Secure

o    B) High Transfer Protocol Security

o    C) Hyper Text Transmission Protocol Secure

o    D) High Text Transfer Protocol Secure
Answer: A

70.  What is a common way to handle sensitive data in memory?

o    A) Storing in plaintext

o    B) Using secure memory management techniques

o    C) Keeping in environment variables

o    D) All of the above
Answer: B

71.  What does the HttpOnly flag do for cookies?

o    A) Allows JavaScript to access the cookie

o    B) Prevents JavaScript from accessing the cookie

o    C) Encrypts the cookie

o    D) Sets the cookie to expire after one hour
Answer: B

72.  What is the role of encryption in data security?

o    A) To speed up data access

o    B) To protect data from unauthorized access

o    C) To enhance user experience

o    D) To reduce data storage needs
Answer: B

73.  What is an SQL injection attack?

o    A) A method to speed up database queries

o    B) An attack that allows attackers to execute arbitrary SQL code

o    C) A technique to optimize SQL statements

o    D) A method for securing database connections
Answer: B

74.  Which of the following should be avoided to ensure secure coding practices?

o    A) Input validation

o    B) Error handling

o    C) Storing secrets in source code

o    D) Using strong authentication methods
Answer: C

75.  What is the purpose of a security audit?

o    A) To improve website design

o    B) To assess security vulnerabilities and compliance

o    C) To optimize website performance

o    D) To enhance user engagement
Answer: B

76.  What does a DDoS attack do?

o    A) Enhances website speed

o    B) Overwhelms a service with traffic

o    C) Secures a web application

o    D) Monitors user activity
Answer: B

77.  What does a CSRF token do in web applications?

o    A) Validates user sessions

o    B) Prevents cross-site request forgery

o    C) Encrypts sensitive data

o    D) Generates unique user identifiers
Answer: B

78.  Which is a recommended practice for securing API endpoints?

o    A) Exposing all endpoints without restrictions

o    B) Implementing API rate limiting

o    C) Using basic authentication without SSL

o    D) Allowing anonymous access to all endpoints
Answer: B

79.  What is the purpose of the filter_var() function in PHP?

o    A) To filter user inputs based on specified criteria

o    B) To validate JSON data

o    C) To encode URLs

o    D) To create secure sessions
Answer: A

80.  What does the term "phishing" refer to?

o    A) A technique for improving website performance

o    B) An attempt to obtain sensitive information by masquerading as a trustworthy entity

o    C) A method for encrypting data

o    D) A way to monitor server health
Answer: B

81.  Which of the following is a method for securing sensitive data in transit?

o    A) Using unencrypted connections

o    B) Implementing SSL/TLS

o    C) Storing data in plaintext

o    D) Using weak passwords
Answer: B

82.  What is a common reason for implementing two-factor authentication (2FA)?

o    A) To allow users to reset their passwords easily

o    B) To enhance security by requiring a second form of verification

o    C) To simplify the login process

o    D) To eliminate the need for passwords
Answer: B

83.  Which of the following is an indication that a web application might be vulnerable?

o    A) Error messages revealing sensitive information

o    B) Regular software updates

o    C) Secure coding practices

o    D) User feedback mechanisms
Answer: A

84.  What do the cURL functions do in PHP?

o    A) Manages database connections

o    B) Sends HTTP requests and receives responses

o    C) Creates user sessions

o    D) Encrypts data
Answer: B

85.  What is a common method to detect SQL injection attacks?

o    A) Regular expressions

o    B) Monitoring for unusual database queries

o    C) Input validation

o    D) All of the above
Answer: D

86.  Which of the following is a benefit of using HTTPS?

o    A) It improves website load times

o    B) It encrypts data in transit

o    C) It prevents all types of attacks

o    D) It eliminates the need for authentication
Answer: B

87.  What does the http_response_code() function do?

o    A) Sends an HTTP response with a specified status code

o    B) Sets a cookie for the response

o    C) Creates a new session

o    D) Redirects the user to a different URL
Answer: A

88.  What is the purpose of code reviews in secure coding practices?

o    A) To optimize performance

o    B) To identify security vulnerabilities and improve code quality

o    C) To enhance user experience

o    D) To reduce development time
Answer: B

89.  Which of the following can be a sign of a compromised account?

o    A) Unusual login times

o    B) Regular password updates

o    C) Successful login notifications

o    D) Consistent usage patterns
Answer: A

90.  What does the strip_tags() function do in PHP?

o    A) Removes HTML and PHP tags from a string

o    B) Encrypts a string

o    C) Validates user input

o    D) Creates user sessions
Answer: A

91.  What is a security policy?

o    A) A document that outlines security procedures and practices

o    B) A set of coding standards

o    C) A framework for software development

o    D) A guideline for user interface design
Answer: A

92.  What is the purpose of data masking?

o    A) To encrypt data in transit

o    B) To hide sensitive information from unauthorized users

o    C) To enhance data retrieval speed

o    D) To improve data integrity
Answer: B

93.  Which of the following is an example of a social engineering attack?

o    A) SQL injection

o    B) Phishing

o    C) Cross-site scripting

o    D) Denial of Service
Answer: B

94.  What is the use of the getimagesize() function in PHP?

o    A) To retrieve the size of an image file

o    B) To optimize images for web use

o    C) To create image thumbnails

o    D) To upload images to a server
Answer: A

95.  What is the purpose of security headers in web applications?

o    A) To improve SEO

o    B) To enhance security by controlling how browsers handle content

o    C) To optimize website performance

o    D) To monitor user behavior
Answer: B

96.  What does a secure coding standard aim to achieve?

o    A) To enhance user experience

o    B) To prevent security vulnerabilities in code

o    C) To improve performance metrics

o    D) To reduce development costs
Answer: B

97.  What is the purpose of a honeypot in cybersecurity?

o    A) To improve system performance

o    B) To lure attackers and gather intelligence

o    C) To encrypt sensitive data

o    D) To manage user accounts
Answer: B

98.  What is the primary goal of threat modeling?

o    A) To improve software usability

o    B) To identify and mitigate potential security threats

o    C) To enhance system performance

o    D) To develop new features
Answer: B

99.  What is the function of the json_encode() function in PHP?

o    A) To encode data in JSON format

o    B) To decode JSON data

o    C) To validate JSON syntax

o    D) To create secure sessions
Answer: A

100.  What is the role of a security incident response team (SIRT)?

o    A) To manage user support issues

o    B) To respond to security incidents and breaches

o    C) To develop new software features

o    D) To monitor network performance
Answer: B

This set of 100 multiple-choice questions covers various topics related to security in PHP and web applications, including secure coding practices, vulnerabilities, and security measures.
