Security terms
Defending code from the threats that never sleep
Security vulnerabilities do not announce themselves — they wait quietly in code that looks perfectly fine on the surface. This category covers attack vectors, defensive techniques, secure coding practices, and the mental models that help you think like an attacker before one finds you. From SQL injection and XSS to authentication flaws and cryptographic pitfalls, understanding these terms is not optional — it is professional responsibility.
Timing Attacks
Side-channel attacks that infer secret values by measuring how long an operation takes — a string comparison that short-circuits on the first mismatch leaks information about the secret one character at a time.
CWE-208
4w ago
security advanced
Type Coercion in Authentication Checks PHP 4.0+
PHP's loose comparison (==) coerces types — '0e123' == '0e456' is true (both parse as 0 in scientific notation), as is 0 == 'admin' — always use === for authentication comparisons.
2mo ago
security advanced
Threat Intelligence
Evidence-based knowledge about attackers, their TTPs, and indicators of compromise — used to prioritise and inform defensive decisions.
2mo ago
security intermediate
Timing Attack PHP 5.6+
Measuring how long a comparison takes reveals information about secret values — use hash_equals() to prevent it.
CWE-208 OWASP A2:2021
2mo ago
security advanced
5.9
Requiring a second verification factor (OTP, hardware key) in addition to a password dramatically reduces account takeover risk.
OWASP A7:2021
2mo ago
security beginner
Type Juggling PHP 5.0+
PHP's loose comparison (==) can produce unexpected results — "0e123" == "0e456" is true, enabling auth bypasses.
CWE-704 OWASP A3:2021
2mo ago
security intermediate
8.1