Tag: security
HTTP Cookies in PHP PHP 7.3+
Small key-value pairs the server sends in a Set-Cookie header and the browser returns on every later request to the matching host and path. PHP sets them with setcookie(), which must run before any output is sent; the Secure, HttpOnly, and SameSite attributes (passed as an options array from PHP 7.3) control whether the cookie is sent over plain HTTP, readable by script, and attached to cross-site requests.
1mo ago
php beginner
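A worked example of the flags described above, added here and not taken from the original page: the unflagged form of setcookie() beside the PHP 7.3+ options-array form, plus the headers_sent() check that tells you when it is already too late to set a cookie. The cookie name, lifetime and path are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Weak: no Secure, no HttpOnly, no SameSite. The cookie travels over plain HTTP,
// is readable by any script running in the page (XSS), and rides along on
// cross-site requests (CSRF).
function setWeakCookie(string $value): void
{
    setcookie('remember_me', $value);
}

// Hardened (PHP 7.3+ options array). Assumed name/path/lifetime for illustration.
function setHardenedCookie(string $value): void
{
    setcookie('remember_me', $value, [
        'expires'  => time() + 60 * 60 * 24 * 30, // explicit 30-day lifetime
        'path'     => '/',
        'domain'   => '',      // empty: current host only, no subdomains
        'secure'   => true,    // only ever sent over HTTPS
        'httponly' => true,    // invisible to document.cookie
        'samesite' => 'Lax',   // not attached to cross-site POSTs; 'None' would require secure=true
    ]);
}

// Cookie values that act as credentials must be unguessable: 256 bits from the CSPRNG.
$token = bin2hex(random_bytes(32));

// setcookie() writes a response header, so it must run before any output.
if (headers_sent($file, $line)) {
    throw new RuntimeException("too late to set cookies: output started at $file:$line");
}

setHardenedCookie($token);
```

The browser treats the options as instructions, not guarantees: a cookie without HttpOnly is one XSS away from theft, and SameSite=Lax still allows top-level GET navigations to carry the cookie, so state-changing actions must not be reachable via GET.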
Linux File Permissions
Read, write, and execute permissions assigned to owner, group, and others — the foundation of Linux access control for web application files.
CWE-732 OWASP A5:2021
2mo ago
linux beginner
7.5
PDO query() vs prepare() PHP 5.1+
PDO query() executes raw SQL immediately; prepare() sends a parameterised statement whose values are bound separately from the SQL text. query() must never include user-controlled values.
CWE-89 OWASP A3:2021
2mo ago
php beginner
9.8
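The injection described in the entry above, shown end to end as an added example (not code from the original page). It uses an in-memory SQLite database so it runs offline; the users table and its two rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed fixture: an in-memory SQLite database with two users.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // On MySQL also set PDO::ATTR_EMULATE_PREPARES => false so the server,
    // not the client, handles parameter binding.
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'user'), ('bob', 'admin')");

// Vulnerable: user input is concatenated into the SQL and run with query().
// A quote in the input ends the string literal and the rest becomes SQL.
function findUserVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: prepare() with a named placeholder. The value is delivered as a
// parameter, so quotes and OR clauses inside it are compared as data.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the literal and appends a tautology.
$payload = "x' OR '1'='1";

printf("query():   %d rows\n", count(findUserVulnerable($pdo, $payload)));
printf("prepare(): %d rows\n", count(findUserSafe($pdo, $payload)));
```

With the payload above the vulnerable query becomes `WHERE name = 'x' OR '1'='1'` and returns every user, while the prepared statement looks for a user literally named `x' OR '1'='1` and returns nothing. Placeholders only cover values; table and column names chosen by the user still need an allowlist.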
File Permissions PHP 4.0+
Unix permission bits (owner/group/world read-write-execute) that control which processes can read, write, or execute files — misconfigured permissions are a common PHP deployment and security issue.
2mo ago
php beginner
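One way a PHP application can check the permission bits the two entries above describe at startup, and keep files it creates closed by default. This is an added example, not code from the original page; the temporary file stands in for a real secrets file such as /etc/app/config.php (an assumed path), and its contents are constructed.

```php
<?php
declare(strict_types=1);

// Last four octal digits of the mode, e.g. "0640". Stat results are cached
// per path in PHP, so clear the cache before reading after a chmod().
function modeString(string $path): string
{
    clearstatcache(true, $path);
    return substr(sprintf('%o', fileperms($path)), -4);
}

// A secrets file may be readable by its owner and by the web server's group,
// never by "others": the 0004 bit must be clear.
function assertNotWorldReadable(string $path): void
{
    clearstatcache(true, $path);
    $mode = fileperms($path);
    if ($mode === false) {
        throw new RuntimeException("cannot stat $path");
    }
    if ($mode & 0004) {
        throw new RuntimeException("$path is world-readable (" . modeString($path) . "); chmod 640 or 600");
    }
}

// A directory the web server writes to (uploads, cache) must not be writable by
// every local user: the 0002 bit must be clear.
function assertNotWorldWritable(string $dir): void
{
    clearstatcache(true, $dir);
    $mode = fileperms($dir);
    if ($mode === false || !is_dir($dir)) {
        throw new RuntimeException("$dir is not a directory");
    }
    if ($mode & 0002) {
        throw new RuntimeException("$dir is world-writable (" . modeString($dir) . "); chmod 750 or 770");
    }
}

// umask 077 strips group and other bits from every file this process creates,
// so file_put_contents() yields 0600 even when the caller never thinks about modes.
umask(0077);

$config = tempnam(sys_get_temp_dir(), 'cfg');       // assumed stand-in for /etc/app/config.php
file_put_contents($config, "db_password=example\n"); // constructed content

chmod($config, 0644);                                 // the common deployment mistake
try {
    assertNotWorldReadable($config);
} catch (RuntimeException $e) {
    echo 'startup check failed: ', $e->getMessage(), PHP_EOL;
}

chmod($config, 0600);                                 // corrected
assertNotWorldReadable($config);
echo 'config mode now ', modeString($config), PHP_EOL;

assertNotWorldWritable(sys_get_temp_dir() === '/tmp' ? __DIR__ : sys_get_temp_dir());
unlink($config);
```

Run the checks once at bootstrap and fail loudly; a world-readable config file is invisible to the application itself, so nothing else will report it. The directory check is skipped for /tmp because that directory is world-writable by design and protected by the sticky bit instead.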
HTTPS & TLS
HTTP over TLS: encrypts traffic between browser and server so it cannot be read or altered in transit, and authenticates the server through its certificate, which is what defeats man-in-the-middle attacks. Required for Secure-flagged cookies (session cookies included), for browser features restricted to secure contexts, and for every production web application.
2mo ago
security beginner
password_hash() — Native Bcrypt (PHP 5.5) PHP 5.5+
PHP 5.5 added password_hash() and password_verify(), the standard way to hash and verify passwords in PHP: a random per-password salt and a slow, tunable algorithm (bcrypt by default) are handled for you. Never store MD5, SHA-1, or any unsalted fast hash of a password.
2mo ago
php beginner
PHP Sessions PHP 4.0+
Server-side state storage identified by a cookie-based session ID — PHP's built-in mechanism for persisting data across HTTP requests, with security implications for how the session is started, stored, and terminated.
2mo ago
php beginner
PHP End-of-Life Schedule & Security Implications PHP 5.0+
Each PHP minor version receives roughly 2 years of active support followed by a security-fix-only period (historically 1 further year). Running an EOL version means newly discovered vulnerabilities are never patched; the only remedy is to upgrade.
2mo ago
php beginner
Hardcoded Credentials PHP 5.0+
Passwords, API keys, or tokens written directly into source code — permanently exposed to anyone with repository access and impossible to rotate without a code change.
2mo ago
security beginner
Weak Password Hash PHP 5.5+
Using MD5, SHA-1, or SHA-256 to hash passwords. These are fast digests designed for data integrity, not for storing credentials: a GPU tries billions of guesses per second against them, so most real-world passwords fall in seconds to hours, and without a per-user salt identical passwords produce identical hashes.
2mo ago
security beginner
Allowlists define what is permitted; blocklists define what is forbidden. Prefer allowlists: they fail closed, rejecting anything not explicitly listed, whereas a blocklist is only as good as the author's list of bad cases and is bypassed by the one nobody thought of.
2mo ago
general beginner
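An added example of the allowlist/blocklist contrast (not code from the original page), using a case where prepared statements cannot help: a user-selected sort column, since SQL identifiers cannot be bound as parameters. The column map, query and attacker input are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Blocklist attempt: strip characters the author associates with injection.
// Fails open: any payload that avoids those characters goes straight into the SQL.
function orderByBlocklist(string $column): string
{
    $cleaned = str_replace([';', '--', '/*', '*/', "'"], '', $column);
    return "SELECT id, name FROM users ORDER BY $cleaned";
}

// Allowlist: the request value is only ever a key into a fixed map of
// identifiers written in the source. Anything else is rejected.
const SORTABLE_COLUMNS = [
    'name'    => 'name',
    'created' => 'created_at',
];

function orderByAllowlist(string $column, string $direction = 'asc'): string
{
    if (!array_key_exists($column, SORTABLE_COLUMNS)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    // The direction is an allowlist of two values as well.
    $dir = strtolower($direction) === 'desc' ? 'DESC' : 'ASC';
    return 'SELECT id, name FROM users ORDER BY ' . SORTABLE_COLUMNS[$column] . ' ' . $dir;
}

// Constructed attacker input: a boolean-based probe that uses none of the
// blocklisted characters, so the blocklist passes it through untouched.
$probe = '(CASE WHEN (SELECT 1 FROM admins WHERE id = 1) = 1 THEN name ELSE id END)';

echo orderByBlocklist($probe), PHP_EOL;
try {
    echo orderByAllowlist($probe), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'allowlist rejected the probe: ', $e->getMessage(), PHP_EOL;
}
echo orderByAllowlist('created', 'desc'), PHP_EOL;
```

The allowlist also decouples the public parameter name (`created`) from the real column name (`created_at`), so the schema is not leaked through the URL.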
basename() PHP 5.0+
Returns only the final component of a path, stripping any directory prefix, so '../../etc/passwd' becomes 'passwd'. Useful as one layer of a path traversal defence but not sufficient alone: still resolve the result under a fixed base directory and confirm it stays there, and note that basename() is locale-aware, so set the locale if file names may contain multibyte characters.
2mo ago
php beginner
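The layered defence described above as an added example (not code from the original page): basename() alone beside a version that also applies an extension allowlist, refuses dot-files, and verifies with realpath() that the resolved file is still inside the base directory. The download directory and file names are assumptions; the directory is created as a temporary fixture so the script runs anywhere.

```php
<?php
declare(strict_types=1);

// Naive: basename() stops "../" but still serves any file in the directory.
function resolveNaive(string $baseDir, string $requested): string
{
    return $baseDir . '/' . basename($requested);
}

// Hardened: strip directories, reject hidden files, require a permitted
// extension, then check containment on the real (symlink-resolved) path.
function resolveDownload(string $baseDir, string $requested): ?string
{
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;                                   // no dot-files such as .htaccess or .env
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ['pdf', 'zip'], true)) {
        return null;                                   // extension allowlist
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false) {
        return null;                                   // directory or file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                   // resolves outside the base (e.g. via a symlink)
    }
    return $path;
}

// Constructed fixture: a temporary download directory with one real file,
// one dot-file, and a symlink pointing outside the directory.
$dir = sys_get_temp_dir() . '/downloads_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/report.pdf", 'constructed content');
file_put_contents("$dir/.htaccess", 'constructed content');
@symlink('/etc/hostname', "$dir/escape.zip");

foreach (['report.pdf', '../../etc/passwd', '.htaccess', 'escape.zip', 'shell.php'] as $input) {
    printf("%-18s naive=%s  hardened=%s\n",
        $input,
        resolveNaive($dir, $input),
        resolveDownload($dir, $input) ?? 'rejected');
}

// Clean up the fixture.
array_map('unlink', glob("$dir/{,.}*", GLOB_BRACE) ?: []);
@unlink("$dir/escape.zip");
rmdir($dir);
```

Only `report.pdf` survives the hardened resolver: the traversal input collapses to `passwd` and then fails the extension check, the dot-file and the `.php` name are rejected by the allowlist rules, and the symlink is caught because realpath() follows it to a location outside the base directory.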
Browser Storage APIs HTML5
localStorage, sessionStorage, IndexedDB, and cookies: different scopes, capacities, and access patterns for client-side data persistence. All of them are readable by any script running on the origin except cookies marked HttpOnly, so none is a safe place for session tokens or other secrets.
2mo ago
frontend beginner
Bug Bounty Programme
A programme offering financial rewards to security researchers who responsibly disclose vulnerabilities in a vendor's systems.
2mo ago
general beginner
extract() — Dangerous Variable Injection PHP 4.0+
extract() creates local variables from an array. Called on user-controlled input such as $_GET or $_POST with the default EXTR_OVERWRITE flag, it lets an attacker overwrite existing variables (an $isAdmin flag, for example) simply by choosing the request parameter names.
CWE-621 OWASP A3:2021
2mo ago
php beginner
9.8
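The overwrite described above, demonstrated as an added example (not code from the original page): a request that carries an extra isAdmin parameter flips an authorisation flag computed a line earlier, beside the EXTR_SKIP and explicit-read alternatives. $_GET is simulated with a constructed array so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for $_GET: ?page=profile&isAdmin=1
$simulatedGet = ['page' => 'profile', 'isAdmin' => '1'];

// Vulnerable: extract() with the default EXTR_OVERWRITE replaces the local
// $isAdmin with whatever the request supplied.
function renderVulnerable(array $request, bool $userIsAdmin): string
{
    $isAdmin = $userIsAdmin;
    extract($request);
    $page = $page ?? 'home';
    return ($isAdmin ? 'admin panel' : 'normal page') . " ($page)";
}

// Less bad: EXTR_SKIP never overwrites a variable that already exists, and
// EXTR_PREFIX_ALL would confine every extracted name to its own prefix.
function renderWithSkip(array $request, bool $userIsAdmin): string
{
    $isAdmin = $userIsAdmin;
    extract($request, EXTR_SKIP);
    $page = $page ?? 'home';
    return ($isAdmin ? 'admin panel' : 'normal page') . " ($page)";
}

// Best: do not extract request data at all; read the keys you expect.
function renderExplicit(array $request, bool $userIsAdmin): string
{
    $page = is_string($request['page'] ?? null) ? $request['page'] : 'home';
    return ($userIsAdmin ? 'admin panel' : 'normal page') . " ($page)";
}

// The caller is an ordinary user in all three cases.
echo 'extract():            ', renderVulnerable($simulatedGet, false), PHP_EOL;
echo 'extract(EXTR_SKIP):   ', renderWithSkip($simulatedGet, false), PHP_EOL;
echo 'explicit reads:       ', renderExplicit($simulatedGet, false), PHP_EOL;
```

Only the first call grants the admin panel to a non-admin. EXTR_SKIP closes this particular hole but still lets the request define any variable the function has not yet assigned, which is why explicit reads are the recommended form.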
filter_var() PHP 5.2+
PHP's built-in input validation and sanitisation function, supporting email, URL, IP, int, float, and boolean validators. Validate filters (FILTER_VALIDATE_*) return false on bad input and should gate the request; sanitize filters (FILTER_SANITIZE_*) only strip characters and must not be mistaken for validation.
2mo ago
php beginner
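An added example (not the page's own code) of the validate-versus-sanitise distinction: three small validators built on FILTER_VALIDATE_* with ranges and flags, and a sanitise call that quietly turns an injection attempt into a plausible-looking value. Inputs are constructed; the parameter names and limits are assumptions.

```php
<?php
declare(strict_types=1);

// Integer in a range: FILTER_VALIDATE_INT returns false for "25abc", "1e3",
// "0" below min_range, and anything else that is not a plain integer.
function parseLimit(string $raw): int
{
    $limit = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100],
    ]);
    if ($limit === false) {
        throw new InvalidArgumentException('limit must be an integer between 1 and 100');
    }
    return $limit;
}

function parseEmail(string $raw): string
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return $email;
}

// FILTER_VALIDATE_URL checks shape only and accepts file: and mailto: URLs,
// so the scheme still needs an allowlist before the value is followed or echoed.
function parseCallbackUrl(string $raw): string
{
    $url = filter_var($raw, FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED);
    if ($url === false || parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('callback must be an https URL with a path');
    }
    return $url;
}

// Sanitising is not validating: FILTER_SANITIZE_NUMBER_INT strips everything
// but digits and signs, so an injection attempt becomes "1" and is accepted.
function sanitisedLimit(string $raw): string
{
    return filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
}

$samples = ['25', '0', '25abc', '1; DROP TABLE users'];
foreach ($samples as $raw) {
    try {
        echo "validate '$raw' -> ", parseLimit($raw), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "validate '$raw' -> rejected", PHP_EOL;
    }
    echo "sanitise '$raw' -> '", sanitisedLimit($raw), "'", PHP_EOL;
}

foreach (['https://example.com/hook', 'file:///etc/passwd', 'https://example.com'] as $raw) {
    try {
        echo 'url ', parseCallbackUrl($raw), ' accepted', PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "url '$raw' -> ", $e->getMessage(), PHP_EOL;
    }
}
```

The validators throw on anything they do not understand, so the caller cannot accidentally proceed with a half-cleaned value; the sanitise call returns a string no matter what it was fed, which is exactly why it must not stand in for validation.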
htmlspecialchars() PHP 5.0+
Converts HTML special characters to entities: the primary defence against XSS in HTML element content and quoted attribute values. Pass ENT_QUOTES and an explicit charset; it is the wrong tool for JavaScript, URL, or CSS contexts, each of which needs its own encoding.
2mo ago
php beginner
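The contexts named above, worked through as an added example (not code from the original page): a small escaping helper with the flags that make htmlspecialchars() safe for element content and quoted attributes, and the alternatives for a JavaScript string and a URL parameter. The untrusted input is constructed.

```php
<?php
declare(strict_types=1);

// HTML context escaper.
// ENT_QUOTES:     also escape ' so single-quoted attributes are safe.
// ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning an empty string.
// Explicit charset: never depend on default_charset in php.ini.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string context: json_encode() produces a valid JS literal, and the
// hex flags stop the value from closing the <script> element or the literal.
function js(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed attacker input: breaks out of both an element and a quoted attribute.
$untrusted = "<img src=x onerror=alert(1)> it's \"quoted\"";

// Correct: element content and a double-quoted attribute value.
$out  = '<p>' . e($untrusted) . '</p>' . PHP_EOL;
$out .= '<input value="' . e($untrusted) . '">' . PHP_EOL;

// Correct: JavaScript string, encoded for the JS context, not the HTML one.
$out .= '<script>var name = ' . js($untrusted) . ';</script>' . PHP_EOL;

// Correct: URL query parameter, percent-encoded first, then HTML-escaped
// because it is being placed inside an HTML attribute.
$out .= '<a href="' . e('/search?q=' . rawurlencode($untrusted)) . '">search</a>' . PHP_EOL;

// Wrong, left as a comment: an unquoted attribute. Escaping cannot help because
// a space ends the attribute, so "onerror" would become a new attribute.
// $out .= '<input value=' . e($untrusted) . '>';

echo $out;
```

Each context gets the encoder that matches its grammar; htmlspecialchars() on its own is correct only where the browser will parse the output as HTML text or a quoted attribute.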
password_hash() PHP 5.5+
PHP's built-in function for securely hashing passwords using bcrypt or Argon2 with automatic salting.
2mo ago
php beginner
password_verify() PHP 5.5+
Checks a plaintext password against a bcrypt/Argon2 hash produced by password_hash() — the correct way to validate passwords.
2mo ago
php beginner
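A complete password-storage flow as an added example (not code from the original page) covering the password_hash(), password_verify(), and weak-hash entries above: an MD5 legacy hash beside bcrypt, transparent upgrade of legacy rows at login, password_needs_rehash() when the cost changes, and a constant-time path for unknown users. The user store is an in-memory array and the passwords are constructed.

```php
<?php
declare(strict_types=1);

const HASH_ALGO    = PASSWORD_BCRYPT;   // PASSWORD_ARGON2ID where libargon2 is compiled in
const HASH_OPTIONS = ['cost' => 12];    // tune so one hash takes roughly 100-250 ms on your hardware

// Weak (shown for contrast, never use): unsalted fast digest. Equal passwords
// give equal hashes, and a GPU tries billions of candidates per second.
function weakHash(string $password): string
{
    return md5($password);
}

function createUser(array &$users, string $username, string $password): void
{
    // password_hash() generates a random salt and encodes algorithm, cost and
    // salt into the result, so nothing else needs to be stored.
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

// Returns true when the password is correct. Upgrades legacy md5 rows and
// hashes whose cost or algorithm no longer matches the current policy.
function login(array &$users, string $username, string $password): bool
{
    $stored = $users[$username] ?? null;
    if ($stored === null) {
        // Spend the same time as a real verification so an unknown username
        // cannot be told apart from a wrong password by timing.
        password_verify($password, password_hash('placeholder', HASH_ALGO, HASH_OPTIONS));
        return false;
    }

    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {          // legacy md5 row
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS); // upgrade on first success
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Constructed fixture: one legacy user and one created under the current policy.
$users = ['legacy' => weakHash('hunter2')];
createUser($users, 'alice', 'correct horse battery staple');

var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'nobody', 'anything'));
var_dump(login($users, 'legacy', 'hunter2'));
echo 'legacy user now stored with: ', password_get_info($users['legacy'])['algoName'], PHP_EOL;
```

Two caveats worth knowing: bcrypt only uses the first 72 bytes of the password, so very long passphrases should be length-checked or pre-hashed deliberately, and the upgrade-on-login pattern only ever fixes rows whose owners still sign in, so stale legacy hashes should be expired after a migration window.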
Server-side storage keyed by a session ID cookie: the correct place to keep authorisation state, which must never be trusted from client-side storage, hidden form fields, or request parameters.
2mo ago
php beginner
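The session lifecycle the two session entries describe (start, store, terminate) as an added example, not code from the original page: hardened cookie parameters set before session_start(), strict mode against fixation, an idle timeout, ID regeneration when the user authenticates, and full teardown at logout. The idle limit and user id are assumptions.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 15 * 60;   // assumed policy

function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued (anti-fixation)
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Idle timeout enforced server-side, since cookie expiry is under the client's control.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT_SECONDS) {
        session_unset();               // drop all state
        session_regenerate_id(true);   // and the ID that identified it
    }
    $_SESSION['last_seen'] = $now;
}

// Call right after the password check succeeds. A fresh ID means any session
// an attacker planted before login does not become the authenticated one.
function loginSession(int $userId): void
{
    session_regenerate_id(true);       // true: delete the old session data
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = time();
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Logout: clear server-side data, expire the cookie in the browser, destroy the session.
function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Typical request flow (the password check itself is out of scope here).
startSecureSession();
if (currentUserId() === null) {
    loginSession(42);                  // assumed user id after a successful credential check
}
echo 'authenticated as user ', currentUserId(), PHP_EOL;
destroySession();
```

Authorisation decisions read $_SESSION only; nothing the client sends besides the opaque session ID is consulted, which is the whole point of keeping that state server-side.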