Showing posts with label PHP security.

Thursday 10 August 2017

PHP Interview Questions and Answer for 3 year experienced


Question: What is the difference between the unlink() and unset() functions in PHP?
unlink() deletes a file from the filesystem permanently (nothing is moved to a recycle bin), so never pass it a path taken unvalidated from user input.
unlink("/data/users.csv");
unset() destroys a variable, removing it from the current scope.
unset($newVariable);



Question: What are PHP Traits?
A trait is PHP's mechanism for code reuse in a single-inheritance language: it groups methods that any class can pull in with the use keyword. It looks much like a class, but it cannot be instantiated on its own.
trait Goodmorning {

    public function goodmorning() {
        echo "Good Morning Viewer", PHP_EOL;
    }

}

trait Welcome {

    public function welcome() {
        echo "Welcome Viewer", PHP_EOL;
    }

}

class Message {

    use Welcome,
        Goodmorning;

    public function sendMessage() {
        // The trait methods echo for themselves; echoing their (null) return value would print nothing extra.
        $this->welcome();
        $this->goodmorning();
    }

}

$o = new Message;
$o->sendMessage();

Output
Welcome Viewer
Good Morning Viewer



Question: How to get the URL of the current webpage?
Client side, connect with  parameter



Question: What is autoloading of classes in PHP, and how does it work?
With an autoloader registered through spl_autoload_register(), PHP calls your callback with the class (or interface) name the first time that name is used, giving you the chance to load its definition before PHP fails with a "class not found" error.
spl_autoload_register(function ($classname) {
    // Maps the class name straight to a file name. Fine for a demo, but a real loader should
    // map namespaces to a fixed base directory so the name can never select arbitrary files.
    include $classname . '.php';
});
$object  = new Class1();
$object2 = new Class2();
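The autoloader above maps a class name straight to a file. The following is an added example, not code from the original post: a PSR-4 style loader that maps one namespace prefix to one base directory and refuses anything that is not a plain identifier path, so a class name that reaches the loader through class_exists() or "new $name" on user input cannot point outside that directory. The namespace App\ and the src/ directory are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Assumed layout: App\Foo\Bar lives in src/Foo/Bar.php (PSR-4 style).
const AUTOLOAD_PREFIX   = 'App\\';
const AUTOLOAD_BASE_DIR = __DIR__ . '/src/';

// Returns the file a class would be loaded from, or null when the loader should not touch it.
function autoload_resolve(string $class): ?string
{
    // Only classes in our namespace; let other registered loaders handle the rest.
    if (strncmp($class, AUTOLOAD_PREFIX, strlen(AUTOLOAD_PREFIX)) !== 0) {
        return null;
    }
    $relative = substr($class, strlen(AUTOLOAD_PREFIX));

    // PHP only allows identifiers in class names it parses itself, but strings from
    // class_exists() or `new $name` are not parsed, so enforce the identifier shape here.
    // This also rejects "..", "/" and NUL bytes, which would otherwise reach the filesystem.
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*\z/', $relative)) {
        return null;
    }

    $file = AUTOLOAD_BASE_DIR . str_replace('\\', '/', $relative) . '.php';
    return is_file($file) ? $file : null;
}

spl_autoload_register(function (string $class): void {
    $file = autoload_resolve($class);
    if ($file !== null) {
        // require, not include: a broken class file should be a fatal error, not a silent skip.
        require $file;
    }
});

// Resolution can be checked without any class files on disk:
var_dump(autoload_resolve('Vendor\\Other'));        // NULL: not our prefix, left to other loaders
var_dump(autoload_resolve('App\\..\\..\\etc\\x'));  // NULL: rejected by the identifier check
// autoload_resolve('App\\Model\\User') returns the path of src/Model/User.php once that file exists.
```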



Question: What is the use of ini_set()?
PHP lets a script change settings from php.ini at runtime with ini_set(). This only works for directives whose changeable mode is PHP_INI_ALL (or PHP_INI_USER); for the others ini_set() returns false and the value must be set in php.ini, in a .htaccess php_value line, or in the web server's PHP configuration.
For example
Display errors on the page (development only: in production keep display_errors off and log errors instead, so file paths and stack traces are not shown to visitors)
ini_set('display_errors', '1');

Set the MySQL connection timeout (this directive belongs to the old mysql extension, which was removed in PHP 7.0; with mysqli use the MYSQLI_OPT_CONNECT_TIMEOUT option instead)
ini_set('mysql.connect_timeout', '100');

Set the maximum execution time in seconds (PHP_INI_ALL, so this works at runtime)
ini_set('max_execution_time', '100000');

Set post max size
ini_set('post_max_size', '30000M');       // returns false: post_max_size is PHP_INI_PERDIR and cannot be changed at runtime

Set upload max file size
ini_set('upload_max_filesize', '64000M'); // returns false for the same reason; set both in php.ini or a .htaccess php_value line, and keep them as small as the application actually needs
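Because ini_set() silently returns false for directives it cannot change, a script that depends on such a setting should check the result rather than assume it took effect. The function below is an added example, not code from the original post; the setting names are the ones discussed above and the values are sample values.

```php
<?php
// Applies runtime settings and returns the ones PHP refused, with their current value,
// so the operator knows which directives still have to go into php.ini or .htaccess.
function apply_ini_settings(array $settings): array
{
    $failed = [];
    foreach ($settings as $name => $value) {
        // ini_set() returns the old value (a string) on success and false when the directive
        // is unknown or not changeable at runtime (PHP_INI_PERDIR / PHP_INI_SYSTEM).
        if (ini_set($name, (string) $value) === false) {
            $failed[$name] = (string) ini_get($name);
        }
    }
    return $failed;
}

$failed = apply_ini_settings([
    'display_errors'      => '0',    // never show errors to visitors in production
    'log_errors'          => '1',
    'max_execution_time'  => '30',
    'post_max_size'       => '8M',   // PHP_INI_PERDIR: expected to fail at runtime
    'upload_max_filesize' => '2M',   // PHP_INI_PERDIR: expected to fail at runtime
]);

foreach ($failed as $name => $current) {
    error_log("ini_set('$name') refused at runtime; current value is '$current'. Set it in php.ini or .htaccess.");
}
```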




Question: Which PHP extension helps to debug the code?
The extension is Xdebug.
It uses the DBGp debugging protocol. It is highly configurable and adaptable to a variety of situations, but it belongs on development machines only: it slows PHP down considerably and, when configured to connect back to the requesting client, hands a debugging session to whoever triggers it.


Question: How can we get the properties of the browser?
$_SERVER['HTTP_USER_AGENT']
This is the User-Agent request header exactly as the client sent it, so treat it as untrusted input: escape it before printing it into a page and validate it before storing it.



Question: How to get/set the session id?
Set the session id (must be called before session_start())
session_id($sessionId);

Get the session id
echo session_id();
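Setting the session id by hand is rarely what an application wants; the case that matters for security is regenerating it when a user logs in, so an id fixed on the victim before login cannot be reused afterwards. The following is an added example, not code from the original post. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and check_credentials is a placeholder for the application's own password check (for example password_verify() against a stored hash).

```php
<?php
// Cookie flags for the session cookie: HTTPS only, hidden from JavaScript, not sent on
// cross-site POSTs. Must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_only_cookies', '1');   // never read the session id from the URL
ini_set('session.use_strict_mode', '1');    // reject ids the server did not generate itself
session_start();

function login_user(string $username, string $password, callable $check_credentials): bool
{
    if (!$check_credentials($username, $password)) {
        return false;
    }
    // Discard the id the client arrived with (true also deletes its data), so an id planted
    // before login is worthless afterwards. Do the same on any privilege change.
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function logout_user(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// Constructed credential check for the demo; a real one verifies against stored password hashes.
$demo_check = fn(string $u, string $p): bool => $u === 'alice' && $p === 'correct horse';

$before = session_id();
var_dump(login_user('alice', 'correct horse', $demo_check));   // bool(true)
var_dump(session_id() !== $before);                             // bool(true): id was regenerated
```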



Question: What is Scrum?
Scrum is an Agile framework for completing complex projects.
Scrum originally was made for software development projects, but it works well for any complex and innovative scope of work.


Question: What are the ways to encrypt the data?
Strictly speaking the functions below hash data rather than encrypt it: the output is a one-way digest with no key, and the input cannot be recovered from it. (For reversible encryption see the AES post further down.) MD5 and SHA-1 are broken for collision resistance, and none of the four is suitable on its own for storing passwords; use password_hash() for that.
md5() – Calculate the MD5 hash of a string (fast and collision-broken; checksums only).
sha1() – Calculate the SHA-1 hash of a string (also collision-broken).
hash() – Generate a hash with any supported algorithm, e.g. hash('sha256', $data).
crypt() – One-way string hashing with a salt; password_hash() is its modern front end.
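The two hashing jobs a web application actually has are storing passwords and protecting data it hands to the client from tampering. The block below is an added example, not code from the original post, using only built-in PHP functions; TOKEN_SECRET is a placeholder constant that a real deployment would replace with a key generated by random_bytes() and kept outside the source.

```php
<?php
// 1. Passwords: a slow, salted, one-way hash. password_hash() generates the salt itself and
//    stores algorithm, cost and salt in the result, so verification needs no extra data.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $stored_hash): bool
{
    return password_verify($password, $stored_hash);   // compares in constant time
}

// 2. Integrity of data given to the client (e.g. a signed token): a keyed hash (HMAC).
const TOKEN_SECRET = 'placeholder-replace-with-32-random-bytes';

function sign_token(string $payload): string
{
    $mac = hash_hmac('sha256', $payload, TOKEN_SECRET);
    return base64_encode($payload) . '.' . $mac;
}

// Returns the payload if the MAC is valid, null otherwise.
function verify_token(string $token): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, TOKEN_SECRET);
    // hash_equals(): constant-time, strict comparison. == would be subject to type juggling.
    return hash_equals($expected, $parts[1]) ? $payload : null;
}

$hash = store_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $hash));   // bool(true)
var_dump(check_password('wrong', $hash));                           // bool(false)

$token = sign_token('user=42;role=reader');
var_dump(verify_token($token) === 'user=42;role=reader');           // bool(true)
var_dump(verify_token($token . 'x'));                                // NULL: MAC no longer matches
```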


Question: How to get a cookie value?
$_COOKIE["cookie_name"];
A cookie that the client did not send leaves the key undefined, so check with isset() first; and since the value comes from the client, validate it before use.



Question: What is use of header?
The header() function sends a raw HTTP header to the client. It must be called before any output is sent, including whitespace before the opening <?php tag, because the headers go out with the first byte of the body.


Question: What is type juggling in PHP?
Type juggling means PHP converts a value's type automatically according to the context in which it is used. A variable has no declared type; it takes the type of whatever is assigned to it.
If an integer value is assigned to a variable, it becomes an integer.
If a string value is assigned to a variable, it becomes a string.
If an object is assigned to a variable, it becomes an object.
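Juggling also applies to comparisons, which is where it becomes a security concern: the loose == operator converts both sides before comparing. The block below is an added example, not code from the original post; the values are constructed, and the results hold in PHP 7 and PHP 8 alike.

```php
<?php
// Returns each expression with its result, so the loose and strict forms can be seen side by side.
function juggling_cases(): array
{
    return [
        // Both operands are numeric strings, so == compares them as numbers.
        "'1e3' == '1000'"               => '1e3' == '1000',                  // true
        "'1e3' === '1000'"              => '1e3' === '1000',                 // false
        // A digest that happens to look like "0e<digits>" is numeric too: 0 * 10^n == 0,
        // so two different hex strings of that shape compare equal under ==.
        "'0e1234' == '0e5678'"          => '0e1234' == '0e5678',             // true
        "'0e1234' === '0e5678'"         => '0e1234' === '0e5678',            // false
        // in_array() (like switch) uses loose comparison unless told otherwise.
        "in_array('1e1', ['10'])"       => in_array('1e1', ['10']),          // true
        "in_array('1e1', ['10'], true)" => in_array('1e1', ['10'], true),    // false
    ];
}

// For secrets (session tokens, reset tokens, MACs, hashes) use hash_equals(): strict,
// byte-for-byte and constant-time, so neither juggling nor timing leaks apply.
function token_matches(string $expected, string $given): bool
{
    return hash_equals($expected, $given);
}

foreach (juggling_cases() as $expr => $result) {
    printf("%-32s => %s\n", $expr, var_export($result, true));
}
var_dump(token_matches('0e1234', '0e5678'));   // bool(false)
```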


Question: What will be output of following?
$x = true and false and true;
var_dump($x);


Output
boolean false


Question: What will be output of following?
$text = 'Arun ';
$text[10] = 'Kumar';
echo $text;


Output
Arun K


Question: What is use of header?
header() is used to redirect from one page to another: header("Location: index.php"); exit; (always stop the script after a redirect, otherwise the rest of the page is still generated and sent)
header() is used to send an HTTP status code: header("HTTP/1.0 404 Not Found"); or, since PHP 5.4, http_response_code(404);

header() is used to send a raw HTTP header: header('Content-Type: application/json');
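The three uses above wrapped as small functions, with the check a redirect needs so that a user-supplied "next" parameter cannot turn it into an open redirect. This is an added example, not code from the original post; the function names and the sample target values are constructed for it.

```php
<?php
// Status code plus content type plus body in one place; nosniff keeps browsers from
// reinterpreting the JSON as HTML, and the JSON_HEX_* flags make it safe to embed in HTML.
function send_json(array $data, int $status = 200): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode($data, JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Accepts only local paths: one leading "/" that is not followed by "/" or "\" (browsers
// read "//host" and "/\host" as absolute URLs), and no CR/LF. Anything else falls back to $default.
function safe_redirect_target(string $next, string $default = '/'): string
{
    if (preg_match('#\A/(?![/\\\\])[^\r\n]*\z#', $next)) {
        return $next;
    }
    return $default;
}

function redirect(string $target): void
{
    header('Location: ' . $target, true, 302);
    exit;   // nothing after a redirect may run
}

// Constructed sample values for the redirect check:
var_dump(safe_redirect_target('/account'));               // string(8) "/account"
var_dump(safe_redirect_target('//evil.example/phish'));   // string(1) "/"
var_dump(safe_redirect_target('https://evil.example/'));  // string(1) "/"
```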


Tuesday 6 September 2016

How to add Security in Website?


Server Signature invisible

Whatever technology you are using (PHP, .NET, ASP, etc.), you should not let others read it from your responses.

Hide the Server Signature.
Open the php.ini file and change
expose_php = On
to
expose_php = Off
(this removes the X-Powered-By: PHP/x.y.z header)

Add the following to .htaccess
ServerSignature Off
ServerSignature Off only removes the version footer from server-generated pages such as error pages. The Server: response header itself is trimmed with ServerTokens Prod, which is only allowed in the main Apache configuration, not in .htaccess.



XSS Protection header Enabled

Cross-site scripting (XSS) is a type of security vulnerability found in web applications: it lets an attacker get client-side script injected into pages the site serves to other users. We can add a protection layer against reflected XSS by sending this header.

Add the following to .htaccess (requires mod_headers)
Header set X-XSS-Protection "1; mode=block"
Current Chromium-based browsers and Firefox no longer implement the filter this header controls, so treat it as legacy hardening; output encoding and a Content-Security-Policy are the real defences.


Content Security Policy (CSP)

It is an added layer of security that helps to detect and mitigate certain types of attack, including cross-site scripting and data injection. The header tells the browser which sources of scripts, styles, images and other content the page may load, and the browser blocks everything else.
Add the following to .htaccess (the X-Content-Security-Policy name was an early experimental form that browsers no longer honour; the standard header is Content-Security-Policy and "allow" has become "default-src")
Header set Content-Security-Policy "default-src 'self';"
A policy this strict also blocks inline <script> blocks and inline event handlers, so test it against the site before deploying it.



X-Content-Type-Options

This header stops the browser from "sniffing" a response's content type and treating a file as something other than what its Content-Type header says (for example, running an uploaded text file as a script). Add the following to .htaccess
Header set X-Content-Type-Options "nosniff"



Protection from libwww-perl

LWP (libwww-perl) is a set of Perl modules that makes it easy to script requests to a website, and many crude scanners and scrapers still announce themselves with its default User-Agent string. We can refuse those requests from .htaccess.

Add the following to .htaccess (requires mod_rewrite)
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* - [F,L]
The "-" target tells mod_rewrite not to substitute anything, and the F flag answers the request with 403 Forbidden. The User-Agent header is chosen by the client, so this only stops tools that do not bother to change it; it is housekeeping, not a security boundary.



Always use HTTPS over HTTP

TLS adds an extra security layer: encryption (nobody on the path can read the traffic), data integrity (it cannot be altered in transit) and authentication (the client knows it is talking to the right server). Redirect HTTP to HTTPS and, once everything works over HTTPS, add a Strict-Transport-Security header so browsers stop trying plain HTTP.


X-Frame-Options

The X-Frame-Options HTTP response header tells the browser whether it may render the page inside a frame or iframe, which is what clickjacking attacks rely on. Add the following to .htaccess (requires mod_headers)
Header set X-Frame-Options SAMEORIGIN
SAMEORIGIN allows framing only by pages from the same origin; use DENY if the page should never be framed at all.
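On hosts where .htaccess cannot be edited, the same headers can be sent from PHP before any output. The block below is an added example, not code from the original post: it sends the headers discussed above under their current names (Content-Security-Policy instead of the obsolete X- prefixed form, and Strict-Transport-Security for the "always use HTTPS" point) and drops X-Powered-By for the response, which is what expose_php = Off does globally. The policy values are starting points and must be tuned to the site.

```php
<?php
function security_headers(): array
{
    return [
        // Standard CSP header; frame-ancestors is the CSP equivalent of X-Frame-Options.
        'Content-Security-Policy'   => "default-src 'self'; frame-ancestors 'self'",
        'X-Content-Type-Options'    => 'nosniff',
        'X-Frame-Options'           => 'SAMEORIGIN',
        'X-XSS-Protection'          => '1; mode=block',   // legacy browsers only; CSP is the real control
        // Only once the whole site (including subdomains) is reachable over HTTPS:
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
    ];
}

// Call before any output; header() fails once the body has started.
function send_security_headers(): void
{
    header_remove('X-Powered-By');   // per-response equivalent of expose_php = Off
    foreach (security_headers() as $name => $value) {
        header($name . ': ' . $value);
    }
}

send_security_headers();
echo 'ok';
```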


Tuesday 21 June 2016

How to hide web server information from the headers?


Question: What do you mean by server technology in the header?
When a request is sent from a client to a server,
OR
when a request is sent from one server to another server,
a lot of information is also sent back to the client (the receiver) in the response headers, including the server software and its version numbers.
For example (the Server and X-Powered-By lines are the ones that disclose the technology):
HTTP/1.1 200 OK
Date: Tue, 21 Jun 2016 05:24:34 GMT
Server: Apache/2.2.22 (Win32) PHP/5.4.3
X-Powered-By: PHP/5.4.3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html



Question: What are the benefits of hiding server info from the header?
An attacker (or an automated scanner) will not get to know which technology and which versions you are using in your application, and so cannot go straight to the known weaknesses of those versions. Hiding the information does not fix any of those weaknesses, so it complements patching rather than replacing it.


Question: How to hide the server technology information from the header?
Step 1:
Open the php.ini file and change
expose_php = On

to
expose_php = Off
(this removes the X-Powered-By header; expose_php is PHP_INI_SYSTEM, so it cannot be changed with ini_set() and PHP must be restarted or reloaded)

Step 2:
Add the following to your .htaccess file (in the web root)
ServerSignature Off
(To also trim the Server: header down to a bare "Apache", set ServerTokens Prod in the main Apache configuration; that directive is not allowed in .htaccess.)

Step 3: Set up mod_security with Apache
https://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server
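After the three steps, the result should be verified rather than assumed. The block below is an added example, not code from the original post: a small check that parses a raw HTTP response head and reports the headers that still disclose server technology. The sample response is the one shown earlier in this post, embedded here as a constructed string.

```php
<?php
// Returns the disclosing headers found in a raw response head, with a hint for each.
// An empty array means the response is clean.
function disclosing_headers(string $raw_response_head): array
{
    $findings = [];
    foreach (preg_split('/\r?\n/', trim($raw_response_head)) as $line) {
        if (strpos($line, ':') === false) {
            continue;   // status line
        }
        [$name, $value] = array_map('trim', explode(':', $line, 2));
        $lname = strtolower($name);
        if ($lname === 'x-powered-by') {
            $findings[$name] = $value . ' (remove: expose_php = Off, or header_remove() in PHP)';
        } elseif ($lname === 'server' && preg_match('#/\d#', $value)) {
            // A bare product name ("Apache") is what ServerTokens Prod leaves; a version is not.
            $findings[$name] = $value . ' (trim: ServerTokens Prod in the main Apache config)';
        }
    }
    return $findings;
}

$sample = "HTTP/1.1 200 OK\r\n"
    . "Date: Tue, 21 Jun 2016 05:24:34 GMT\r\n"
    . "Server: Apache/2.2.22 (Win32) PHP/5.4.3\r\n"
    . "X-Powered-By: PHP/5.4.3\r\n"
    . "Connection: Keep-Alive\r\n"
    . "Content-Type: text/html\r\n";

print_r(disclosing_headers($sample));   // reports both Server and X-Powered-By
var_dump(disclosing_headers("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"));   // array(0) {}
```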



Monday 20 June 2016

How to enable the XSS Protection header?


Question: How to enable the XSS Protection header?
Add the following to your root .htaccess file (requires mod_headers)

# Set XSS Protection header
Header set X-XSS-Protection "1; mode=block"




Question: What is cross-site scripting?
Cross-site scripting (XSS) is a type of web application vulnerability in which an attacker gets script of their choosing injected into a page the site serves to other users, where it runs with that page's origin and privileges.


Question: What are the benefits of the XSS Protection header?
It asks the browser's built-in reflected-XSS filter to block the page when it detects an injected script. Only some older browsers still implement that filter (current Chromium-based browsers and Firefox ignore the header), so it is a defence-in-depth measure: output encoding and a Content-Security-Policy are the primary protections for your site.
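The header above is a browser-side, legacy mitigation; the server-side defence against XSS is encoding untrusted data for the context it is printed into. The block below is an added example, not code from the original post: e() is an assumed helper name, and the input string is constructed to show what a hostile query-string value looks like after encoding. The same treatment applies to anything client-supplied, such as the User-Agent value from the interview post above.

```php
<?php
// HTML-encodes untrusted text for use in element content and quoted attribute values.
// ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE avoids returning an empty string
// on malformed UTF-8 instead of failing silently.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_greeting(string $name): string
{
    return '<p>Hello, ' . e($name) . '</p>';
}

function render_link(string $label, string $title): string
{
    // Attribute context: the value must be quoted AND encoded, otherwise a quote in $title ends the attribute.
    return '<a href="/profile" title="' . e($title) . '">' . e($label) . '</a>';
}

// Constructed sample inputs, the kind of value a "name" parameter might carry:
echo render_greeting('<script>alert(1)</script>'), PHP_EOL;
// <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>
echo render_link('Me', '" onmouseover="alert(1)'), PHP_EOL;
// <a href="/profile" title="&quot; onmouseover=&quot;alert(1)">Me</a>
```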


Friday 4 March 2016

AES Encryption and Decryption in PHP See example


Question: What is AES encryption?
Advanced Encryption Standard is a specification for the encryption of data established by the NIST (National Institute of Standards and Technology) in 2001.


Question: What are the different key sizes available?
  1. 128 bits
  2. 192 bits
  3. 256 bits



Question: How does AES encryption work?
AES comprises three block ciphers, AES-128, AES-192 and AES-256. Each cipher encrypts and decrypts data in blocks of 128 bits using cryptographic keys of 128, 192 and 256 bits respectively. AES is a secret-key (symmetric) cipher: the same key is used for encrypting and decrypting, so the key must be shared only with the party that is meant to read the data. In software, AES runs about three times faster than DES.


Question: Write a function to encrypt/decrypt?
Note: the mcrypt extension this code relies on was deprecated in PHP 7.1 and removed from core in PHP 7.2, so it only runs on older PHP (or with the PECL mcrypt package). The second parameter is the AES key itself, written as hex, not a salt; it must stay secret, so a real key should not be left in source code as this default is. CBC mode on its own does not detect tampering with the ciphertext.
function encrypt_string($string = '', $salt = '8638FD63E6CC16872ACDED6CE49E5A270ECDE1B3B938B590E547138BB7F120EA') {
    $key = pack('H*', $salt);    // hex -> raw bytes: 64 hex digits = 32 bytes = AES-256
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
    // MCRYPT_RAND draws from rand(); IVs must come from the OS random source.
    $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);
    $ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $string, MCRYPT_MODE_CBC, $iv);
    // The IV is not secret; it is prepended so that decryption can find it.
    return base64_encode($iv . $ciphertext);
}

function decrypt_string($encodedText = '', $salt = '8638FD63E6CC16872ACDED6CE49E5A270ECDE1B3B938B590E547138BB7F120EA') {
    $key = pack('H*', $salt);
    $ciphertext_dec = base64_decode($encodedText);
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
    $iv_dec = substr($ciphertext_dec, 0, $iv_size);
    $ciphertext_dec = substr($ciphertext_dec, $iv_size);
    // mcrypt zero-pads the plaintext to the block size; strip those NUL bytes again.
    return rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $ciphertext_dec, MCRYPT_MODE_CBC, $iv_dec), "\0");
}
/* Encrypt and decrypt with a 256-bit key */
$encodedText = encrypt_string('hello');
echo decrypt_string($encodedText);



Question: How to encrypt/decrypt a string using 192 bits?
/* Encrypt and decrypt with a 192-bit key (48 hex digits = 24 bytes) */
$encodedText = encrypt_string('hello', '8638FD63E6CC16872ACDED6CE49E5A270ECDE1B3B938B590');
echo decrypt_string($encodedText, '8638FD63E6CC16872ACDED6CE49E5A270ECDE1B3B938B590');



Question: How to encrypt/decrypt a string using 128 bits?
/* Encrypt and decrypt with a 128-bit key (32 hex digits = 16 bytes) */
$encodedText = encrypt_string('hello', '8638FD63E6CC16872ACDED6CE49E5A27');
echo decrypt_string($encodedText, '8638FD63E6CC16872ACDED6CE49E5A27');
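The three questions above (256-, 192- and 128-bit keys) are served by one function pair on current PHP. The block below is an added example, not code from the original post: it rewrites the encrypt/decrypt pair with the openssl extension (mcrypt is gone since PHP 7.2), takes the IV from random_bytes(), derives a separate MAC key with hash_hkdf() (PHP 7.1.2+), and appends an HMAC so tampered or mis-keyed ciphertext is rejected instead of decrypting to garbage. The key length selects AES-128, AES-192 or AES-256; the hex keys are the ones from the post, used here only as sample values and not suitable for real use.

```php
<?php
function aes_cipher_for(string $key): string
{
    $bits = strlen($key) * 8;
    if (!in_array($bits, [128, 192, 256], true)) {
        throw new InvalidArgumentException("AES keys must be 128, 192 or 256 bits, got $bits");
    }
    return "aes-$bits-cbc";
}

// Separate key for the MAC, so the encryption key is never used for two purposes.
function mac_key(string $key): string
{
    return hash_hkdf('sha256', $key, 32, 'mac');
}

function encrypt_string_v2(string $plaintext, string $key): string
{
    $cipher = aes_cipher_for($key);
    $iv = random_bytes(openssl_cipher_iv_length($cipher));
    $ciphertext = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // Encrypt-then-MAC over IV + ciphertext.
    $mac = hash_hmac('sha256', $iv . $ciphertext, mac_key($key), true);
    return base64_encode($iv . $ciphertext . $mac);
}

// Returns the plaintext, or null when the input is malformed, tampered with, or encrypted under another key.
function decrypt_string_v2(string $encoded, string $key): ?string
{
    $cipher = aes_cipher_for($key);
    $blob = base64_decode($encoded, true);
    $iv_len = openssl_cipher_iv_length($cipher);
    if ($blob === false || strlen($blob) < $iv_len + 32) {
        return null;
    }
    $mac       = substr($blob, -32);
    $iv_and_ct = substr($blob, 0, -32);
    $expected  = hash_hmac('sha256', $iv_and_ct, mac_key($key), true);
    if (!hash_equals($expected, $mac)) {
        return null;   // do not even attempt to decrypt
    }
    $iv = substr($iv_and_ct, 0, $iv_len);
    $plain = openssl_decrypt(substr($iv_and_ct, $iv_len), $cipher, $key, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

// Keys as raw bytes: 32, 24 and 16 bytes for AES-256, AES-192 and AES-128.
$keys = [
    256 => pack('H*', '8638FD63E6CC16872ACDED6CE49E5A270ECDE1B3B938B590E547138BB7F120EA'),
    192 => pack('H*', '8638FD63E6CC16872ACDED6CE49E5A270ECDE1B3B938B590'),
    128 => pack('H*', '8638FD63E6CC16872ACDED6CE49E5A27'),
];
foreach ($keys as $bits => $key) {
    $encoded = encrypt_string_v2('hello', $key);
    var_dump(decrypt_string_v2($encoded, $key));   // string(5) "hello" for each key size
}

// Flipping one byte inside the ciphertext is caught by the MAC:
$raw = base64_decode(encrypt_string_v2('hello', $keys[256]));
$raw[20] = chr(ord($raw[20]) ^ 1);
var_dump(decrypt_string_v2(base64_encode($raw), $keys[256]));   // NULL
// Decrypting with the wrong key fails the same way:
var_dump(decrypt_string_v2(encrypt_string_v2('hello', $keys[256]), $keys[128]));   // NULL
```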