Programming Languages
PHP
Subjective
Sep 23, 2025
Explain modern PHP security practices for 2025, including input validation, CSRF protection, SQL injection prevention, and secure session management.
Detailed Explanation
Modern PHP Security Practices for 2025:
1. Input Validation & Sanitization:
// Use filter_var with strict validation
function validateEmail(string $email): bool {
return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}
// Input sanitization
function sanitizeInput(string $input): string {
return htmlspecialchars(trim($input), ENT_QUOTES, "UTF-8");
}
// Type declarations for strict typing
declare(strict_types=1);
function processUserData(int $userId, string $email): void {
// Type safety enforced at runtime
}2. CSRF Protection:
class CSRFProtection {
public static function generateToken(): string {
if (!isset($_SESSION["csrf_token"])) {
$_SESSION["csrf_token"] = bin2hex(random_bytes(32));
}
return $_SESSION["csrf_token"];
}
public static function validateToken(string $token): bool {
return isset($_SESSION["csrf_token"]) &&
hash_equals($_SESSION["csrf_token"], $token);
}
}3. SQL Injection Prevention:
// Use prepared statements exclusively
class UserRepository {
public function findByEmail(string $email): ?User {
$stmt = $this->pdo->prepare("SELECT * FROM users WHERE email = ? AND status = ?");
$stmt->execute([$email, "active"]);
return $stmt->fetchObject(User::class) ?: null;
}
// For dynamic queries, use query builders
public function findWithFilters(array $filters): array {
$queryBuilder = new QueryBuilder();
return $queryBuilder->select("*")
->from("users")
->where($filters) // Automatically parameterized
->execute();
}
}4. Secure Session Management:
// Secure session configuration
ini_set("session.cookie_httponly", 1);
ini_set("session.cookie_secure", 1);
ini_set("session.cookie_samesite", "Strict");
ini_set("session.use_strict_mode", 1);
ini_set("session.gc_maxlifetime", 3600);
class SecureSession {
public static function start(): void {
session_start();
// Regenerate session ID periodically
if (!isset($_SESSION["last_regeneration"])) {
self::regenerateId();
} elseif (time() - $_SESSION["last_regeneration"] > 300) {
self::regenerateId();
}
}
private static function regenerateId(): void {
session_regenerate_id(true);
$_SESSION["last_regeneration"] = time();
}
}5. Additional Security Measures:
- Content Security Policy: Implement strict CSP headers
- Rate Limiting: Prevent brute force attacks
- Password Hashing: Use password_hash() with strong algorithms
- HTTPS Enforcement: Redirect all traffic to HTTPS
- Security Headers: X-Frame-Options, X-XSS-Protection, etc.
6. Modern Authentication:
// JWT implementation with proper validation
class JWTAuth {
public function createToken(User $user): string {
$payload = [
"sub" => $user->getId(),
"iat" => time(),
"exp" => time() + 3600,
"aud" => "your-app.com"
];
return JWT::encode($payload, $this->secretKey, "HS256");
}
}Discussion (0)
No comments yet. Be the first to share your thoughts!
Share Your Thoughts