
Security Cheat Sheet (DRAFT) by

security, cache, cookie

This is a draft cheat sheet. It is a work in progress and is not finished yet.

cookie

When a browser requests an image identified by an img tag, it never sends a Cookie header.

A. TRUE
B. FALSE
Answer: B

cookie

How can you determine whether a PHP script has already sent cookies to the client?
A. Use $_COOKIE
B. Use the getcookie() function
C. Use the headers_sent() function
D. Use JavaScript to send a second HTTP request
Answer: C

Filtering

Which of the following filtering techniques prevents all cross-site scripting (XSS)
vulnerabilities?
A. Strip all occurrences of the string <script .
B. Strip all occurrences of the string javascript .
C. Enable magic_quotes_gpc .
D. None of the above.
Answer: D

ERRORS

How should you track errors on your production website?

A. Enabling display_errors
B. Enabling log_errors
C. Having a site-wide exception handler
D. Setting error_reporting to E_ALL & ~E_NOTICE
Answer: B

tmp_name

What is the name of the key for the element in $_FILES['name'] that contains the provisional name of the uploaded file?
Answer: tmp_name

SPL

Which SPL class implements fixed-size storage?
Answer: SplFixedArray

uploads

Which of the following is NOT a requirement for file uploads to work?

A. The PHP directive file_uploads must be set to On
B. The form's method attribute must be set to "post"
C. The form must include a hidden input element with the name set to "MAX_FILE_SIZE"
D. The form's enctype attribute must be set to "multipart/form-data"
Answer: C

type of uploaded

What information can be used to reliably determine the type of an uploaded file?
A. MIME type
B. File name extension
C. Contents of the file
Answer: C

static binding

Late static binding is used in PHP to:

A. Load dynamic libraries and extensions at runtime
B. Use caller class information provided in a static method call
C. Resolve undefined class names by automatically including needed files
D. Find the proper method to call according to the call arguments
Answer: B

Transactions

Transactions are used to...

A. guarantee high performance
B. secure data consistency
C. secure access to the database
D. reduce the database server overhead
E. reduce code size in PHP
Answer: B

SOAPServer

Which of the following can be registered as entry points with a SoapServer instance (choose 2):

A. A single function
B. A single method from a class
C. All methods from a class
D. All classes defined in a script
Answer: A, C

Security

One common security risk is exposing error messages directly in the browser. Which PHP configuration directive can be disabled to prevent this?

A. html_display
B. error_reporting
C. display_errors
D. error_log
E. ignore_repeated_errors
Answer: C

SOAPServer

Which of the following statements about SOAP is NOT true?

A. SOAP is also a request-/response-based protocol.
B. SOAP can be transported using SMTP, HTTP and other protocols.
C. SOAP requires developers to use WSDL.
D. SOAP traffic via HTTP can be encrypted and compressed just like other HTTP requests.
Answer: C

Sessions

When tracking upload progress with sessions, the values of 2 INI settings are needed to determine the key in $_SESSION of the upload progress data. What are the INI settings?

A. session.upload_progress.file
B. session.upload_progress.key
C. session.upload_progress.prefix
D. session.upload_progress.freq
E. session.upload_progress.name
Answer: C, E

opcode cache

What will an opcode cache ALWAYS automatically improve?

A. Running time of a loop in a PHP script
B. Efficiency of HTML markup generated by a PHP script
C. Execution speed of a PHP script
D. Memory footprint of a PHP script
E. None of the above
Answer: E

cache

What is cached by an opcode cache?
A. Compiled PHP code
B. Native PHP extensions
C. Data sent to the client
D. Data received from the database
Answer: A

interface

Which of the following statements is correct?

A. Interfaces can extend only one interface
B. Interfaces can extend more than one interface
C. Interfaces can inherit a method from different interfaces
D. Interfaces can redeclare inherited methods
Answer: B

status code

Which class of HTTP status codes is used for redirections?
A. 2XX
B. 3XX
C. 4XX
D. 5XX
Answer: B

Mime type

Which MIME type is always sent by a client if a JPEG file is uploaded via HTTP?
A. image/jpeg
B. image/jpg
C. image/pjpeg
D. Depends on the client system
Answer: D

Security

Which class of HTTP status codes is used for server error conditions?
A. 2XX
B. 3XX
C. 4XX
D. 5XX
Answer: D

Security

Your public web application needs to provide access to binary files for registered users only. How would you achieve this?

A. Host the files on a public external file sharing service.
B. Redirect to the file which resides in the server's document root
C. Use PHP to send the file to the client, using the header() function to set appropriate HTTP headers
D. PHP is used for serving HTML content, not binary content
Answer: C

Security

In a shared hosting environment, session data can be read by PHP scripts written by any user. How can you prevent this? (Choose 2)

A. Store session data in a different location with session.save_path .
B. Store session data in a database.
C. Enable safe_mode .
D. Set session.name to something unique.
Answer: A, B

Security

Which of the following are NOT acceptable ways to create a secure password hash in PHP? (Choose 2)
A. md5()
B. hash_pbkdf2()
C. password_hash()
D. crypt()
E. openssl_digest()
Answer: A, E

Security

Is the following code vulnerable to SQL injection ($mysqli is an instance of the MySqli class)?

// $_GET values are untrusted input; both are passed through real_escape_string()
$age = $mysqli->real_escape_string($_GET['age']);
$name = $mysqli->real_escape_string($_GET['name']);
// both escaped values are interpolated directly into the query string
$query = "SELECT * FROM `table` WHERE name LIKE '$name' AND age = $age";
$results = $mysqli->query($query);

A. No, the code is fully protected from SQL injection
B. Yes, because the $name variable is improperly escaped
C. Yes, because the $name variable and the $age variable are improperly escaped
D. Yes, because the $age variable is improperly escaped
E. Yes, because you cannot prevent SQL injection when using MySqli
Answer: D

Security

You work for a shared hosting provider, and your supervisor asks you to disable user scripts from dynamically loading PHP extensions using the dl() function. How can you do this? (Choose 2)

A. Set enable_dl to Off in the server's php.ini configuration file
B. Add dl to the current value of disable_functions in the server's php.ini configuration file
C. Add dl to the current value of disable_classes in the server's php.ini configuration file
D. Write a custom function called dl(), save it under the name prepend.inc and then set the auto_prepend_file directive to prepend.inc in php.ini
Answer: A, B

Security

Which of the following can NOT be used to send a cookie from within a PHP application?

A. header()
B. $_COOKIE
C. setcookie()
D. setrawcookie()
Answer: B

Security

When using password_hash() with the PASSWORD_DEFAULT algorithm constant, which of the following is true? (Choose 2)

A. The algorithm that is used for hashing passwords can change when PHP is upgraded.
B. The salt option should always be set to a longer value to account for future algorithm requirements.
C. The string length of the returned hash can change over time.
D. The hash algorithm that's used will always be compatible with crypt() .
Answer: A, C

Security

What types of HTTP authentication are supported by PHP? (Choose 2)
A. Basic
B. Advanced
C. Strict
D. Digest
E. Realm
Answer: A, D

Security

What is the name of the header used to require HTTP authentication?

A. Authorization-Required
B. WWW-Authenticate
C. HTTP-Authenticate
D. Authentication-Required
E. HTTP-Auth
Answer: B

Security

Which of the following does NOT help to protect against session hijacking and fixation attacks?
A. Use SSL and set the $secure cookie parameter to true .
B. Set the session.use_only_cookies php.ini parameter to 1 .
C. Set the session.cookie_lifetime php.ini parameter to 0 .
D. Protect against XSS vulnerabilities in the application.
E. Rotate the session id on successful login and logout using session_regenerate_id()
Answer: C

Security

What can prevent PHP from being able to open a file on the hard drive (Choose 2)?

A. File system permissions
B. File is outside of open_basedir
C. File is inside the /tmp directory.
D. PHP is running in CGI mode.
Answer: A, B

Security

Which options do you have in PHP to set the expiry date of a session?
A. Set the session.duration directive in php.ini
B. Set session cookie expiry date locally via session_set_cookie_params()
C. Set session expiry date locally via session_cache_expire()
D. None of the above
Answer: D