Technical Mid Level

What are the most critical security concerns in PHP applications and how do you mitigate them?

Quick Tip

Show layered thinking: "I use parameterised queries, encode all output, set CSP headers, run composer audit in CI, and use Argon2id for password hashing."

What good answers include

Key concerns: SQL injection (parameterised queries or an ORM), XSS (output encoding, CSP headers), CSRF (per-session tokens), session security (HttpOnly/Secure cookie flags, ID regeneration on login), file upload validation, password hashing (bcrypt/Argon2), and dependency vulnerabilities (composer audit). Strong candidates also mention security headers, the distinction between input validation and output encoding, and defence in depth.
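The layers listed above, shown together as an added PHP example (not code from the original page). It assumes PHP 7.4+ built with Argon2 support, a PDO handle, and a hypothetical users table with id, email and password_hash columns.

```php
<?php
// Added example, not from the original page: the layered defences the answer lists, as small
// functions. Assumes a PDO handle and a hypothetical 'users' table (id, email, password_hash).
declare(strict_types=1);
// Session security: HttpOnly/Secure/SameSite flags on the session cookie.
function startSecureSession(): void {
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict']);
    session_start();
}
// Security headers: CSP restricts where scripts may load from; nosniff stops MIME confusion.
function sendSecurityHeaders(): void {
    header("Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}
// CSRF: per-session random token, verified with a constant-time comparison.
function csrfToken(): string {
    $_SESSION['csrf'] ??= bin2hex(random_bytes(32));
    return $_SESSION['csrf'];
}
function csrfValid(?string $submitted): bool {
    return $submitted !== null && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}
// SQL injection: parameterised query; user input never becomes part of the SQL text.
function findUserByEmail(PDO $db, string $email): ?array {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
// Password hashing: Argon2id; password_verify reads salt and cost parameters from the stored hash.
function hashPassword(string $plain): string {
    return password_hash($plain, PASSWORD_ARGON2ID);
}
// XSS: encode at output time for the HTML context, not at input time.
function e(string $untrusted): string {
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// Login flow tying the layers together; regenerate the session id when privilege changes.
function login(PDO $db, string $email, string $password, ?string $csrf): bool {
    if (!csrfValid($csrf)) { return false; }
    $user = findUserByEmail($db, $email);
    if ($user === null || !password_verify($password, $user['password_hash'])) { return false; }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    return true;
}
```

Dependency checking is the one layer not shown in code: run composer audit in CI so known-vulnerable packages fail the build.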

What interviewers are looking for

Critical for any PHP developer. Those who only mention SQL injection are thinking too narrowly. Look for awareness of the full attack surface including session handling and dependency security.
