Know about a security issue? Please alert the security team.
Whether you are writing a PHP snippet or an entire module, it is important to keep your code secure.

Use check functions on output to prevent cross site scripting attacks

No piece of user-submitted content should ever be placed as-is into HTML.
- Use check_plain() or theme('placeholder') for plain text.
- Use check_markup() or filter_xss() for text that contains markup.
- Use the t() function with @ or % placeholders to construct safe, translatable strings.

Use the database abstraction layer to avoid SQL injection attacks

Use the database layer correctly. Never concatenate user data directly into a SQL string; pass the values as arguments so that db_query() escapes them through its placeholders, like this:

<?php db_query("SELECT foo FROM {table} t WHERE t.name = '%s'", $_GET['user']); ?>

If you have to accommodate a variable number of arguments in your SQL, create an array of placeholders. A single placeholder receives exactly one escaped value, so it cannot expand into a list. Don't do this:

<?php db_query("SELECT t.s FROM {table} t WHERE t.field IN (%s)", $from_user); ?>

Instead, do this:

<?php
$placeholders = implode(',', array_fill(0, count($from_user), "%d"));
db_query("SELECT t.s FROM {table} t WHERE t.field IN ($placeholders)", $from_user);
?>
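The variable-length IN clause above, carried through as an added example that is not part of the Drupal handbook text. It assumes the Drupal 6-style db_query(), db_fetch_object() and check_plain() functions and the {node} table; the helper name secure_in_clause(), the sample values, and the empty-list handling are this example's own.

```php
<?php
// Added example (not from the Drupal handbook): build an IN (...) clause for a
// variable number of values using the Drupal 6-style db_query() placeholders.
// Assumes db_query(), db_fetch_object() and check_plain() are available, i.e.
// the code runs inside Drupal; the helper itself is plain PHP.

/**
 * Returns array($sql_fragment, $args) for "field IN (...)".
 *
 * @param array $values  User-supplied values (e.g. from $_GET['ids']).
 * @param bool  $numeric TRUE to bind with %d (integers), FALSE to bind with '%s'.
 */
function secure_in_clause(array $values, $numeric = TRUE) {
  // Edge case: an empty list would produce "IN ()", which is a SQL syntax
  // error. Return an always-false condition instead so the query stays valid.
  if (count($values) == 0) {
    return array('1 = 0', array());
  }
  // Re-index so argument order matches placeholder order, and cast integers
  // explicitly so that unexpected input cannot change the placeholder type.
  $values = array_values($values);
  if ($numeric) {
    $values = array_map('intval', $values);
  }
  // %d needs no quotes; %s must be written as '%s' in a Drupal 6 query.
  $placeholder = $numeric ? '%d' : "'%s'";
  $placeholders = implode(',', array_fill(0, count($values), $placeholder));
  return array("IN ($placeholders)", $values);
}

// Constructed sample input: in a real request these come from the query string,
// and one of them is a string that is not a valid id at all.
$_GET['ids'] = array('3', '7', '1 OR 1=1');
list($in_sql, $args) = secure_in_clause($_GET['ids'], TRUE);

// Each value is bound to its own %d placeholder, so the malformed string is
// reduced to the integer 1 and never reaches the query as SQL text.
$result = db_query("SELECT n.nid, n.title FROM {node} n WHERE n.nid $in_sql", $args);

// Output side: every title is passed through check_plain() before it is
// placed into HTML, as the section on cross site scripting requires.
while ($node = db_fetch_object($result)) {
  print '<li>' . check_plain($node->title) . '</li>';
}
?>
```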