Writing secure code
Writing secure code in Drupal 7.
- Overview
- Avoid using data from $form_state['input']
- Create forms in a safe way to avoid cross-site request forgeries (CSRF)
- Database access
- Do not use /e in preg_replace() - use preg_replace_callback() instead
- File uploads, downloads and management
- Directories
- Handle text in a secure fashion
- Handling Private/Personally Identifiable Information
- Session IDs
- Use of hash functions
- Using PHP with eval() or drupal_eval()
- When to use db_rewrite_sql or ->addTag()
- Use Drupal Unicode functions for strings
- Safely Impersonating Another User