
Drupal 7 Module Development


Appendix B

There are both RSS feeds to subscribe to and e-mail lists we can join in order to be notified any time a security advisory (SA) is issued. Every Drupal site administrator and developer should subscribe to one or the other so they hear about a security-related release when it happens. Both are, fortunately, very low-traffic.

Second, Drupal itself includes a module called Update Status (listed as Update manager in the Drupal 7 module list) that periodically connects to drupal.org to check whether a newer version of Drupal core or of any installed module exists. It is enabled by default but can be disabled. Don't disable it. In fact, it's best to keep its e-mail notification option enabled as well, so that we are reminded by e-mail when a module has a new security release rather than having to remember to look at the status report. One caveat: it only knows about projects hosted on drupal.org, so custom modules and anything installed from elsewhere still have to be tracked by hand. We can't keep a site secure if we don't know that it has a vulnerability to begin with.

Summary

Security is a large subject, and one that we could easily spend much more time discussing in greater detail. For the time being, however, it is sufficient to focus on a secure approach to overall development:

• Security is a process, not a one-time task

• Treat all incoming data, from whatever source, as untrusted until it has been verified and sanitized

• Filter all data, either on input or on output as appropriate; Drupal's convention is to store data as entered and filter it on output

• Always filter or escape data sent to the browser in a way that fits the context where it will be used (HTML text, attribute, URL, and so on)

• Protect against SQL injection by using prepared statements with placeholders, and never, ever put a variable directly into an SQL query string

• When a security vulnerability is discovered, don't panic, but follow the established best practices to report and fix the problem

• Always stay on top of available security releases for Drupal core and for Drupal modules
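To make the last few points concrete, here is a Drupal 7 page callback written two ways: first ignoring the rules above, then following them. This is an added example and not code from the book; the `example` module, the `example_note` content type, the `search` query parameter, and the function names are assumptions made for illustration.

```php
<?php
/**
 * Added example (not from the book). Assumes a hypothetical 'example'
 * module with an 'example_note' content type and a page that searches
 * note titles by a ?search= query parameter.
 */

/**
 * UNSAFE: the request value is pasted into the SQL text and echoed raw.
 *
 * A search value such as  ' OR '1'='1  rewrites the WHERE clause, and a
 * node title containing <script> is sent to the browser unescaped.
 */
function example_notes_page_unsafe() {
  $term = isset($_GET['search']) ? $_GET['search'] : '';

  // Variable placed directly into the query: the SQL changes with the input.
  $sql = "SELECT title FROM {node} WHERE type = 'example_note'"
       . " AND title LIKE '%" . $term . "%'";
  $titles = db_query($sql)->fetchCol();

  // Output without escaping: both $term and stored titles reach the page as-is.
  $out = '<h2>Results for ' . $term . '</h2><ul>';
  foreach ($titles as $title) {
    $out .= '<li>' . $title . '</li>';
  }
  return $out . '</ul>';
}

/**
 * SAFE: verify the input, bind it with a placeholder, escape on output.
 */
function example_notes_page_safe() {
  $term = isset($_GET['search']) ? $_GET['search'] : '';

  // Verify: reject input that does not fit what a search term should be.
  if (drupal_strlen($term) > 64) {
    return t('The search term is too long.');
  }

  // Prepared statement: the driver binds :pattern as data, so it can never
  // become part of the SQL. db_like() escapes the LIKE wildcards % and _.
  $titles = db_query(
    "SELECT title FROM {node} WHERE type = :type AND title LIKE :pattern",
    array(
      ':type'    => 'example_note',
      ':pattern' => '%' . db_like($term) . '%',
    )
  )->fetchCol();

  // Escape for the context where the data is used (HTML text).
  // t() runs check_plain() on @-placeholders; item_list does not escape
  // its items, so each title is passed through check_plain() first.
  $out = '<h2>' . t('Results for @term', array('@term' => $term)) . '</h2>';
  $items = array();
  foreach ($titles as $title) {
    $items[] = check_plain($title);
  }
  $out .= theme('item_list', array('items' => $items));
  return $out;
}
```

Note that the safe version still stores titles exactly as they were entered; all the protection happens at the boundaries, where data enters the query and where it leaves for the browser. If a field is meant to carry limited HTML rather than plain text, `filter_xss()` with an explicit allowed-tag list is the output filter to use in place of `check_plain()`.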
