Re: PHP snippets (once again): msg#00041
php.drupal.documentation
On Sun, 07 May 2006 17:51:08 +0200, Kieran Lal <kieran@xxxxxxxxxxxxxxxxxx> wrote:

> How about a write page called common security flaws in snippets. In the Drupal community we spend more time explaining coding style than we do teaching new users how to avoid security flaws in contributed modules or in snippets. Security awareness has to become part of the culture and that means explaining security vulnerabilities in public and educating the community.

Good idea. If I'm not mistaken, many module authors would also benefit from this. I imagine several short points with links to more verbose pages (such as http://drupal.org/node/28984: How to handle text in a secure fashion).

I think the snippet pages are a great asset to the community, and while we tell people to look carefully at the snippets before using, I think we must protect people that don't know much about php & security.

I've reviewed 45 snippets right now:

22 ok
22 not ok (6 XSS, 2 SQL injection, rest access restriction bypass)
1 uncertain
1 duplicates drupal functionality

--
Pending work: http://drupal.org/project/issues/documentation/
List archives: http://lists.drupal.org/pipermail/documentation/