Re: PHP snippets (once again): msg#00043, php.drupal.documentation
Heine,

Is there a document that details how not to produce such code, and gives examples of how each of these types of vulnerabilities may be created and resolved? If not then creating such a document should be a priority.

Best Regards,
Sami Khan

> Dear doc team,
>
> I looked at several snippets yesterday and to my horror many of them
> contain *obvious*, major security holes. I've spoken with the leader of
> the security team (chx) and we agreed to unpublish all obviously insecure
> snippets, then have a discussion based on numbers (ok vs. not ok) and how
> to proceed.
>
> In the limited sample set I've reviewed until now > 50% of the snippets
> either
>
> - bypass 'access' security (sometimes titles, sometimes full nodes)
> - allow XSS
> - allow SQL injection
> - allow a combination of the above
>
> Regards,
>
> Heine
>
> PS Should we decide to continue with php snippets in this way, I'll also
> be the one to publish them again :(
> --
> Pending work: http://drupal.org/project/issues/documentation/
> List archives: http://lists.drupal.org/pipermail/documentation/
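The three defect classes Heine lists (access bypass, XSS, SQL injection) are the kind of thing Sami's requested document would have to show side by side. The script below is an added example written for this page, not code from the mailing list, from Drupal, or from any of the unpublished snippets. It runs as plain PHP against a constructed in-memory SQLite table that stands in for Drupal's node table, with a simplified access rule (published nodes are public, unpublished ones visible only to their author) that is an assumption for the demo. The Drupal 5/6-era functions named in the comments (db_query with %d placeholders, db_rewrite_sql, node_access, check_plain) are the real equivalents of the plain-PHP fixes shown.

```php
<?php
// Added example: each of Heine's three snippet defects in a deliberately
// broken form next to its fixed form, against constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE node (nid INTEGER PRIMARY KEY, uid INTEGER, status INTEGER, title TEXT)');
// Constructed rows: one public page, one unpublished draft, one with a hostile title.
$db->exec("INSERT INTO node VALUES (1, 1, 1, 'Public page')");
$db->exec("INSERT INTO node VALUES (2, 2, 0, 'Unpublished salary review')");
$db->exec("INSERT INTO node VALUES (3, 1, 1, '<script>alert(1)</script>')");

// Assumed access model standing in for node_access('view', $node):
// published nodes are visible to everyone, unpublished ones only to their author.
function can_view(array $node, array $account): bool {
    return $node['status'] == 1 || $node['uid'] == $account['uid'];
}

// 1. SQL injection. Broken: request input (think $_GET['nid'] or arg(1))
//    is spliced straight into the SQL string.
function title_by_nid_broken(PDO $db, string $nid): array {
    $rows = $db->query("SELECT nid, title FROM node WHERE nid = $nid")->fetchAll(PDO::FETCH_ASSOC);
    return array_column($rows, 'title');
}
// Fixed: cast to int and bind. Drupal equivalent: db_query("... WHERE nid = %d", $nid).
function title_by_nid_fixed(PDO $db, string $nid): array {
    $stmt = $db->prepare('SELECT nid, title FROM node WHERE nid = :nid');
    $stmt->execute([':nid' => (int) $nid]);
    return array_column($stmt->fetchAll(PDO::FETCH_ASSOC), 'title');
}

// 2. Access bypass. Broken: every title in the table is listed, so unpublished
//    or restricted nodes leak to anonymous users (the "titles" case Heine mentions).
function list_titles_broken(PDO $db): array {
    return array_column($db->query('SELECT title FROM node')->fetchAll(PDO::FETCH_ASSOC), 'title');
}
// Fixed: run every row through the access check before showing it.
// Drupal equivalent: db_rewrite_sql() on the query plus node_access() per node.
function list_titles_fixed(PDO $db, array $account): array {
    $rows = $db->query('SELECT nid, uid, status, title FROM node')->fetchAll(PDO::FETCH_ASSOC);
    $visible = array_filter($rows, fn($n) => can_view($n, $account));
    return array_values(array_column($visible, 'title'));
}

// 3. XSS. Broken: a user-supplied title is interpolated into HTML unescaped.
function render_broken(string $title): string {
    return "<li>$title</li>";
}
// Fixed: escape on output. Drupal's check_plain() is this htmlspecialchars() call.
function render_fixed(string $title): string {
    return '<li>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</li>';
}

// Demonstration against the constructed data.
$anonymous = ['uid' => 0];
$bad_nid   = '0 OR 1=1';                     // constructed malformed nid parameter
print_r(title_by_nid_broken($db, $bad_nid)); // all three titles, draft included
print_r(title_by_nid_fixed($db, $bad_nid));  // empty: (int) '0 OR 1=1' is 0, no such nid
print_r(list_titles_broken($db));            // leaks 'Unpublished salary review'
print_r(list_titles_fixed($db, $anonymous)); // only the two published nodes
foreach (list_titles_fixed($db, $anonymous) as $t) {
    echo render_broken($t), "\n";            // the script tag reaches the browser as markup
    echo render_fixed($t), "\n";             // &lt;script&gt;... is displayed as text
}
```

Run it with the PHP CLI (PDO's SQLite driver is compiled in on most builds). The point to take from the pairs is that each fix is one local change at the right layer: bind parameters where the query is built, check access where rows are read, and escape where strings meet HTML, which is the same separation Drupal's own API enforces when snippets use it instead of raw queries and echo.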