Drupal 7 Module Development by Ken Rickard, John Wilkins, Larry Garfield, Matt Butcher, Greg Dunlap, Matt Farina

Securing forms in Drupal

Form handling is one of the most crucial areas of website security. Inappropriate handling of form data can lead to multiple security weaknesses including SQL injection and cross-site request forgeries (CSRF). While we cannot cover all aspects of security in a brief chapter, it is important to state some clear guidelines for Drupal module developers.

Note

See http://en.wikipedia.org/wiki/CSRF for information on CSRF, and for cross-site scripting (XSS) see http://en.wikipedia.org/wiki/XSS.

The Forms API

First and foremost, you should always use the Drupal Forms API when creating and processing forms in Drupal. For one, doing so makes your life easier because the Forms API contains standards for form definition, AJAX handling, ...
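The following is an added example, not code from the book, of what "use the Forms API" means in practice for Drupal 7. It is a minimal module (the module name mymodule, the path feedback, the table mymodule_feedback and its columns are all hypothetical) that declares, validates and submits a form through the Forms API, and then shows for contrast a hand-rolled handler that has both of the weaknesses the chapter names.

```php
<?php
// mymodule.module: added example of a Drupal 7 form built with the Forms API.
// Module name, URL path, table name and column names are hypothetical.

/**
 * Implements hook_menu().
 *
 * drupal_get_form() builds the form, and on POST it also checks the
 * form_build_id and form_token hidden fields that the Forms API adds for
 * logged-in users, so a cross-site request forgery without a valid token
 * is rejected before any of the handlers below run.
 */
function mymodule_menu() {
  $items['feedback'] = array(
    'title' => 'Send feedback',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_feedback_form'),
    'access arguments' => array('access content'),
  );
  return $items;
}

/**
 * Form builder: declare the elements, Drupal renders and processes them.
 */
function mymodule_feedback_form($form, &$form_state) {
  $form['email'] = array(
    '#type' => 'textfield',
    '#title' => t('Your e-mail address'),
    '#required' => TRUE,
    '#maxlength' => 254,
  );
  $form['message'] = array(
    '#type' => 'textarea',
    '#title' => t('Message'),
    '#required' => TRUE,
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Send'),
  );
  return $form;
}

/**
 * Validate handler (FORM_ID_validate is called automatically).
 *
 * Values are read from $form_state['values'], never from $_POST, so only
 * the elements the builder declared are present, and #required and
 * #maxlength have already been enforced before this runs.
 */
function mymodule_feedback_form_validate($form, &$form_state) {
  if (!valid_email_address($form_state['values']['email'])) {
    form_set_error('email', t('Please enter a valid e-mail address.'));
  }
}

/**
 * Submit handler: runs only when validation raised no errors.
 */
function mymodule_feedback_form_submit($form, &$form_state) {
  // Parameterised insert: the database layer quotes the values, so an
  // e-mail such as "x' OR '1'='1" is stored as text, not run as SQL.
  db_insert('mymodule_feedback')
    ->fields(array(
      'email' => $form_state['values']['email'],
      'message' => $form_state['values']['message'],
      'created' => REQUEST_TIME,
    ))
    ->execute();

  // User input is escaped before it reaches HTML: %placeholders in t()
  // are passed through check_plain().
  drupal_set_message(t('Thanks, we will reply to %email.',
    array('%email' => $form_state['values']['email'])));
}

/**
 * For contrast, what NOT to do: a hand-rolled handler with both weaknesses
 * the chapter names. No token is checked (CSRF), and the query is built by
 * string concatenation (SQL injection).
 */
function mymodule_insecure_handler() {
  if (isset($_POST['email'])) {
    $email = $_POST['email'];  // Untrusted and unvalidated.
    db_query("INSERT INTO {mymodule_feedback} (email) VALUES ('" . $email . "')");
  }
}
```

The mymodule_feedback table would be created by hook_schema() in mymodule.install; that file is omitted here. The point to take away is that none of the three Forms API handlers touches $_POST, builds SQL by hand, or checks a token itself: the token check, the restriction of input to declared elements, and the quoting of database values are all done by the framework once the form is routed through drupal_get_form().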
