Forums / Cotonti / Support / Security tutorial request

tensh
#1 2009-05-14 16:00
Hello;

I'd like to request a tutorial with a breakdown of Cotonti security measures. I'd like to write some plugins, and having it all put in a nice article would help me prevent any security holes.

Also, additionally mentioned "php best practices" would be nice as well.
GHengeveld
#2 2009-05-14 19:52
Basic security for your plugin is provided by following these rules:

- Use the SED_CODE check as the first line of your plugin code

- ALWAYS use the sed_import() function for importing http request parameters (don't forget to use the right datatype and use the optional maxlength if applicable)

- Use sed_sql_prep() function in SQL statements, or cast using (int) for integer values (usually IDs)

- Try to use Cotonti's core functions (see functions.php and database.mysql.php) instead of your own as much as possible, this includes using functions that replace default php functions such as sed_sql_query (mysql_query())

- Don't trust ANY data given by a user, always expect data to be unsafe

- Don't do anything stupid


A tutorial might be a good thing to have though.
This post was edited by Koradhil (2009-05-14 20:01, 14 years ago)
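Putting the rules from the post above together, as an added example (not code from this thread or from Cotonti itself): the unsafe pattern is kept in comments beside the hardened form. The function names and the SED_CODE constant are Cotonti's as cited in the post; the table sed_notes, its columns and the request parameters are hypothetical.

```php
<?php
/* Added illustration, not from the thread. Table "sed_notes" and its
 * columns are hypothetical; sed_import(), sed_sql_prep(), sed_sql_query()
 * and sed_sql_fetchassoc() are Cotonti core functions (functions.php /
 * database.mysql.php) as named in the post above. */

// Rule 1: refuse to run unless loaded by Cotonti's core, so a direct
// HTTP request for this file executes nothing.
defined('SED_CODE') or die('Wrong URL.');

// --- Unsafe pattern the post warns against: raw request data into SQL ---
// $id    = $_GET['id'];     // untyped, unchecked
// $title = $_POST['title']; // unbounded, unescaped
// $sql   = "SELECT * FROM sed_notes WHERE note_id = $id AND note_title = '$title'";
// Whatever the user typed becomes part of the query text.

// --- Safe pattern: sed_import() with an explicit filter and max length ---
// 'G' = $_GET, 'P' = $_POST; 'INT' accepts only an integer, 'TXT' is
// plain text limited here to 255 characters.
$id    = sed_import('id', 'G', 'INT');
$title = sed_import('title', 'P', 'TXT', 255);

// Integer IDs: cast to (int), so even a rejected/empty import becomes 0
// and only a number can reach the statement.
$id = (int) $id;

// Strings: escape with sed_sql_prep() and quote them in the statement.
$title_db = sed_sql_prep($title);

$sql = "SELECT note_id, note_title FROM sed_notes
        WHERE note_id = $id AND note_title = '$title_db' LIMIT 1";

// Core wrapper instead of mysql_query(): uses Cotonti's connection and
// its error handling.
$res  = sed_sql_query($sql);
$note = sed_sql_fetchassoc($res);

// Data read back from the database is still user-supplied: escape it
// before it goes into HTML output.
if ($note)
{
    echo htmlspecialchars($note['note_title'], ENT_QUOTES, 'UTF-8');
}
```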
tensh
#3 2009-05-21 18:15
Yes, indeed. I'd like to know not only security means, but also logic behind them, maybe with examples of bad use or what can happen if (something) won't be used.

Also, it would always help in safe plugin development.
I saw some plugins in your download section don't obey these rules.