Retired Documentation:  You are using the documentation for version 1.7.3 which was retired in 2013. Go here for the latest version documentation or check here for your available upgrades to the latest version.

Security Guidelines

Table of Contents

Guidelines

Cross Site Scripting (XSS)

Cross Site Scripting is a type of security vulnerability that allows code injection by malicious users onto a page. You can find some educational reading and examples on the following site: http://ha.ckers.org/xss.html

Cross Site Scripting should be taken very seriously as you would never want your add-on to be the source of an attack vector.

SQL Injection Prevention

SQL Injection is a special type of attack in which data is used in a query without being properly filtered, allowing a user to execute their own queries on the database. Example:

$evil = "brett'; DELETE FROM exp_members;"; $query = $DB->query("SELECT * FROM exp_members WHERE username='{$evil}'");

For more information, you can read MySQL's guide to SQL Injection security: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

Preferences and Settings

Tag Parameters

Secure Forms

To help prevent spam and protect against Cross-site Request Forgery (CSRF), ExpressionEngine has a "Secure Form" setting that uses a hash stored in the database tied to the IP address of the machine that the form was generated for. Here is how to make use of it.

Handling Form Submissions

Form submissions are the most common form of user input you will handle in your add-ons, so it is important to understand how to deal with them securely.

Filename Security

Typography Class

Use the Typography class whenever outputting blocks of content from user submitted data. It is regularly updated to improve security and performance, saving you both time and energy.

General Security Practice

Top of Page