2. AGENDA
❏ Importance of secure coding
❏ Database security
❏ Session hijacking
❏ Text security
❏ Cross-site scripting
❏ Safely impersonating another user
3. Why is secure coding important?
❏ Security isn’t an option
❏ Link in the chain on design security
❏ Security by obscurity is a myth
❏ Proactive prevention is more effective than reactive detection
❏ Hackers, crackers and attackers
4. Database Access
Bad practice
db_query('SELECT n.title FROM {node} n WHERE n.nid = ' . $_GET['nid']);
Good practice
[D7] db_query('SELECT n.title FROM {node} n WHERE n.nid = :nid', array(':nid' => $_GET['nid']));
[D8] Database::getConnection()->query('SELECT n.title FROM {node} n WHERE n.nid = :nid', [':nid' => $_GET['nid']]);
5. Dynamic queries
❏ If the query parts vary
❏ Select queries may be either static or dynamic
❏ To support multiple database servers easily
❏ Provides structural interface
❏ To enforce security checks
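The bullets above describe the dynamic query builder without showing it. The following is an added example, not code from the slides, of a Drupal 8+ dynamic select that varies its parts at runtime while keeping every value bound and every security tag in place. It assumes a bootstrapped Drupal site (so `\Drupal::database()` exists); the helper name `loadPublishedNodes()` and the allowlist of sort columns are ours.

```php
<?php
// Added example (not from the slides). Assumes a bootstrapped Drupal 8+ site.
// loadPublishedNodes() is a hypothetical helper name.

use Drupal\Core\Database\Connection;

/**
 * Returns [nid => title] for published nodes, optionally filtered by type.
 *
 * @param \Drupal\Core\Database\Connection $db
 *   The database connection, e.g. \Drupal::database().
 * @param string|null $type
 *   Optional content type machine name, possibly from untrusted input.
 * @param string $sort
 *   Requested sort column, possibly from untrusted input.
 * @param int $limit
 *   Maximum number of rows to return.
 */
function loadPublishedNodes(Connection $db, ?string $type = NULL, string $sort = 'title', int $limit = 50): array {
  $query = $db->select('node_field_data', 'n');
  $query->fields('n', ['nid', 'title']);

  // Values always travel as bound placeholders; the driver quotes them
  // correctly for MySQL, PostgreSQL or SQLite, so no manual escaping.
  $query->condition('n.status', 1);

  // The query parts vary: the type filter is only added when requested.
  if ($type !== NULL) {
    $query->condition('n.type', $type);
  }

  // Placeholders cannot bind identifiers (column names), so a user-chosen
  // sort column is validated against an allowlist instead of being escaped.
  $allowedSorts = ['title', 'created', 'changed'];
  if (!in_array($sort, $allowedSorts, TRUE)) {
    $sort = 'title';
  }
  $query->orderBy('n.' . $sort);

  // Enforce the security check: the node module's
  // hook_query_node_access_alter() implementation restricts the rows to
  // what the current user is allowed to view.
  $query->addTag('node_access');

  $query->range(0, $limit);

  return $query->execute()->fetchAllKeyed(0, 1);
}

// Usage inside a controller or service:
// $titles = loadPublishedNodes(\Drupal::database(), $_GET['type'] ?? NULL, $_GET['sort'] ?? 'title');
```

The two ideas to take away: `condition()` and `range()` bind values, so the concatenation problem from the previous slide cannot arise, and `addTag('node_access')` is what lets other modules add their access restrictions to a query they never see.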
11. Sanitization for backend use
Text Replacement
❏ @variable
$this->placeholderFormat('This will force HTML-escaping of the replacement value: @text', ['@text' => (string) $safe_string_interface_object]);
❏ %variable
$string = "%output_text";
$arguments = ['%output_text' => 'text output here.'];
$this->placeholderFormat($string, $arguments);
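To show the three placeholder kinds side by side, here is an added example (not from the slides) using `FormattableMarkup`, the class behind `t()` and the logger placeholders in Drupal 8+. It assumes the `Drupal\Component` classes are autoloadable; the function name `renderGreeting()` and the sample input values are ours.

```php
<?php
// Added example (not from the slides). Assumes Drupal\Component is
// autoloadable; renderGreeting() is a hypothetical helper name.

use Drupal\Component\Render\FormattableMarkup;
use Drupal\Component\Utility\Html;

/**
 * Builds a greeting from untrusted values using the three placeholder kinds.
 */
function renderGreeting(string $name, string $role, string $url): string {
  $markup = new FormattableMarkup(
    'Hello @name, you are logged in as %role. <a href=":url">Continue</a>',
    [
      // @: HTML-escaped, unless the value implements MarkupInterface
      //    (already-safe markup), in which case it is inserted as-is.
      '@name' => $name,
      // %: escaped like @ and then wrapped in <em class="placeholder">.
      '%role' => $role,
      // :: escaped and dangerous protocols (javascript:, data:, ...) stripped,
      //    so it is the right choice for attribute values holding URLs.
      ':url' => $url,
    ]
  );
  return (string) $markup;
}

/**
 * Equivalent manual escaping for a single value, for comparison.
 */
function escapePlain(string $value): string {
  return Html::escape($value);
}

// Usage with constructed, deliberately hostile input:
// echo renderGreeting('<script>alert(1)</script>', 'editor', 'javascript:alert(1)');
```

With the constructed input above, the `<script>` tag is emitted as entity-encoded text rather than markup, and the `javascript:` scheme is removed from the `href` before the string is rendered. The same rules apply to `$this->t()` and `\Drupal::logger()` messages, which pass their arguments through this class.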
16. Drupal 7
global $user;
$original_user = $user;
// Stop Drupal from writing the temporarily switched user into the session.
$old_state = drupal_save_session();
drupal_save_session(FALSE);
$user = user_load(1);
// Take your action here
// Restore the original user and session behaviour.
$user = $original_user;
drupal_save_session($old_state);
17. Drupal 8
$accountSwitcher = \Drupal::service('account_switcher');
$account = \Drupal\user\Entity\User::load(2);
$accountSwitcher->switchTo($account);
// Take your action here. If your code fails, then you should catch an
// exception and switch back (see below).
// Restore user account.
$accountSwitcher->switchBack();
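The slide notes that a failure inside the switched section must still switch back. The following is an added example (not from the slides) that wraps the Drupal 8+ account switcher in a `try`/`finally` so the original account is always restored. It assumes a bootstrapped Drupal site; the helper name `runAsUser()` is ours.

```php
<?php
// Added example (not from the slides). Assumes a bootstrapped Drupal 8+ site.
// runAsUser() is a hypothetical helper name.

use Drupal\Core\Session\AccountSwitcherInterface;
use Drupal\user\Entity\User;

/**
 * Runs $action as the given user and always restores the original account.
 *
 * @param int $uid
 *   The user ID to impersonate.
 * @param callable $action
 *   Code to run while switched; its return value is passed through.
 *
 * @return mixed
 *   Whatever $action returns.
 */
function runAsUser(int $uid, callable $action) {
  $account = User::load($uid);
  if ($account === NULL) {
    // Fail before switching so we never run with an unexpected account.
    throw new \InvalidArgumentException("No user with uid $uid.");
  }

  /** @var \Drupal\Core\Session\AccountSwitcherInterface $switcher */
  $switcher = \Drupal::service('account_switcher');
  $switcher->switchTo($account);
  try {
    return $action();
  }
  finally {
    // Runs on normal return and on exception alike, so the rest of the
    // request never continues with the impersonated account.
    $switcher->switchBack();
  }
}

// Usage:
// $count = runAsUser(2, function () {
//   return \Drupal::entityQuery('node')->accessCheck(TRUE)->count()->execute();
// });
```

The switcher keeps a stack of previous accounts, so `runAsUser()` calls can nest and each `finally` pops exactly the account its `switchTo()` pushed. Keep the switched section as small as possible and pass results out through the return value rather than leaving the switch open.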