Jakub Suchý's blog

Drupal security: Top 22 resources

Top 22 resources and links about Drupal security for coders, admins and management.

Developers

  1. Writing secure code - SQL security.
  2. Why does Drupal filter on output?
  3. User input - Cross Site Scripting - using check_plain/markup.
  4. Handling user input again - using placeholders for t(), user input in Forms.
Jakub Suchý

Jakub is owner and founder of Dynamite Heads. Jakub is a member of Drupal Security Team and supports Czech Drupal community at Drupal.cz

How to create content types / CCK programmatically in Drupal 6

How do you create content types and/or CCK fields in your module's install/update code? I actually found this how-to somewhere, but I keep looking for it all the time. Here it is:

Step 1

Click the content type in the UI and export it using the Content Copy module into a yourmodule.content.crud.inc file. Add <?php to the start of the file.

Step 2

Don't forget to add the proper dependencies to its .info file:

dependencies[] = content
dependencies[] = content_copy
dependencies[] = any_other_cck_modules

Programmatically enabling a theme in Drupal 6

Unfortunately, there is no API way to programmatically enable a theme in Drupal 6, so you have to use a direct query:

db_query("UPDATE {system} SET status = 1 WHERE type = 'theme' and name = '%s'", $theme);
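A complete version of this step, as an added example that is not code from the original post: it wraps the same UPDATE in a function that first checks the name belongs to a theme Drupal knows about, then performs the cache rebuilds the themes admin page performs after a status change. The %s placeholder is the security-relevant detail: db_query() escapes $theme rather than interpolating it into the SQL text. The example assumes a Drupal 6 bootstrap (for instance hook_install() or hook_update_N() of a module), so db_query(), system_theme_data(), list_themes(), system_initialize_theme_blocks(), variable_set(), menu_rebuild() and drupal_rebuild_theme_registry() are available; the function name example_enable_theme is made up.

```php
<?php
/**
 * Enable a Drupal 6 theme by machine name, optionally making it the default.
 *
 * Added example (not from the original post). Assumes a Drupal 6 bootstrap,
 * e.g. called from hook_install() or hook_update_N() of a module.
 *
 * @return bool TRUE if the theme was enabled, FALSE if no such theme exists.
 */
function example_enable_theme($theme, $make_default = FALSE) {
  // Rescan theme directories so a freshly deployed theme has a {system} row.
  system_theme_data();

  // Refuse anything that is not a known theme name. The placeholder below
  // already prevents SQL injection; this check stops typos and stray values
  // from silently updating no rows.
  $themes = list_themes(TRUE);
  if (!isset($themes[$theme])) {
    return FALSE;
  }

  // The %s placeholder makes db_query() escape $theme instead of
  // interpolating it into the SQL. That is the difference between this
  // query and an injectable "... name = '$theme'" string.
  db_query("UPDATE {system} SET status = 1 WHERE type = 'theme' AND name = '%s'", $theme);

  // Give the theme its initial block placement, as admin/build/themes does.
  system_initialize_theme_blocks($theme);

  if ($make_default) {
    variable_set('theme_default', $theme);
  }

  // Same cache rebuilds the themes admin form runs after a status change;
  // without them the old theme list and theme registry stay cached.
  list_themes(TRUE);
  menu_rebuild();
  drupal_rebuild_theme_registry();

  return TRUE;
}

// Usage, e.g. inside mymodule_install(); garland is the Drupal 6 core theme:
//   example_enable_theme('garland', TRUE);
```

If you only need the single UPDATE from the post, keep the placeholder form exactly as written; the extra calls here matter when the theme should actually render on the next request without someone visiting the themes page first.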

Drupal security: Using Suhosin to secure PHP installations

I am quite surprised about it, but not many people know the Suhosin extension, particularly shared web hosts and even administrators of dedicated web servers. Suhosin is a well-known PHP extension made by Stefan Esser, a PHP security researcher.

With any PHP software, you cannot protect yourself from inexperienced programmers creating errors in applications that lead to the most obvious security issues (insecure include() on user input, unprotected mail forms, etc.).

Upcoming Drupal events in London where you can meet DH

There are three upcoming Drupal events in London where you can meet me or Dynamite Heads:

Drupal Maintenance - speaking at!

Date: Thu, 26/11/2009 - 18:00 - 21:00

Many organisations put a lot of time and effort into the initial launch of a website, but give little thought to how it will be maintained once it goes live. Over the past 8 years the Drupal community has developed technologies and best practices for maintaining websites and keeping them secure, which we would like to share with you at this event.

Drupal daily popular content not cleared at midnight

I was just solving a problem for one of my friends, who had a weird situation with the Drupal statistics module:

His daily popular statistics block wasn't actually showing as "daily". Usually at 5pm, the statistics started to show zero values for today's top nodes.

What I found out is that the core (Drupal 6) statistics.module uses a typical programmer's approach to daily stats. What does it mean if you say "daily"? It means 24 hours = 3600 minutes = 86400 seconds.
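To make the difference concrete, here is an added example (not code from the original post, nor from statistics.module) that contrasts the two readings of "daily": a rolling 86400-second window, which can only reset at the first cron run after the window has expired, so every cron delay pushes the boundary a little later each day, and a calendar-day check, which resets at the first cron run on a new local date. The timestamps are constructed sample values and the function names are mine; date() and mktime() use PHP's configured default timezone.

```php
<?php
/**
 * Two readings of "reset the daily counters".
 *
 * Added example, not from the original post or from statistics.module.
 * date() and mktime() use PHP's configured default timezone.
 */

// Rolling window: reset once 86400 seconds have passed since the last reset.
// The reset only happens at the next cron run after the window expires, so
// any cron lateness is carried into the next day's boundary and accumulates.
function rolling_window_should_reset($last_reset, $now) {
  return ($now - $last_reset) >= 86400;
}

// Calendar day: reset at the first cron run whose local date differs from
// the date of the last reset, however late cron ran the day before.
function calendar_day_should_reset($last_reset, $now) {
  return date('Y-m-d', $now) !== date('Y-m-d', $last_reset);
}

// Timestamp of the next local midnight strictly after $now, useful if the
// reset time is stored once instead of recomputed on every cron run.
// mktime() normalises day + 1 across month ends and DST changes.
function next_local_midnight($now) {
  return mktime(0, 0, 0, date('n', $now), date('j', $now) + 1, date('Y', $now));
}

// Constructed scenario: the previous reset happened at 00:10 on 2009-11-26
// because cron ran ten minutes late; the next cron run is at 00:05 on
// 2009-11-27, i.e. on a new day but only 23h55m after the last reset.
$last_reset = mktime(0, 10, 0, 11, 26, 2009);
$cron_run   = mktime(0, 5, 0, 11, 27, 2009);

// Compare the two decisions for the same cron run, and show where the
// calendar-based boundary for the following day would fall.
var_dump(rolling_window_should_reset($last_reset, $cron_run));
var_dump(calendar_day_should_reset($last_reset, $cron_run));
echo date('c', next_local_midnight($cron_run)), "\n";
```

The scenario is deliberately built so that the two checks disagree on the same run: the rolling window still sees less than a full 86400 seconds, while the calendar check sees a new date. Repeated over weeks, that disagreement is how a "daily" reset ends up happening in the afternoon.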

Drupal Single Sign On demonstration

In the past months, I have been working hard on the Single Sign On module for Drupal. As a Drupal security team member, I stumbled upon the module while searching for an SSO solution for the Prima project.

The original Shared Sign-on module was considered critically insecure, so Steven Wittens from Strutta created a complete rewrite.

Webexpo Drupal business case study slides

I just gave a presentation at Webexpo about how Drupal is used on the iPrima site.

Please find a copy of the slides below.

Drawing random winners from quizzes: Drupal Quiz Raffle

The Drupal Quiz module allows administrators to create quizzes for users. Quizzes may include multiple questions of several types (selects, options, text fields, checkboxes). Every quiz is then rated based on the score of each question.

We needed to select random winners from quiz takers in order to simplify work for administrators. These are the requirements we had:

  • Easy raffle for each quiz
  • Some quizzes don't have random winners - ability to assign winners manually