Drupal Code Development Security Guidelines
This article was published in the print magazine Drupal Watchdog, Volume 6 Issue 3, , on page 9, by Linux New Media.
Sanitizing text to prevent cross-site scripting attacks is just one aspect of writing secure code in Drupal modules. One of the Drupal.org documentation pages delineates additional best practices — specifically, using the database abstraction layer to block SQL injection attacks (in code intended for Drupal 7+ and Drupal 6 or earlier), and abiding by node access restrictions through the use of the db_rewrite_sql() function. The page provides some example code for making your custom modules as bulletproof as possible, for those who are new to these important considerations.
