Drupal Code Development Security Guidelines
By Michael Ross
Sanitizing text to prevent cross-site scripting attacks is just one aspect of writing secure code in Drupal modules. One of the Drupal.org documentation pages delineates additional best practices: specifically, using the database abstraction layer to block SQL injection attacks (in code intended for Drupal 7+ and Drupal 6 or earlier), and abiding by node access restrictions through the use of the db_rewrite_sql() function. For those who are new to these important considerations, the page provides some example code for making your custom modules as bulletproof as possible.
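The two practices named above, sketched as an added example (this is not code from the Drupal.org page). The module name `mymodule` and its function names are hypothetical. The Drupal 7 variant uses the `node_access` query tag, which takes over the role that db_rewrite_sql() plays in Drupal 6 and earlier.

```php
<?php
/**
 * Added example for a hypothetical custom module named "mymodule".
 * It lists the published node titles of one author.
 */

// UNSAFE, shown only for contrast: the value is concatenated into the SQL
// string, and no node access check is applied to the result.
//   db_query("SELECT nid, title FROM {node} WHERE uid = " . $uid);

/**
 * Drupal 7+: the query builder binds $uid as a parameter, and the
 * 'node_access' tag makes Drupal restrict rows to nodes the current
 * user is allowed to view.
 */
function mymodule_titles_d7($uid) {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.uid', $uid)
    ->condition('n.status', 1)
    ->addTag('node_access')
    ->execute()
    ->fetchAllKeyed();  // array of nid => title
}

/**
 * Drupal 6 or earlier: the %d placeholder forces $uid to an integer, and
 * db_rewrite_sql() lets node access modules add their joins and conditions
 * (it expects the node table to be aliased as "n" by default).
 */
function mymodule_titles_d6($uid) {
  $sql = db_rewrite_sql("SELECT n.nid, n.title FROM {node} n WHERE n.uid = %d AND n.status = 1");
  $result = db_query($sql, $uid);
  $titles = array();
  while ($row = db_fetch_object($result)) {
    $titles[$row->nid] = $row->title;
  }
  return $titles;
}

// Titles are user-supplied text: pass each one through check_plain()
// before printing it in HTML.
```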
Copyright © 2016 Michael J. Ross. All rights reserved.