Developers Corner

10 Drupal Secure Coding Essentials

Aug. 27 2013
Achieve Internet

A quick guide for secure Drupal code. 

In todays cyber world online security is paramount.  Russia might be taking it to the extreme, but they have recently ordered typewriters for all classified internal memos. Drupal is an incredibly secure platforms. Many of our Drupal experts and veterans here at Achieve prefer Drupal to other proprietary or “closed” platforms because of this. However, vulnerabilities do present themselves, but often times these are due to a developers mis-steps. 

There are many other reasons we here at Achieve prefer Open Source platforms to “closed” systems, which we highlight in further detail here. In this past blog post I was not able to go into extensive detail on the security and privacy features that an Open Source Content Management System (CMS) can offer.  So I teamed up with one of our Lead Architects, Shawn Smiley, and we dove into the technical aspects of Drupal to share with you some of the standard security guidelines that should always be followed when engineering Drupal sites (in addition to the Drupal Security best practices we have implemented office wide for all of our work).

  1. Secure Code BaseALWAYS validate your input and the user providing the input before rendering it on a page or using it in a database query.
  2. NEVER concatenate variables in SQL statements, but rather ALWAYS use query parameters or placeholders via the Drupal DB API.
  3. ALWAYS prefer whitelist validation checks over blacklist.
    - Whitelist is a check for a known and expected valid value.
    - Blacklist is a check for a known invalid value.
  4. NEVER enable or use PHP Input Filters in content or Views.
  5. NEVER use eval () or drupal_eval().
  6. NEVER use $_GET/$_POST in Form API calls.
  7. Don’t place the Drupal tmp folder or private_files folder under the Drupal docroot.
  8. ALWAYS assume that the user or the integrity of the data you are working with is malicious until proven otherwise.  Use the guilty until proven innocent approach when thinking about what users are allowed to do as well as the integrity of the data.
  9. Use extreme care in crafting the content of drupal_set_message() to ensure you don’t expose sensitive information.
  10. Be paranoid!  Assume everything is malicious until proven otherwise.

We always strive to develop our code in the most secure way possible, strictly adhering to the industry standards.  All of our developers stay abreast of any new application risks and ways to mitigate them by following the Open Web Application Security Project (OWASP). You can get the full Secure Drupal Coding checklist by following this link, here.  If you need help with your Drupal environment or are in need of a Drupal development firm with the over 90,000 hours of secure Drupal development experience then let us know how we can help you. 

Additional security resources:

Follow the link below to get your copy of the list in a downloadable PDF for quick and easy reference. 


More about Developers Corner

API Documentation, API, Developer Portal
Below is a comparison of the features SmartDocs and Swagger UI offers out-of-the-box for the Drupal-based developer portal. The information here is to highlight the difference between two commonly used modules and to make it clear what could work best for your business.   
  Welcome Drupal 8.6! More change to the Drupal-verse landscape, and more new features to look forward to. This will obviously affect all current D8 users, but what should you look out for? Let's examine how it might impact your site and what unexpected issues may occur.