By ayaniv on
Hello,
I'm a fresh new user of Drupal.
What security issues does Drupal handle?
Is letting my visitors fill in a Drupal-based form secure?
Does Drupal have any kind of input check for the forms?
If not, can I add my own HTML form to an existing Drupal website, where I handle this myself?
What about Drupal's database, is it safe from web-form attacks?
Another question:
how can I import data into Drupal's database?
Comments
http://drupal.org/node/360052 is likely a good place to start reading. If you really want to get in depth, there's Cracking Drupal.
For your specific questions, there is a security team actively dealing with issues in the maintained versions of Drupal core (currently 5 & 6) as well as contributed modules. Letting users fill in a form is secure; it's what you do with the data afterwards that may be insecure. Drupal doesn't check on input but rather on output. The "input formats" really should be "output formats". You can add your own forms by using the forms API (aka FAPI) but getting into that is more than I can do here. I don't know of any way they could attack your database from within Drupal as long as you aren't letting folks write their own queries, including SQL injection. Importing data is a whole 'nother topic...
Michelle
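The three points in the answer above (queries go through db_query() placeholders, escaping happens on output rather than on input, and custom forms are built with FAPI) shown together in one small Drupal 6 module. This is an added example, not code from this thread or from Drupal core. The module name guestbook_example, the table guestbook_entry and its columns are assumptions made for the example; db_query(), db_fetch_object(), check_plain(), filter_xss(), drupal_get_form(), form_set_error(), drupal_strlen(), drupal_set_message() and t() are real Drupal 6 API functions.

```php
<?php
// guestbook_example.module (hypothetical module name), Drupal 6 API.
// Assumes a table guestbook_entry(gid serial, uid int, name varchar(64), body text)
// declared through hook_schema() in guestbook_example.install (not shown).

// --- Database: placeholders vs. string building -----------------------------

// VULNERABLE (for comparison only): the user's value is pasted into the SQL.
// A name of   x' OR '1'='1   changes the meaning of the query.
function guestbook_example_lookup_unsafe($name) {
  return db_query("SELECT gid, body FROM {guestbook_entry} WHERE name = '" . $name . "'");
}

// SAFE: db_query() casts %d to an integer and runs '%s' through
// db_escape_string() before substituting, so the value is always data.
function guestbook_example_lookup($name) {
  return db_query("SELECT gid, body FROM {guestbook_entry} WHERE name = '%s'", $name);
}

function guestbook_example_load($gid) {
  return db_fetch_object(db_query("SELECT gid, name, body FROM {guestbook_entry} WHERE gid = %d", $gid));
}

// --- Forms: build them with FAPI instead of hand-written HTML ---------------

function guestbook_example_menu() {
  $items['guestbook'] = array(
    'title' => 'Guestbook',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('guestbook_example_form'),
    'access arguments' => array('access content'),
  );
  return $items;
}

function guestbook_example_form() {
  $form['name'] = array('#type' => 'textfield', '#title' => t('Name'), '#required' => TRUE, '#maxlength' => 64);
  $form['body'] = array('#type' => 'textarea', '#title' => t('Message'), '#required' => TRUE);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Post'));
  return $form;
}

// FAPI only passes values for elements the form declared and, for logged-in
// users, checks a per-form token, so a hand-crafted POST cannot skip this.
// Validation is for your own rules; XSS and SQL safety do not happen here.
function guestbook_example_form_validate($form, &$form_state) {
  if (drupal_strlen($form_state['values']['body']) > 2000) {
    form_set_error('body', t('Message is too long.'));
  }
}

// Store the text exactly as typed: no escaping on input.
function guestbook_example_form_submit($form, &$form_state) {
  global $user;
  db_query("INSERT INTO {guestbook_entry} (uid, name, body) VALUES (%d, '%s', '%s')",
    $user->uid, $form_state['values']['name'], $form_state['values']['body']);
  // %name in t() is escaped (and emphasised); !name would not be escaped.
  drupal_set_message(t('Thanks, %name.', array('%name' => $form_state['values']['name'])));
}

// --- Output: escape at render time, according to where the text ends up ----

function guestbook_example_render($gid) {
  $entry = guestbook_example_load($gid);
  if (!$entry) {
    return '';
  }
  // check_plain() turns < > & " into entities: the name can only ever be text.
  $name = check_plain($entry->name);
  // filter_xss() keeps a whitelist of tags and strips on* attributes,
  // javascript: URLs and the like from the rest.
  $body = filter_xss($entry->body, array('a', 'em', 'strong', 'p'));
  return '<div class="guestbook-entry"><strong>' . $name . '</strong>' . $body . '</div>';
}
```

The stored value is the raw text, which is why the same entry can later be shown as plain text in one place and as limited HTML in another; the escaping function is chosen by the output context, not by what was typed in.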
But...
if Drupal won't check the inputs,
how can it handle SQL injection?
Thanks for your answer,
Yaniv
See http://drupal.org/node/10
See
http://drupal.org/node/101495
http://drupal.org/node/101496
If people provide you with links to explanations, it is considered common courtesy to read them.