When users interact with Drupal, it is typically through a series of forms, such as the node submission form or the comment submission form. Users might also post remotely to a Drupal-based blog using the blogapi module. Drupal's approach to user input can be summarized as store the original; filter on output. The database should always contain an accurate representation of what the user entered. As user input is being prepared to be incorporated into a web page, it is sanitized.
Security breaches can be caused when text entered by a user is executed inside your program. This can happen when you don't think about the full range of possibilities when you write your program. You might expect users to enter only standard characters, when in fact they could enter nonstandard strings, such as control characters. You might have seen URLs with the string %20 in them; for example, http://example.com/my%20document. html. This is a space character that has been encoded in compliance with the URL specification (see http ://www.w3 .org/ Addressing/URL/url-spec.html). When someone saves a file named my document.html and it's served by a web server, the space is encoded. The % denotes an encoded character, and the 20 shows that this is ASCII character 20. Tricky use of encoded characters by nefarious users can be problematic, as you'll see later in this chapter.
Was this article helpful?