CMS Made Simple™ Developer Resources

Module Security

Security is not optional. Every module that accepts user input, displays data, or interacts with the database must implement proper security measures. A single vulnerability in one module can compromise an entire CMSMS installation.

This chapter covers the security mechanisms CMSMS provides and how to use them correctly in your modules.

In This Chapter

The Golden Rules

  1. Never trust user input. All data from forms, URLs, cookies, and HTTP headers must be validated and sanitized.
  2. Escape all output. Any data displayed in HTML, JavaScript, or SQL must be properly escaped for its context.
  3. Check permissions on every admin action. Do not rely on navigation visibility alone.
  4. Use parameterized queries. Never concatenate user input into SQL strings.
  5. Protect forms with CSRF tokens. Use the built-in Smarty form plugins that handle this automatically.