"Cracking Drupal
is probably going to be
the first Drupal book I buy."
- Angie 'webchick' Byron
Appendix A, function reference, page 144 contains
db_query("SELECT name FROM {user} WHERE mail = %s", $tainted);
This should be:
db_query("SELECT name FROM {user} WHERE mail = '%s'", $tainted);
Note the quotes around %s.
Heine
Written by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal and how to prevent them from continuing.
Curious about Drupal's security? Consider Drupal but want to make sure it's good enough? Read the Drupal Security Report
If you are concerned about whether your site is secure, consider using the Security Review Module to get an initial sense. If you're looking for something much more in depth than a module or a book, Growing Venture Solutions offers a Security Review Service for Drupal Sites.