Security for template files in ProcessWire

While ProcessWire handles a lot of the common security considerations before your template files are even loaded, you should also follow security best practices within your template files as you would in any other PHP framework.

Your ProcessWire installation is only as secure as your template files. ProcessWire template files are PHP files, and anything that is possible in PHP is also possible in your template files.

If your template files deal with any kind of user input, they must sanitize and validate any user input. Never send any kind of user input directly to ProcessWire's API methods (other than those provided by $sanitizer) without first sanitizing it, and validating it where appropriate.

For example, here is something you don't want to do. This code block is sending the GET variable $text directly to a $pages->find() call, without sanitizing the value or even confirming that it was present:

// do not do this
$text = $input->get('text');
$items = $pages->find("body%=$text"); 

Here is the same example as above, but with sanitization (for use in a selector string) and confirmation that the value is present before attempting to use it:

$text = $sanitizer->selectorValue($input->get('text'));
if($text) {
  $items = $pages->find("body%=$text");
}

This is only a single ProcessWire-specific example, but the scope of PHP best practices for handling user input is outside the scope of this document. When in doubt, ask in our forums. If dealing with user input, get familiar with ProcessWire's built-in $sanitizer as well as general PHP data filtering and sanitization and other PHP security best practices, as your project scope and needs dictate.

Twitter updates

  • New post: This week we take a look at what’s in ProcessWire 3.0.126 which focuses largely on resolving issue reports, but also includes a handy new Page if() method— More
    15 February 2019
  • New post: ProcessWire 3.0.125 has several useful new Sanitizer methods & options, plus new ways to access them directly from the Input API variable. This makes handling user input even easier than before. Plus updates to our i18n functions & API docs— More
    25 January 2019
  • New post: In this week’s post, we’ll take a look a look at the new website and focus on some parts of it and how they were built. Then we’ll dive into the latest version of ProcessWire on the dev branch, version 3.0.124— More
    11 January 2019

Latest news

  • ProcessWire Weekly #249
    In the 249th issue of ProcessWire Weekly we're going to walk you through the latest core updates (ProcessWire 3.0.126), introduce a new third party module called Page Access Releasetime, and pick a new site of the week. Read on!
    Weekly.pw / 16 February 2019
  • ProcessWire 3.0.126 core updates
    This week we take a look at what’s in ProcessWire 3.0.126 which focuses largely on resolving issue reports, but also includes a handy new $page->if() method. 
    Blog / 15 February 2019
  • Subscribe to weekly ProcessWire news

“I am currently managing a ProcessWire site with 2 million+ pages. It’s admirably fast, and much, much faster than any other CMS we tested.” —Nickie, Web developer