Security for template files in ProcessWire

While ProcessWire handles a lot of the common security considerations before your template files are even loaded, you should also follow security best practices within your template files as you would in any other PHP framework.

Your ProcessWire installation is only as secure as your template files. ProcessWire template files are PHP files, and anything that is possible in PHP is also possible in your template files.

If your template files deal with any kind of user input, they must sanitize and validate any user input. Never send any kind of user input directly to ProcessWire's API methods (other than those provided by $sanitizer) without first sanitizing it, and validating it where appropriate.

For example, here is something you don't want to do. This code block is sending the GET variable $text directly to a $pages->find() call, without sanitizing the value or even confirming that it was present:

// do not do this
$text = $input->get('text');
$items = $pages->find("body%=$text"); 

Here is the same example as above, but with sanitization (for use in a selector string) and confirmation that the value is present before attempting to use it:

$text = $sanitizer->selectorValue($input->get('text'));
if($text) {
  $items = $pages->find("body%=$text");
}

This is only a single ProcessWire-specific example, but the scope of PHP best practices for handling user input is outside the scope of this document. When in doubt, ask in our forums. If dealing with user input, get familiar with ProcessWire's built-in $sanitizer as well as general PHP data filtering and sanitization and other PHP security best practices, as your project scope and needs dictate.

Twitter updates

  • Core version 3.0.137 on the dev branch adds the ability to hook multiple methods at once, in a single call. This post details how it works and provides a useful example of how you might put it to use in your development environment— More
    2 August 2019
  • ProcessWire 3.0.136 updates our CKEditor version and adds a new backtrace() method to the core Debug class— More
    26 July 2019
  • New post: A look at two new WireMail modules for sending email, plus details on how you can configure ProcessWire to use Gmail for sending email— More
    19 July 2019

Latest news

  • ProcessWire Weekly #274
    The 274th issue of ProcessWire Weekly introduces three new modules, covers the latest status update from Ryan, and features the newly released website of the Brightline Initiative. Read on!
    Weekly.pw / 10 August 2019
  • ProcessWire 3.0.137 core updates
    Core version 3.0.137 on the dev branch adds the ability to hook multiple methods at once, in a single call. This post details how it works and provides a useful example of how you might put it to use in your development environment. This version also refactors and improves upon several core classes.
    Blog / 2 August 2019
  • Subscribe to weekly ProcessWire news

“We were really happy to build our new portfolio website on ProcessWire! We wanted something that gave us plenty of control on the back-end, without any bloat on the front end - just a nice, easy to access API for all our content that left us free to design and build however we liked.” —Castus, web design agency in Sheffield, UK