Security for template files in ProcessWire

While ProcessWire handles a lot of the common security considerations before your template files are even loaded, you should also follow security best practices within your template files as you would in any other PHP framework.

Your ProcessWire installation is only as secure as your template files. ProcessWire template files are PHP files, and anything that is possible in PHP is also possible in your template files.

If your template files deal with any kind of user input, they must sanitize and validate any user input. Never send any kind of user input directly to ProcessWire's API methods (other than those provided by $sanitizer) without first sanitizing it, and validating it where appropriate.

For example, here is something you don't want to do. This code block is sending the GET variable $text directly to a $pages->find() call, without sanitizing the value or even confirming that it was present:

// do not do this: the raw GET value goes straight into the selector string,
// so any selector syntax the visitor types becomes part of the query
$text = $input->get('text');
$items = $pages->find("body%=$text"); 

Here is the same example as above, but with sanitization (for use in a selector string) and confirmation that the value is present before attempting to use it:

// selectorValue() escapes selector syntax and limits the length, so the value can only be matched as text
$text = $sanitizer->selectorValue($input->get('text'));
if($text) {
  // only query when a value was actually supplied
  $items = $pages->find("body%=$text");
}

This is only a single ProcessWire-specific example; the full range of PHP best practices for handling user input is outside the scope of this document. When in doubt, ask in our forums. If dealing with user input, get familiar with ProcessWire's built-in $sanitizer as well as general PHP data filtering and sanitization and other PHP security best practices, as your project scope and needs dictate.
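The following is an added example, not code from the ProcessWire documentation, that applies the validate-then-sanitize pattern above to a small search template file with more than one kind of input. It assumes it runs as a ProcessWire template file (so $input, $sanitizer and $pages are the usual API variables) and that the site has an "article" template with "body" and "category" fields; those names, and the query parameters q, category and sort, are illustrative assumptions.

```php
<?php namespace ProcessWire;
/**
 * Added example (not from the ProcessWire docs): a search template file that
 * validates and sanitizes each request value for the context it is used in,
 * before it reaches a selector string or the HTML output.
 * Assumed: ProcessWire template-file context; an "article" template with
 * "body" and "category" fields. All names are illustrative.
 */

// 1. Validate presence on the raw values first.
$rawQuery    = trim((string) $input->get('q'));
$rawCategory = $input->get('category');
$rawSort     = (string) $input->get('sort');

// 2. Sanitize each value for where it will be used.
// selectorValue() escapes selector syntax (commas, quotes, operators) and
// caps the length, so the term can only be matched as text and can never
// add or alter clauses in the selector.
$query = $sanitizer->selectorValue($rawQuery, 64);

// int() returns 0 for anything that is not a whole number, so junk input
// simply means "no category filter" rather than a broken selector.
$categoryId = $sanitizer->int($rawCategory);

// A value that must be one of a fixed set needs validation against an
// allow-list; sanitizing alone would still pass through a field name
// that does not exist.
$allowedSorts = ['title', '-modified', '-created'];
$sort = $sanitizer->name($rawSort);
if(!in_array($sort, $allowedSorts, true)) $sort = 'title';

// 3. Build the selector only from validated, sanitized parts.
$parts = ['template=article', 'limit=20', "sort=$sort"];
if($rawQuery !== '' && mb_strlen($rawQuery) >= 2) $parts[] = "title|body%=$query";
if($categoryId > 0) $parts[] = "category=$categoryId";

$selector = implode(', ', $parts);
// Run the query only when at least one filter was supplied.
$items = count($parts) > 3 ? $pages->find($selector) : $pages->newPageArray();

// 4. Escape on output: anything that came from the request is
// entity-encoded before it is placed in HTML.
$shownQuery = $sanitizer->entities($rawQuery);
echo "<h2>" . count($items) . " results for \"$shownQuery\"</h2>";
foreach($items as $item) {
  echo "<p><a href='{$item->url}'>" . $sanitizer->entities($item->title) . "</a></p>";
}
```

The presence check runs on the raw value rather than the sanitized one so that the decision "was a search term supplied" does not depend on how the sanitizer represents an empty value; the sanitized value is what actually enters the selector. Sanitizing and validating are kept distinct: selectorValue() and int() make values safe for a selector, while the allow-list for sort is a validation step that the sanitizer alone cannot provide.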
