Security for template files in ProcessWire

While ProcessWire handles a lot of the common security considerations before your template files are even loaded, you should also follow security best practices within your template files as you would in any other PHP framework.

Your ProcessWire installation is only as secure as your template files. ProcessWire template files are PHP files, and anything that is possible in PHP is also possible in your template files.

If your template files deal with any kind of user input, they must sanitize and validate any user input. Never send any kind of user input directly to ProcessWire's API methods (other than those provided by $sanitizer) without first sanitizing it, and validating it where appropriate.

For example, here is something you don't want to do. This code block is sending the GET variable $text directly to a $pages->find() call, without sanitizing the value or even confirming that it was present:

// do not do this
$text = $input->get('text');
$items = $pages->find("body%=$text"); 

Here is the same example as above, but with sanitization (for use in a selector string) and confirmation that the value is present before attempting to use it:

$text = $sanitizer->selectorValue($input->get('text'));
if($text) {
  $items = $pages->find("body%=$text");
}

This is only a single ProcessWire-specific example, but the scope of PHP best practices for handling user input is outside the scope of this document. When in doubt, ask in our forums. If dealing with user input, get familiar with ProcessWire's built-in $sanitizer as well as general PHP data filtering and sanitization and other PHP security best practices, as your project scope and needs dictate.

Twitter updates

  • Happy New Year! Today I’ve bumped the version on the dev branch to 3.0.170, and it’s quite a lot of updates. This post covers most of them. In this post, there’s also a question for you: what would you like to see in ProcessWire in 2021? More
    1 January 2021
  • In this week’s blog post we’ll take a brief look at a powerful new ProFields module for ProcessWire that’s just around the corner—the Combo field: More
    4 December 2020
  • There’s a new modules directory on the ProcessWire site now up and running. In this post we’ll cover a few details about what’s changed and what’s new—More
    20 November 2020

Latest news

  • ProcessWire Weekly #347
    In the 347th issue of ProcessWire Weekly we'll check out ProcessWire 3.0.170, introduce the PDF Fieldtype/Inputfield module, and more. Read on!
    Weekly.pw / 2 January 2021
  • ProcessWire 3.0.170 core updates
    Happy New Year! Today I’ve bumped the version on the dev branch to 3.0.170, and it’s quite a lot of updates. This post covers most of them. In this post, there’s also a question for you: what would you like to see in ProcessWire in 2021?
    Blog / 1 January 2021
  • Subscribe to weekly ProcessWire news

“Yesterday I sent the client a short documentation for their ProcessWire-powered website. Today all features already used with no questions. #cmsdoneright—Marc Hinse, Web designer/developer