ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

The active forums are here.

Web Security is a Three Edged Sword

May 15, 2009 6:14pm

  • #16 / May 31, 2009 1:48pm

    ruraldreams

    279 posts

    On that note, if you are giving untrusted people access to your site or SFTP account, create a temporary user for them, restrict access as much as possible, and remove their account when done.

    I’d suggest that if you are giving ANYONE temporary access, even someone you trust, lock that person out when they are done.  When something DOES go wrong, you then don’t even have to suspect them if you’ve locked them out—and sadly sometimes an exploiter is someone you’ve trusted.  This includes access to SFTP, phpMyAdmin, and your EE CP.

  • #17 / May 31, 2009 10:09pm

    ladams1949

    100 posts

    Thanks.  My question was more in the direction of whether EE truly checks all built-in module inputs for SQL injection attacks? It seems implied, but just wanted to check. Thanks.

  • #18 / May 31, 2009 10:38pm

    Derek Jones

    7561 posts

    > Thanks.  My question was more in the direction of whether EE truly checks all built-in module inputs for SQL injection attacks? It seems implied, but just wanted to check. Thanks.

    Yes, in first-party code, validating input, escaping data before using in queries, and cross-site scripting attack prevention among other things are the standard du jour.
