This module takes any form input on a Drupal site and strips NULL bytes from it, protecting against NULL byte poisoning.

This module is for you if you:

  • Want an added layer of security
  • Don't use any NULL bytes on purpose (which you don't)
  • Use any form of PHP built-in authentication such as LDAP

How to test:

  • Use NULL byte poisoning on a vulnerable website, e.g. with Tamper Data for Firefox
  • Install this module
  • Try again and fail to hack the website through NULL byte poisoning

Important note

This module only filters $form_state['values'] as it is the most common and effective attack vector for NULL byte poisoning. If, for some reason, you save data to or use data from other parts of the $form_state, it is not protected.
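
The scope described in the note above, as an added example that is not the module's own code: the function names are hypothetical and the $form_state contents are constructed sample data. It strips NULL bytes recursively from $form_state['values'] and shows that a copy of the same string held elsewhere in $form_state (here the raw 'input' key) is left untouched.

```php
<?php
// Added illustration, not the module's code. Function names are hypothetical.

/**
 * Recursively removes NULL bytes from every string in a nested array.
 */
function example_strip_null_bytes(array &$values) {
  array_walk_recursive($values, function (&$item) {
    if (is_string($item)) {
      $item = str_replace("\0", '', $item);
    }
  });
}

/**
 * Validate-handler shape used by Drupal 7 forms: only 'values' is cleaned.
 */
function example_form_validate($form, &$form_state) {
  if (isset($form_state['values']) && is_array($form_state['values'])) {
    example_strip_null_bytes($form_state['values']);
  }
}

/**
 * Returns TRUE when the string still contains a NULL byte.
 */
function example_has_null_byte($string) {
  return strpos($string, "\0") !== FALSE;
}

// Constructed sample: the same submitted string held in two parts of $form_state.
$form_state = array(
  'values' => array('name' => "alice\0", 'profile' => array('bio' => "a\0b")),
  'input' => array('name' => "alice\0"),
);
example_form_validate(array(), $form_state);

// Report which copies still contain a NULL byte after filtering.
$checks = array(
  "values['name']" => $form_state['values']['name'],
  "values['profile']['bio']" => $form_state['values']['profile']['bio'],
  "input['name']" => $form_state['input']['name'],
);
foreach ($checks as $label => $string) {
  echo $label . ': ' . (example_has_null_byte($string) ? 'NULL byte present' : 'clean') . "\n";
}
```

Code that reads submitted data from anywhere other than $form_state['values'] needs the same filtering applied before that data reaches authentication or storage.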

Project information

  • Minimally maintained
    Maintainers monitor issues, but fast responses are not guaranteed.
  • Maintenance fixes only
    Considered feature-complete by its maintainers.
  • Module categories: Security
  • Created by kristiaanvandeneynde on , updated
  • Stable releases for this project are covered by the security advisory policy.