I’m writing a Drupal module to integrate with a custom Java-based REST API for creating, authenticating, and managing user accounts. I’m using drupal_query_string_encode to encode the calls I’m making to the API.
Should I also use something like check_plain (or something else) to sanitize username, password, & email values before calling the API? I’m most concerned with getting the password handling right, since it would be difficult to change things once the code goes live and passwords are getting hashed.
If you are posting what the user entered to an external API, you shouldn’t be sanitizing anything in Drupal, but do it in the API instead, since that is what will be storing the data etc.
Sanitizing only make sense to prevent SQL injection or to remove unwanted HTML being displayed. So you should only use check_plain to remove HTML from text input by a user before dispayed and db_query to make you SQL queries safe by using placeholders.