Drupal 7 Module Development

Recommendations

Info

Filtering The following guidelines then should guide us as to how to properly screen incoming data: Appendix B • If we know in advance that a given piece of data is supposed to be numeric, and logically would not make sense otherwise, cast it to an integer or a float in order to filter out unsafe strings. • If we know in advance that there are a fixed number of possible values a piece of data could hold, outrightly reject any values that are not one of those on the allowed list. In most cases, Drupal's form API does this for us. • Do not filter out HTML tags when saving textual data to the database, as whether those tags are appropriate or not depends on where they get displayed later. • Treat any textual data, even if it comes from our own database, as unsafe until filtered at display time. Drupal provides a number of tools for filtering textual data. The most important are: • filter_xss() will strip out all HTML tags except those in a specified list. The default list is reasonably safe. • filter_xss_admin() is the same as filter_xss(), but with a very permissive tag list. It is best used for text that we know will only be entered by a trusted administrator. • check_markup() will filter a piece of text according to a specified set of filter rules, which are configured through the administrative UI as text formats. • check_plain() takes a more sledgehammer approach to a piece of text. Rather than removing untrustworthy HTML tags, it escapes all HTML tags so that they will appear literally in the browser. See below for more on escaping. Escaping HTML Escaping, by contrast, does not remove content from a piece of data but encodes it in a format that another system expects to avoid confusing that system. For instance, if we want to print HTML tags to the page such that the user can see them, we need to escape the < and > characters using HTML entity codes. The two most common systems that Drupal will be sending data to are an SQL database and the web browser, and both require different approaches. [ 377 ]
Security For output to the browser, check_markup() may be configured to escape HTML or other content. The check_plain() function takes a somewhat more sledge-hammer approach, escaping all HTML in a string so that it displays verbatim on the page for the user to see. SQL injection For writing to the database, Drupal's database layer is built on the concept of prepared statements. Prepared statements, among other things, cleanly separate the SQL query from the variable data in it. That allows the database server itself to sanely construct a query while escaping input itself, avoiding the common attack known as "SQL injection". For example, a value that contains an apostrophe causes a syntax error in an SQL statement (since single quotes have meaning in SQL) at best, or allows an arbitrary extra SQL query to sneak into the command at worst. To avoid that problem, never, ever put a variable into an SQL string directly. When writing a query against Drupal's database, always ensure that the query portion is a single string literal using placeholders and then provide values for the placeholders. Doing so will allow the database to separate the query template from the variable content and avoid SQL injection. If the query itself is variable, use the dynamic query builder, db_select(). SQL injection from badly written queries is the most common, and the most easily avoidable, form of security vulnerability. Node access control A particularly Drupal-specific security question is how to control access to nodes. While Drupal's permission system handles the common use case of globally-readable nodes and limited access to edit or delete nodes, there are plenty of cases where we need more complex access control. Drupal's node access system handles those cases, but it requires that we tie into it every time we look up nodes, that is, any time we run a query that tries to find records in the node table. Since there are so many varied situations where nodes could be used, such additional access checks can only be done at the database level, that is, in the query itself. Fortunately, Drupal allows modules to manipulate certain types of queries before they are executed to add any sort of filtering. In order to allow Drupal to modify our queries, we need to "tag" them appropriately. [ 378 ]
Page 1 and 2:
www.allitebooks.com
Page 3 and 4:
Drupal 7 Module Development Copyrig
Page 5 and 6:
Foreword Drupal has its roots in th
Page 7 and 8:
About the Authors Matt Butcher is a
Page 9 and 10:
Larry Garfield is a Senior Architec
Page 11 and 12:
John Albin Wilkins has been a web d
Page 13 and 14:
Jojodae Ganesh Sivaji has been invo
Page 15 and 16:
Why Subscribe? • Fully searchable
Page 17 and 18:
Table of Contents Tools for develop
Page 19 and 20:
Table of Contents A shortcut for sy
Page 21 and 22:
Table of Contents Using hook_node_a
Page 23 and 24:
Table of Contents Creating a task 3
Page 25 and 26:
Preface Chapter 5, Building an Admi
Page 27 and 28:
Preface The system for handling thi
Page 30 and 31:
Developing for Drupal 7 Drupal is a
Page 32 and 33:
However, what we do want to start w
Page 34 and 35:
The Operating System Chapter 1 Wind
Page 36 and 37:
Chapter 1 Drupal core is the founda
Page 38 and 39:
Chapter 1 The database We have take
Page 40 and 41:
Chapter 1 The responsibility of the
Page 42 and 43:
Chapter 1 While one could imagine t
Page 44 and 45:
Chapter 1 We assume that you have y
Page 46:
Chapter 1 The following are a few o
Page 49 and 50:
Creating Your First Module We are g
Page 51 and 52:
Creating Your First Module As obvio
Page 53 and 54:
Creating Your First Module By Drupa
Page 55 and 56:
Creating Your First Module The next
Page 57 and 58:
Creating Your First Module When Dru
Page 59 and 60:
Creating Your First Module Doxygen-
Page 61 and 62:
Creating Your First Module The help
Page 63 and 64:
Creating Your First Module Drupal s
Page 65 and 66:
Creating Your First Module Finally,
Page 67 and 68:
Creating Your First Module Here's o
Page 69 and 70:
Creating Your First Module ); } } r
Page 71 and 72:
Creating Your First Module Not in J
Page 73 and 74:
Creating Your First Module There ar
Page 75 and 76:
Creating Your First Module The exam
Page 77 and 78:
Creating Your First Module Setting
Page 79 and 80:
Creating Your First Module } ); pub
Page 81 and 82:
Creating Your First Module You migh
Page 83 and 84:
Creating Your First Module The repo
Page 85 and 86:
Drupal’s Theme Layer This book is
Page 87 and 88:
Drupal’s Theme Layer There are ac
Page 89 and 90:
Drupal’s Theme Layer Theme engine
Page 91 and 92:
Drupal’s Theme Layer Preprocess f
Page 93 and 94:
Drupal’s Theme Layer A Drupal the
Page 95 and 96:
Drupal’s Theme Layer The theme()
Page 97 and 98:
Drupal’s Theme Layer Now, if you
Page 99 and 100:
Drupal’s Theme Layer A similar pr
Page 101 and 102:
Drupal’s Theme Layer Now, that wa
Page 103 and 104:
Drupal’s Theme Layer • #suffix:
Page 105 and 106:
Drupal’s Theme Layer Two powerful
Page 107 and 108:
Drupal’s Theme Layer 'menu_tree__
Page 109 and 110:
Drupal’s Theme Layer If a functio
Page 111 and 112:
Drupal’s Theme Layer We've also s
Page 113 and 114:
Drupal’s Theme Layer Summary You'
Page 115 and 116:
Theming a Module After all, if you
Page 117 and 118:
Theming a Module * Enables a single
Page 119 and 120:
Theming a Module * First draft! * *
Page 121 and 122:
Theming a Module Theming a Drupal b
Page 123 and 124:
Theming a Module Converting a theme
Page 125 and 126:
Theming a Module if (is_array($elem
Page 127 and 128:
Theming a Module Notice that the .b
Page 129 and 130:
Theming a Module } $block['content'
Page 131 and 132:
Theming a Module } 'variables' => a
Page 133 and 134:
Theming a Module } // Theme the use
Page 135 and 136:
Theming a Module // Create links fo
Page 137 and 138:
Theming a Module } // Load the acco
Page 139 and 140:
Theming a Module * - $user: The use
Page 141 and 142:
Theming a Module Summary In this ch
Page 143 and 144:
Building an Admin Interface Startin
Page 145 and 146:
Building an Admin Interface $items[
Page 147 and 148:
Building an Admin Interface 'access
Page 149 and 150:
Building an Admin Interface Each ar
Page 151 and 152:
Building an Admin Interface Other p
Page 153 and 154:
Building an Admin Interface Each el
Page 155 and 156:
Building an Admin Interface Drupal
Page 157 and 158:
Building an Admin Interface This is
Page 159 and 160:
Building an Admin Interface Form su
Page 161 and 162:
Building an Admin Interface A short
Page 163 and 164:
Building an Admin Interface } retur
Page 165 and 166:
Building an Admin Interface PHP mai
Page 167 and 168:
Building an Admin Interface Impleme
Page 169 and 170:
Building an Admin Interface Debuggi
Page 171 and 172:
Building an Admin Interface This te
Page 174 and 175:
Working with Content Drupal 7 intro
Page 176 and 177:
Chapter 6 The Schema API allows dat
Page 178 and 179:
'fields' => array( 'aid' => array(
Page 180 and 181:
Chapter 6 'fieldable' => TRUE, 'ent
Page 182 and 183:
Chapter 6 The return value from the
Page 184 and 185:
Chapter 6 In our case, we defined t
Page 186 and 187:
Chapter 6 Most entity operations in
Page 188 and 189:
[ 165 ] Chapter 6 This callback sim
Page 190 and 191:
Chapter 6 This page will simply gen
Page 192 and 193:
Chapter 6 This hook defines a new f
Page 194 and 195:
Submit callback The submit callback
Page 196 and 197:
Chapter 6 // Save the initial revis
Page 198 and 199:
Chapter 6 Master/slave database con
Page 200 and 201:
Chapter 6 array($artwork->aid => $a
Page 202 and 203:
Chapter 6 'access arguments' => arr
Page 204 and 205:
Chapter 6 } foreach ($artworks as $
Page 206 and 207:
Creating New Fields In the last cha
Page 208 and 209:
Chapter 7 Although an advanced topi
Page 210 and 211:
Chapter 7 The most important magic
Page 212 and 213:
Chapter 7 } } '#type' => 'select',
Page 214 and 215:
Chapter 7 Exposing fields to the Fo
Page 216 and 217:
Chapter 7 $element['width'] = array
Page 218 and 219:
Chapter 7 if ($widget['type'] == 'd
Page 220 and 221:
Chapter 7 } return; 'field_ui_field
Page 222 and 223:
Chapter 7 } function theme_dimfield
Page 224 and 225:
Chapter 7 } '@height' => $item['hei
Page 226 and 227:
Chapter 7 } else if ($settings['uni
Page 228 and 229:
Chapter 7 We can, of course, have m
Page 230 and 231:
Chapter 7 To demonstrate how entity
Page 232 and 233:
[ 209 ] Chapter 7 Now look at that
Page 234 and 235:
Drupal Permissions and Security Per
Page 236 and 237:
Chapter 8 The preceding code checks
Page 238 and 239:
Chapter 8 If we had accidentally ru
Page 240 and 241:
Chapter 8 The user_access() functio
Page 242 and 243:
In the first case, Are we looking a
Page 244 and 245:
Chapter 8 Declaring your own access
Page 246 and 247:
} Chapter 8 'page callback' => 'exa
Page 248 and 249:
Chapter 8 if (!flood_is_allowed('co
Page 250 and 251:
[ 227 ] Chapter 8 Enabling permissi
Page 252 and 253:
Chapter 8 } $permissions = array( '
Page 254 and 255:
Chapter 8 This approach is the prop
Page 256 and 257:
Chapter 8 Running access checks on
Page 258 and 259:
Chapter 8 Handling AJAX callbacks s
Page 260 and 261:
Chapter 8 As a result, we cannot tr
Page 262 and 263:
Chapter 8 This allows us to pass a
Page 264 and 265:
Node Access Out-of-the-box, Drupal
Page 266 and 267:
Chapter 9 The Node Access API allow
Page 268 and 269:
* - "delete" * - "create" * @param
Page 270 and 271:
Chapter 9 if (!user_access('access
Page 272 and 273:
Chapter 9 } if (module_implements('
Page 274 and 275:
Chapter 9 hook_node_access() is the
Page 276 and 277:
Chapter 9 Note that the {node_acces
Page 278 and 279:
Chapter 9 The basic permission 'cre
Page 280 and 281:
Chapter 9 It is a good idea to writ
Page 282 and 283:
Chapter 9 On node listing pages, th
Page 284 and 285:
Chapter 9 Writing a complete node a
Page 286 and 287:
• Can this user bypass node acces
Page 288 and 289:
Chapter 9 For our test module, we w
Page 290 and 291:
Chapter 9 When hook_node_access_rec
Page 292 and 293:
Chapter 9 A few things to consider
Page 294 and 295:
Chapter 9 Security considerations T
Page 296 and 297:
Chapter 9 Rebuilding the {node_acce
Page 298 and 299:
Chapter 9 Using the new hook_node_a
Page 300 and 301:
Chapter 9 We may alter any element
Page 302 and 303:
Chapter 9 } // Check anonymous user
Page 304 and 305:
Chapter 9 // Check the permission.
Page 306 and 307:
Chapter 9 The key to Devel Node Acc
Page 308 and 309:
Chapter 9 In the preceding case, th
Page 310 and 311:
JavaScript in Drupal JavaScript is
Page 312 and 313:
Chapter 10 Adding JavaScript and CS
Page 314 and 315:
Chapter 10 When a JavaScript librar
Page 316 and 317:
The following code adds a system CS
Page 318 and 319:
Chapter 10 The second argument can
Page 320 and 321:
Chapter 10 From here onwards, when
Page 322 and 323:
Chapter 10 If a renderable array is
Page 324 and 325:
Chapter 10 Drupal specific JavaScri
Page 326 and 327:
Chapter 10 There are three ways var
Page 328 and 329:
Chapter 10 AJAX helpers Included in
Page 330 and 331:
The callback function hello_world_s
Page 332 and 333:
Chapter 10 Once the response is set
Page 334 and 335:
ajax_command_prepend To add content
Page 336 and 337:
Working with Files and Images Drupa
Page 338 and 339:
Chapter 11 It is very important tha
Page 340 and 341:
Chapter 11 In order to open files f
Page 342 and 343:
Chapter 11 Stream wrappers If you'v
Page 344 and 345:
Chapter 11 In some cases you may no
Page 346 and 347:
Chapter 11 A read-only stream wrapp
Page 348 and 349:
Chapter 11 } 'type' => STREAM_WRAPP
Page 350 and 351: Chapter 11 For full details of thes
Page 352 and 353: Chapter 11 After this setup, we sta
Page 354 and 355: Chapter 11 This is all very cool, b
Page 356 and 357: Chapter 11 This is where you can st
Page 358 and 359: Chapter 11 • form callback: If yo
Page 360 and 361: Chapter 11 Finally we can make the
Page 362 and 363: Chapter 11 Pretty cool right? Howev
Page 364 and 365: Chapter 11 As you can see, there is
Page 366 and 367: Installation Profiles This chapter
Page 368 and 369: Chapter 12 Profile modules and them
Page 370 and 371: Enabling modules Just like modules
Page 372 and 373: Chapter 12 • display_name: A huma
Page 374 and 375: Next, let's create a form to enter
Page 376 and 377: Chapter 12 Notice that $install_sta
Page 378 and 379: Chapter 12 Here, the task that sets
Page 380 and 381: Chapter 12 Each row being added to
Page 382 and 383: Chapter 12 // URL filter. 'filter_u
Page 384 and 385: Chapter 12 'locale' => 'en', ), //
Page 386 and 387: Database Access Although Drupal 7 h
Page 388 and 389: Appendix A Result objects The retur
Page 390 and 391: Appendix A The join() methods all r
Page 392 and 393: [ 369 ] Appendix A The db_insert()
Page 394 and 395: Appendix A A Merge query says, in e
Page 396 and 397: Appendix A Slave servers Drupal als
Page 398 and 399: Security Throughout this book, we h
Page 402 and 403: First, whenever we write a query ag
Page 404: Appendix B There are both RSS feeds
Page 407 and 408: ajax_command_alert command 309 ajax
Page 409 and 410: Drupal, subsytems blocks 20 code te
Page 411 and 412: form handling 229 forms access chec
Page 413 and 414: K key() method 371 L label property
Page 415 and 416: evision handling 175 revisions hand
Page 417 and 418: U unit test 49 update queries 370 u
Page 419 and 420: Drupal 7 ISBN: 978-1-84951-286-2 Pa
show all

Drupal 7 Module Development

Create successful ePaper yourself

Delete template?

Save as template?