Errata - Known errors in the manuscript

Report problems or discuss the book in the forum (registration required).

Page #65: SQL Statement is incorrect

You wrote:

db_query("SELECT title FROM node WHERE uid IN ($placeholders)", $uids);

but the correct statement is:

db_query("SELECT title FROM {node} WHERE uid IN ($placeholders)", $uids);

You've forgotten the curly braces.

Discuss unserializing user data, preg_* and /e

These seem to come up frequently enough that we should talk about them:

Discussion of t() is disjointed

From no warning label:

  • The book jumps around too much - especially by introducing the t() system without fully explaining it and then explaining it fully later.
  • Doesn't show how to exploit vulnerabilities enough - not technical enough.

FormAPI and Semantic Forgeries

It would be nice to go into more detail about semantic forgeries in the Form API.

  • It seems that a hidden value can be changed if the value of that hidden element is set with #default_value
  • If a user alters a select list or radios or checkbox they get an error - if they alter
  • A _submit function should only use values from $form_state['values'], not from $_POST and not from $form_state['clicked_button']['#post']

db_query bare %s

Appendix A, function reference, page 144 contains:

db_query("SELECT name FROM {user} WHERE mail = %s", $tainted);

This should be:

db_query("SELECT name FROM {user} WHERE mail = '%s'", $tainted);

Note the quotes around %s.
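
Why the page 65 and page 144 corrections matter, as an added example that is not code from the book or from Drupal: render_query() is a hypothetical, simplified stand-in for the way db_query() rewrites {table} names and substitutes %d and %s arguments, and it only builds the SQL string. The 'site1_' prefix, the sample values, the use of addslashes() in place of the database driver's escaping, and building $placeholders from %d are all assumptions.

```php
<?php
// Added illustration, not Drupal's code: render_query() is a hypothetical,
// simplified stand-in for how Drupal 6's db_query() builds the final SQL.
// It only returns the string; nothing is sent to a database.
function render_query($sql, array $args, $prefix = 'site1_') {
  // {table} gets the site's table prefix; a bare table name is left alone,
  // so it misses the prefix on a prefixed or shared-database install.
  $sql = strtr($sql, array('{' => $prefix, '}' => ''));
  // %d is cast to an integer. %s is only escaped (addslashes() stands in for
  // the database driver's escaping), which protects the value only when the
  // placeholder sits inside a quoted SQL string literal.
  return preg_replace_callback('/%d|%s|%%/', function ($m) use (&$args) {
    if ($m[0] === '%%') {
      return '%';
    }
    $arg = array_shift($args);
    return $m[0] === '%d' ? (string) (int) $arg : addslashes((string) $arg);
  }, $sql);
}

// Page 65: one %d per value (assumed), and braces around the table name.
$uids = array(1, 7, '12abc');  // constructed sample values
$placeholders = implode(',', array_fill(0, count($uids), '%d'));
echo render_query("SELECT title FROM node WHERE uid IN ($placeholders)", $uids), "\n";
echo render_query("SELECT title FROM {node} WHERE uid IN ($placeholders)", $uids), "\n";

// Page 144: the same constructed value through a bare %s and a quoted '%s'.
// It contains no quote characters, so escaping leaves it unchanged: bare, it
// is parsed as SQL operators; quoted, it stays a single string literal.
$tainted = '0 OR 1=1';
echo render_query("SELECT name FROM {user} WHERE mail = %s", array($tainted)), "\n";
echo render_query("SELECT name FROM {user} WHERE mail = '%s'", array($tainted)), "\n";
```

Run it with the PHP command-line interpreter and compare each pair of output lines: the only difference in the source is the braces in the first pair and the quotes in the second.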