Errata - Known errors in the manuscript

Report problems or discuss the book in the forum (registration required).

FormAPI and Semantic Forgeries

It would be nice to go into more detail about semantic forgeries in the Form API.

  • It seems that a hidden value can be changed if the value of that hidden element is set with #default_value
  • If a user alters a select list or radios or checkbox they get an error - if they alter
  • A _submit function should only use values from $form_state['values'], not from $_POST and not from $form_state['clicked_button']['#post']

db_query bare %s

Appendix A, function reference, page 144 contains


db_query("SELECT name FROM {user} WHERE mail = %s", $tainted);

This should be:


db_query("SELECT name FROM {user} WHERE mail = '%s'", $tainted);

Note the quotes around %s.
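As an added illustration (not code from the book or from Drupal core), the following PHP lints a Drupal 6 style query template for bare %s placeholders and emulates, in simplified form, how db_query() substitutes %s: the argument is escaped but never quoted, so the escaping only protects a value that sits inside a quoted literal. Function names are hypothetical and addslashes() stands in for db_escape_string().

```php
<?php
// Added example, not code from the book or from Drupal core.
// 1) A small lint for Drupal 6 style query templates that flags every %s
//    placeholder that is not wrapped in single quotes.
// 2) A simplified emulation of how Drupal 6's db_query() substitutes %s:
//    the argument is escaped (db_escape_string()) but no quotes are added,
//    so the escaping only protects the value inside a quoted literal.
// Function names are hypothetical; addslashes() stands in for db_escape_string().

// Return the byte offsets of %s placeholders that are not written as '%s'.
function bare_string_placeholders(string $sql): array {
    $bare = [];
    $offset = 0;
    while (($pos = strpos($sql, '%s', $offset)) !== false) {
        $before = $pos > 0 ? $sql[$pos - 1] : '';
        $after  = (string) substr($sql, $pos + 2, 1);
        if ($before !== "'" || $after !== "'") {
            $bare[] = $pos;
        }
        $offset = $pos + 2;
    }
    return $bare;
}

// Splice escaped arguments into the template the way Drupal 6 does for %s
// (simplified: %d, %f, %b and %% are not handled here).
function emulate_db_query_s(string $sql, string ...$args): string {
    return preg_replace_callback('/%s/', function () use (&$args) {
        return addslashes(array_shift($args));
    }, $sql);
}

// The two templates from the erratum, plus a constructed sample input that
// contains an apostrophe, which is exactly the character the escaping targets.
$bad     = "SELECT name FROM {user} WHERE mail = %s";
$good    = "SELECT name FROM {user} WHERE mail = '%s'";
$tainted = "o'brien@example.com";

foreach (['bad' => $bad, 'good' => $good] as $label => $sql) {
    $bare = bare_string_placeholders($sql);
    printf("%-4s template: %d bare %%s placeholder(s) at offset(s) [%s]\n",
           $label, count($bare), implode(', ', $bare));
    // Without quotes the escaped value lands in the statement as bare tokens,
    // not as a string literal; with quotes it is a well-formed literal.
    echo '     ', emulate_db_query_s($sql, $tainted), "\n";
}
```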

Heine

If passwords are weak, clear them in the script

The book explains that the password hashing in Drupal 6.x and earlier is weak, but then does not include the password hashes in the list of things to sanitize when sharing your database.

Feedback from Chris Shattuck

Chris Shattuck wrote a nice review that includes various bits of advice for improvement:

http://chrisshattuck.com/blog/book-review-cracking-drupal-greg-knaddison

Most notable:

  • Not enough coverage of form tokens and Ajax
  • More advice on SSL and mixed-mode SSL
  • Needs more humor (maybe)

Security problem with the listing on page 131

The code listing at the very bottom of the page (using node_access()) lacks the necessary call to check_plain() for the node title passed to drupal_set_message().