Errata - Known errors in the manuscript

Report problems or discuss the book in the forum (registration required).

Feedback from Chris Shattuck

Chris Shattuck wrote a nice review that includes various bits of advice for improvement:

http://chrisshattuck.com/blog/book-review-cracking-drupal-greg-knaddison

Most notable points:
* Not enough coverage of form tokens and Ajax
* More advice on SSL and mixed-mode SSL
* Needs more humor (maybe)

Security problem with the listing on page 131

The code listing at the very bottom of the page (the one using node_access()) lacks the necessary call to check_plain() on the node title it passes to drupal_set_message(). drupal_set_message() does not escape its argument, so the user-supplied title is emitted as raw HTML.

Correction in the code on page 130

In the listing for the function unvulnerable_show_me_the_data(), the first line of the function has a typo:

drupal_set_title(t('Searching for %suser-name', array('%user-name' => $user_search)));

The placeholder in the string passed to t() should be %user-name, matching the key in the arguments array, rather than %suser-name. As printed, t() finds no matching placeholder and the literal text %suser-name appears in the title instead of the escaped search term.
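The two corrections above (page 131's missing check_plain() and page 130's placeholder key) come down to the same rule: user-supplied strings must be escaped before drupal_set_message() or drupal_set_title() prints them, either explicitly with check_plain() or by letting t() do it through a @name or %name placeholder whose key matches the arguments array exactly. The following is an added example written against the Drupal 6 API, not a listing from the book; the function names, the $nid argument and the sample title are assumptions, and the functions are meant to live in a module that Drupal has bootstrapped.

```php
<?php
// Added example (not from Cracking Drupal): unsafe and safe ways to echo a
// node title through drupal_set_message() and t() on Drupal 6.
// Assumed: these functions sit in an enabled module, $nid is a node ID, and
// the node's title was set by an untrusted editor to something like
//   <script>alert(document.cookie)</script>   (constructed sample title)

/**
 * Unsafe. node_access() correctly gates who may see the node, but the title is
 * user-supplied and drupal_set_message() prints its argument as raw HTML, so
 * any markup in the title is rendered in every visitor's status box.
 */
function example_show_node_unsafe($nid) {
  $node = node_load($nid);
  if ($node && node_access('view', $node)) {
    drupal_set_message('You asked for ' . $node->title);
  }
}

/**
 * Safe. check_plain() converts <, >, &, " and ' to entities (and rejects
 * invalid UTF-8), so the title is displayed as text, not executed as markup.
 */
function example_show_node_safe($nid) {
  $node = node_load($nid);
  if ($node && node_access('view', $node)) {
    drupal_set_message('You asked for ' . check_plain($node->title));
  }
}

/**
 * Equivalent using t() placeholders. t() runs @name through check_plain() and
 * %name through check_plain() plus <em> wrapping; only !name is inserted raw,
 * so !name must never carry user input. The key in the array has to match the
 * placeholder in the string character for character: a mismatch such as
 * '%suser-name' versus '%user-name' leaves the literal placeholder in the
 * output and drops the value entirely.
 */
function example_show_node_t($nid) {
  $node = node_load($nid);
  if ($node && node_access('view', $node)) {
    drupal_set_message(t('You asked for %title', array('%title' => $node->title)));
  }
}

/**
 * The page 130 pattern, with the placeholder key spelled consistently.
 */
function example_set_search_title($user_search) {
  drupal_set_title(t('Searching for %user-name', array('%user-name' => $user_search)));
}
```

Prefer the t() form for anything a human reads: it gives translation and escaping in one step, and a reviewer can verify safety by checking that no !name placeholder receives untrusted data.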

Correction on page 118

On page 118 of the text:

"A user can just as easily request example.com/com/misc/drupal.js"

The example URL should be example.com/misc/drupal.js; the extra /com/ path segment is a typo.

Correction on page 37

On page 37 of Cracking Drupal, the "simple command to see if your site has changed" is listed as:
cd diff -up

The command should be:
cvs diff -up

cd is the shell's change-directory builtin and takes no such options; cvs diff -up compares the checked-out site against the CVS repository and prints a unified diff of any local modifications.