Errata - Known errors in the manuscript

Report problems or discuss the book in the forum (registration required).

Discussion of t() is disjointed

From no warning label:

  • The book jumps around too much - especially by introducing the t() system without fully explaining it and then explaining it fully later.
  • Doesn't show how to exploit vulnerabilities enough - not technical enough.

FormAPI and Semantic Forgeries

It would be nice to go into more detail about semantic forgeries in the Form API.

  • It seems that a hidden value can be changed if the value of that hidden element is set with #default_value
  • If a user alters a select list or radios or checkbox they get an error - if they alter
  • A _submit function should only use values from $form_state['values'], never from $_POST and never from $form_state['clicked_button']['#post'].
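As an added illustration of the three points above (not code from the book or from Drupal itself), here is a Drupal 6 form that carries a node ID through a round trip. The function names and form ID (errata_demo_*) are hypothetical; the Form API keys (#type 'value', #options, $form_state['values']) are the real Drupal 6 ones.

```php
<?php
// Added example, not from the book: Drupal 6 Form API and semantic forgeries.

function errata_demo_form(&$form_state, $node) {
  $form = array();

  // FORGEABLE: a hidden element with #default_value is only a pre-filled
  // input. Whatever the browser posts back replaces it, so the user can
  // submit any nid they like.
  // $form['nid'] = array('#type' => 'hidden', '#default_value' => $node->nid);

  // SAFE: a 'value' element never leaves the server. Form API copies it into
  // $form_state['values'] from the cached form definition, not from the POST,
  // so a client cannot alter it.
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);

  // Option elements (select, radios, checkboxes) are checked against
  // #options by Form API itself: a posted key that is not in the list fails
  // validation, so the submit handler may trust the key it receives.
  $form['visibility'] = array(
    '#type' => 'select',
    '#title' => t('Visibility'),
    '#options' => array('public' => t('Public'), 'private' => t('Private')),
    '#default_value' => 'private',
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

function errata_demo_form_submit($form, &$form_state) {
  // Read only from $form_state['values']: these have passed validation and,
  // for 'value' elements, never came from the client at all.
  $nid = $form_state['values']['nid'];
  $visibility = $form_state['values']['visibility'];

  // Never read the raw request instead; both of these bypass every check
  // Form API performed:
  // $nid = $_POST['nid'];
  // $nid = $form_state['clicked_button']['#post']['nid'];

  // %d casts to int, so the nid reaches the query as a number only.
  db_query("UPDATE {node} SET status = %d WHERE nid = %d",
    $visibility == 'public' ? 1 : 0, $nid);
}
```

The same protection holds for a hidden element whose value is set with #value rather than #default_value, because Form API keeps an explicit #value in preference to user input; #type 'value' simply makes the intent obvious and never renders the data into the page at all.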

db_query bare %s

Appendix A, function reference, page 144 contains:

db_query("SELECT name FROM {user} WHERE mail = %s", $tainted);

This should be:

db_query("SELECT name FROM {user} WHERE mail = '%s'", $tainted);

Note the quotes around %s.

Heine
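To make the erratum above concrete, here is an added example (not from the book or this errata page) showing why the quotes matter and how the other Drupal 6 placeholders behave. db_query(), db_fetch_object() and db_placeholders() are the real Drupal 6 API; the {users} table is Drupal's own; the sample input and the errata_* helper are constructed for illustration.

```php
<?php
// Added example, not from the book: Drupal 6 db_query() placeholders.

// Constructed sample input; in a real module this would come from the request.
$tainted = "alice@example.com";

// WRONG: bare %s. db_query() escapes quote characters inside the argument,
// but it does not add surrounding quotes, so the escaped value is spliced
// into the SQL as an unquoted token and the query's structure is no longer
// fixed by the template.
// db_query("SELECT name FROM {users} WHERE mail = %s", $tainted);

// RIGHT: the quotes are part of the template. The argument is escaped and
// substituted inside a string literal, so it can only ever be a string.
$result = db_query("SELECT name FROM {users} WHERE mail = '%s'", $tainted);

// Integers use %d, which casts the argument to int. No quotes are needed,
// and adding them would turn the number back into a string.
$uid = "42";  // constructed sample input
$account = db_fetch_object(
  db_query("SELECT uid, name FROM {users} WHERE uid = %d", $uid));

// Lists: db_placeholders() builds "%d, %d, %d" (or "'%s', '%s'" for the
// 'varchar' type) so every element goes through the same placeholder path.
$uids = array(1, 2, 3);
$placeholders = db_placeholders($uids, 'int');
$result = db_query("SELECT uid, name FROM {users} WHERE uid IN (" . $placeholders . ")", $uids);

// A quick review check for a module's query templates (hypothetical helper):
// a %s placeholder must have a quote character on both sides of it.
function errata_has_bare_string_placeholder($sql) {
  return preg_match("/(?<!')%s(?!')/", $sql) === 1;
}

// errata_has_bare_string_placeholder("... WHERE mail = %s")   -> TRUE  (bug)
// errata_has_bare_string_placeholder("... WHERE mail = '%s'") -> FALSE (ok)
```

The helper is a cheap grep-style check to run over a module's source, not a substitute for reading each query; it will not catch a %s that is quoted in the template but then concatenated into a larger string elsewhere.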

if passwords are weak, clear them in the script

The book explains that the password hash in 6.x and below is weak (an unsalted MD5), but then does not include the password column in the list of things to sanitize before sharing your database.
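An added example of what that sanitization step could look like (not code from the book): a throwaway script run from a Drupal 6 site root on a copy of the database, before that copy is handed to anyone. drupal_bootstrap(), user_password(), db_query() and the {users} and {sessions} tables are real Drupal 6 names; the script itself and the example.invalid addresses are assumptions for illustration.

```php
<?php
// Added example, not from the book: scrub credentials from a Drupal 6
// database copy before sharing it. Run from the site root against the COPY.

require_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

// Anonymous (uid 0) has no password or mail; every other account is rewritten.
$result = db_query("SELECT uid FROM {users} WHERE uid > %d", 0);
while ($row = db_fetch_object($result)) {
  // A fresh random password per account, hashed the way D6 stores it (MD5),
  // so the copy contains no hash that corresponds to any real user's password.
  $new_hash = md5(user_password(32));
  $fake_mail = 'user' . $row->uid . '@example.invalid';

  // Quoted '%s' for strings, %d for the integer uid (see the db_query erratum).
  db_query("UPDATE {users} SET pass = '%s', mail = '%s', init = '%s' WHERE uid = %d",
    $new_hash, $fake_mail, $fake_mail, $row->uid);
}

// Live sessions are credentials too: a copied session row would let the
// holder resume a logged-in session, so drop them all.
db_query("DELETE FROM {sessions}");

print "Sanitized passwords, e-mail addresses and sessions.\n";
```

Because the script writes random hashes rather than blanking the column, the copy still behaves like a normal site for testing (logins fail cleanly instead of tripping over empty values), and nothing in it can be cracked back to a password that exists on the production system.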

Feedback from Chris Shattuck

Chris Shattuck wrote a nice review that includes various bits of advice for improvement:

http://chrisshattuck.com/blog/book-review-cracking-drupal-greg-knaddison

Most notable:
* Not enough coverage of form tokens and Ajax
* More advice on SSL and mixed-mode SSL
* Needs more humor (maybe)