Errata - Known errors in the manuscript

Report problems or discuss the book in the forum (registration required).

Security problem with the listing on page 131

The code listing at the very bottom of the page (using node_access()) lacks the necessary call to check_plain() for the node title passed to drupal_set_message(). A node title is user-supplied, and drupal_set_message() does not escape its argument (it expects safe HTML), so passing the raw title lets anyone who can create content inject markup and script into the status messages of whoever triggers that code path.

Correction in the code on page 130

In the listing for the function unvulnerable_show_me_the_data(), the first line of the function has a typo:

drupal_set_title(t('Searching for %suser-name', array('%user-name' => $user_search)));

The placeholder in the string passed to t() should be %user-name, matching the key of the replacement array, not %suser-name. As printed, the placeholder is never substituted and the page title shows the literal text %suser-name instead of the search term.
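Both corrections above concern how untrusted strings reach Drupal output. The script below is an added example, not code from Cracking Drupal or from Drupal core: it reproduces the escaping rules of the Drupal 6 helpers check_plain() and t() as stand-alone PHP (named check_plain_stub() and t_stub() here) so the two problems can be run and compared without a Drupal install. The node title, the search string and the message wording are constructed, and the unescaped concatenation stands in for the page 131 listing, which this errata page does not reproduce.

```php
<?php
// Added example for the page 131 and page 130 errata. NOT code from
// Cracking Drupal or from Drupal core: a stand-alone stand-in that mimics
// the escaping rules of the Drupal 6 helpers check_plain() and t().
//
// Drupal 6 t() placeholder rules reproduced here:
//   !name  inserted raw (caller must already have escaped it)
//   @name  passed through check_plain()
//   %name  passed through check_plain() and wrapped in <em> (theme('placeholder'))

function check_plain_stub($text) {
  // Drupal 6 check_plain() is htmlspecialchars() with ENT_QUOTES on UTF-8.
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function t_stub($string, array $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '!':
        // Raw substitution: no escaping at all.
        break;
      case '@':
        $args[$key] = check_plain_stub($value);
        break;
      default:
        // '%' placeholders: escaped, then emphasised.
        $args[$key] = '<em>' . check_plain_stub($value) . '</em>';
    }
  }
  // As in Drupal 6: a placeholder with no matching key stays literal.
  return strtr($string, $args);
}

// Constructed input: a node title that anyone allowed to create content
// could set. drupal_set_message() stores its argument and the theme later
// prints it unescaped, so whatever reaches it must already be safe HTML.
$node_title = 'Annual report <script>alert(document.cookie)</script>';

// Page 131 problem, as assumed here: the title concatenated into the
// message with no escaping. The script tag survives into the status box.
$unsafe_message = 'Access granted to ' . $node_title;

// Two corrected forms: escape explicitly with check_plain(), or let a @ or
// % placeholder of t() do it. Never use a ! placeholder for untrusted text.
$safe_message_1 = 'Access granted to ' . check_plain_stub($node_title);
$safe_message_2 = t_stub('Access granted to @title', array('@title' => $node_title));

echo "unsafe:  $unsafe_message\n";
echo "safe 1:  $safe_message_1\n";
echo "safe 2:  $safe_message_2\n";

// Page 130 problem: the placeholder in the string does not match the key in
// the replacement array, so strtr() substitutes nothing and the reader sees
// the literal text "%suser-name" instead of the (escaped) search term.
$user_search = 'drupal <b>security</b>';
echo "typo:    " . t_stub('Searching for %suser-name', array('%user-name' => $user_search)) . "\n";
echo "fixed:   " . t_stub('Searching for %user-name',  array('%user-name' => $user_search)) . "\n";
```

Run it with php on the command line. The "unsafe" line prints the script tag intact, the two "safe" lines print it as &lt;script&gt;, the "typo" line prints "Searching for %suser-name" with no search term at all, and the "fixed" line prints the search term escaped and wrapped in <em>. In real module code the stub names are simply check_plain() and t().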

Correction on page 118

On page 118 of the text:

"A user can just as easily request example.com/com/misc/drupal.js"

The example URL should be: example.com/misc/drupal.js

Correction on page 37

On page 37 of Cracking Drupal, the "simple command to see if your site has changed" is listed as:
cd diff -up

The command should be:
cvs diff -up

(cd is the shell's change-directory builtin and takes no diff options; cvs diff -up compares the working copy against the repository and prints a unified diff.)