Drupal: developing a custom module, is this the correct approach?

Published 2024-10-19 10:42:35


Below is my Drupal custom module,

can you please confirm it,

is it the correct way of developing a custom module,

else please advise,

<?php
/**
*  Implementation of hook_form_alter().
*/
function register_form_alter(&$form, $form_state, $form_id) {
  switch($form_id) {
      case 'user_register': // the value we stole from the rendered form
        // your customizations go here
         // drupal_set_message('Hey, we\'ve tapped into this form!');
         $form['account']['bharani'] = array(
            '#title' => 'bharani',
            '#type' => 'textfield',
            '#description' => t(' bharanikumar custom field '),
          );
         $form['#submit'][] = 'register_submit_handler'; // Add this

      break;
  }
}

function register_submit_handler($form, &$form_state) {
  $value = $form_state['values']['bharani'];
  $mail = $_POST['mail'];
  $query  = "UPDATE users SET language='$value' WHERE mail='$mail'";
  db_query($query);
}


?>


Comments (1)

美人骨 2024-10-26 10:42:35


I will not answer the "correct way of developing the custom module" part of the question, but here is a note about the way you're doing your SQL query:

You are using this:

$value = $form_state['values']['bharani'];
$mail = $_POST['mail'];
$query  = "UPDATE users SET language='$value' WHERE mail='$mail'";
db_query($query);

With this, your code is subject to SQL injection: no matter what the users send into $_POST['mail'], it'll end up in the query, un-escaped!

With Drupal and db_query(), you should, instead, use something like this:

$value = $form_state['values']['bharani'];
$mail = $form_state['values']['mail'];
$query  = "UPDATE users SET language='%s' WHERE mail='%s'";
db_query($query, $value, $mail);

This way, Drupal will take care of the escaping, protecting you from SQL injection.
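Putting the answer's advice together, here is a complete hardened version of the module as an added example (not the poster's or the answerer's code). It assumes the Drupal 6 API that the %s placeholder style belongs to, a module named register as in the post, and that the field is meant to hold a language code; it adds a validate handler, reads the e-mail from the validated form values rather than $_POST, and uses {users} so Drupal can apply the configured table prefix.

```php
<?php
/**
 * Implementation of hook_form_alter() (Drupal 6 API assumed).
 * Module name assumed to be "register", as in the original post.
 */
function register_form_alter(&$form, $form_state, $form_id) {
  if ($form_id == 'user_register') {
    $form['account']['bharani'] = array(
      '#title' => t('bharani'),
      '#type' => 'textfield',
      '#description' => t('bharanikumar custom field'),
      '#maxlength' => 12,
    );
    // Validate the new field before the submit handler touches the database.
    $form['#validate'][] = 'register_validate_handler';
    $form['#submit'][] = 'register_submit_handler';
  }
}

/**
 * Reject anything that is not shaped like a language code (e.g. "en", "pt-br").
 * Assumption: the field is meant to feed the users.language column.
 */
function register_validate_handler($form, &$form_state) {
  if (!preg_match('/^[a-z]{2,3}(-[a-z]{2,4})?$/i', $form_state['values']['bharani'])) {
    form_set_error('bharani', t('Please enter a valid language code.'));
  }
}

/**
 * Submit handler: take the e-mail from the validated form values, never from
 * $_POST, and let db_query() escape both values through the %s placeholders.
 * {users} lets Drupal prepend the configured table prefix.
 */
function register_submit_handler($form, &$form_state) {
  $value = $form_state['values']['bharani'];
  $mail = $form_state['values']['mail'];
  db_query("UPDATE {users} SET language = '%s' WHERE mail = '%s'", $value, $mail);
}
```

On Drupal 7 and later the same call takes named placeholders instead (for example :mail passed in an array as the second argument), but the principle is identical: values never get concatenated into the SQL string.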
