[support] Referencing the body field

Shai Gluskin shai at content2zero.com
Fri Oct 9 12:06:50 UTC 2009


Emma,

What I meant is that other authenticated users shouldn't be able to input
php. Typically only user/1 would be able to enter php and even some people
recommend that the php input module be turned off and that all php should be
in the code base and not stored in the database.

So let's say you developed the site and then handed off the site to content
administrators, you wouldn't want those content administrators to be able to
edit fields that have the php input filter turned on. That means they
wouldn't have any editorial control over that node (other than editing the
contents of the embedded node) without contacting you. OR, you'd have to
give them permission to edit php filter-enabled nodes, and then you'd have
the vulnerability.

But if you are the sole editor of the site and you aren't planning on
creating other editor/admin roles, then the snippet approach is fine.

When developing a site it's always a good idea to think about maintenance of
the site and the future of the site even while you are building the site
now.

I was just on a webinar with Drupal security guru Greg Knaddison. One of the
things that his firm does is security audits of Drupal sites. He said that
the vast majority of the problems they find are with custom code. I know
those snippets that Luca shared are really basic. But one misplaced or
missing semi-colon can take down a site. I say, when there is a reasonable
alternative that can prevent you from writing code, even if you know how,
then you've made your site stronger and more maintainable.

Shai

On Fri, Oct 9, 2009 at 7:08 AM, Emma Badger <emma.badger at chocolateteapot.net> wrote:

> Thanks to both of you that answered.  I think option 1 is exactly what
> I want.
>
> I didn't quite understand this Shai.
> But if you take that approach you won't be able to give
> access to that node to non-dev site admins without making your site
> vulnerable.
>
> Anonymous users can see the content of the other node.  Or do you mean
> that anonymous users shouldn't be allowed to input php - if so, yes
> that's how I have it set up, and it's just me that will need this
> functionality.
>
> Thanks again.
>
> Emma
>
> On 9 Oct 2009, at 12:22, luca capra wrote:
>
> > in node1 body, with php filter
> > <?php
> >   // Load node 156 and output its body through that node's own input
> >   // format, so the markup is filtered instead of being echoed raw.
> >   $node2 = node_load(156);
> >   echo check_markup($node2->body, $node2->format, FALSE);
> > ?>
> >
> > or in template.php
> >
> > function YOURTHEME_preprocess_node(&$vars, $hook) {
> >   $nid = 1; // the nid of node container
> >   // only act on the container node's own page (node/1)
> >   if (arg(0) == 'node' && arg(1) == $nid) {
> >     $node2 = node_load(156);
> >     $vars['content'] .= check_markup($node2->body, $node2->format, FALSE);
> >   }
> > }
> >
> > (then clear the cache in admin/settings/performance)
> >
> > both should work.
> >
> >
> > Emma Badger ha scritto:
> >> I would like to include the content of the body field of node 156 in
> >> the body of another node using php.  Is this easy to do?
> >>
> >> Any help would be appreciated.
> >>
> >> Regards
> >>
> >> Emma
> >>
> >>
> > --
> > [ Drupal support list | http://lists.drupal.org/ ]
>
> --
> [ Drupal support list | http://lists.drupal.org/ ]
>
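The template.php approach Shai favours, worked out a little further as an added example that is not code from any of the posts above: the embedding logic lives in the theme, so no editor role needs the PHP input format, the embedded node is only shown to users who may view it directly, and its body goes through its own input format. It assumes Drupal 6 APIs (node_load, node_access, check_markup, variable_get); YOURTHEME is a placeholder theme name and the variable names yourtheme_container_nid and yourtheme_embedded_nid are hypothetical; nid 156 comes from the thread.

```php
<?php
// Added example (not from the thread). Drupal 6 template.php code that embeds
// the body of one node (156 in the thread) into the page of a "container"
// node, with all PHP kept in the code base rather than in the database.
// Assumed: Drupal 6 APIs node_load, node_access, check_markup, variable_get.
// YOURTHEME is a placeholder; the two variable names are hypothetical.

function YOURTHEME_preprocess_node(&$vars, $hook) {
  // Both node ids are read from Drupal variables (settable with
  // variable_set() or "drush vset"), so a content administrator can change
  // which nodes are involved without ever being granted the PHP filter.
  $container_nid = (int) variable_get('yourtheme_container_nid', 1);
  $embedded_nid  = (int) variable_get('yourtheme_embedded_nid', 156);

  // Only act on the full-page view of the container node, not on teasers
  // or listings that happen to include it.
  if (empty($vars['page']) || $vars['node']->nid != $container_nid) {
    return;
  }

  $embedded = node_load($embedded_nid);
  if (!$embedded) {
    return; // the embedded node no longer exists; render nothing extra
  }

  // Respect node access: a user who may not view node 156 on its own page
  // must not get its content through the container node either.
  if (!node_access('view', $embedded)) {
    return;
  }

  // Render the body with the embedded node's own input format, exactly as
  // node_view() does, so no raw HTML or PHP reaches the browser unfiltered.
  // The third argument (FALSE) skips the "may the current user use this
  // format" check, which is correct for displaying someone else's content.
  $vars['content'] .= check_markup($embedded->body, $embedded->format, FALSE);
}
```

After adding this to template.php, clear the theme registry at admin/settings/performance as Luca notes, then set the two variables once; from then on editors only need normal node edit permissions on the container node.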