[support] Referencing the body field

Emma Badger emma.badger at chocolateteapot.net
Fri Oct 9 12:11:03 UTC 2009


Yes, I see.

Thanks for your comments, I'll bear them in mind.

Thanks again for your help.

Regards

Emma

On 9 Oct 2009, at 13:06, Shai Gluskin wrote:

> Emma,
>
> What I meant is that other authenticated users shouldn't be able to  
> input php. Typically only user/1 would be able to enter php and even  
> some people recommend that the php input module be turned off and  
> that all php should be in the code base and not stored in the  
> database.
>
> So let's say you developed the site and then handed off the site to  
> content administrators, you wouldn't want those content  
> administrators to be able to edit fields that have the php input  
> filter turned on. That means they wouldn't have any editorial  
> control over that node (other than editing the contents of the  
> embedded node) without contacting you. OR, you'd have to give them  
> permission to edit php filter-enabled nodes, and then you'd have the  
> vulnerability.
>
> But if you are the sole editor of the site and you aren't planning  
> on creating other editor/admin roles, then the snippet approach is  
> fine.
>
> When developing a site it's always a good idea to think about  
> maintenance of the site and the future of the site even while you  
> are building the site now.
>
> I was just on a webinar with Drupal security guru Greg Knaddison.  
> One of the things that his firm does is security audits of Drupal  
> sites. He said that the vast majority of the problems they find are  
> with custom code. I know those snippets that Luca shared are really  
> basic. But one misplaced or missing semi-colon can take down a site.  
> I say, when there is a reasonable alternative that can prevent you  
> from writing code, even if you know how, then you've made your site  
> stronger and more maintainable.
>
> Shai
>
> On Fri, Oct 9, 2009 at 7:08 AM, Emma Badger <emma.badger at chocolateteapot.net> wrote:
> Thanks to both of you that answered.  I think option 1 is exactly what
> I want.
>
> I didn't quite understand this Shai.
> But if you take that approach you won't be able to give
> access to that node to non-dev site admins without making your site
> vulnerable.
>
> Anonymous users can see the content of the other node.  Or do you mean
> that anonymous users shouldn't be allowed to input php - if so, yes
> that's how I have it set up, and it's just me that will need this
> functionality.
>
> Thanks again.
>
> Emma
>
> On 9 Oct 2009, at 12:22, luca capra wrote:
>
> > in node1 body, with php filter
> > <?php
> >  $node2 = node_load(156);
> >  echo $node2->body;
> > ?>
> >
> > or in template.php
> >
> > function YOURTHEME_preprocess_node(&$vars, $hook){
> >  $nid = 1; // the nid of the container node
> >  // arg(0) is a string path component, so compare against the quoted 'node'
> >  if(arg(0)=='node' && arg(1)==$nid){
> >    $node2 = node_load(156);
> >    $vars['content'] .= $node2->body;
> >  }
> > }
> >
> > (then clear the cache in admin/settings/performance)
> >
> > Both should work.
> >
> >
> > Emma Badger wrote:
> >> I would like to include the content of the body field of node 156 in
> >> the body of another node using php.  Is this easy to do?
> >>
> >> Any help would be appreciated.
> >>
> >> Regards
> >>
> >> Emma
> >>
> >>
> > --
> > [ Drupal support list | http://lists.drupal.org/ ]

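An added example, not part of the original thread: one way to check the exposure Shai describes in the quoted reply, by listing which roles can use an input format that contains the PHP evaluator. It assumes the Drupal 6 layout of the {filter_formats} and {filters} tables; the sample rows, the role names and the function name php_format_exposure() are constructed for illustration.

```php
<?php
// Added example. Rows are constructed, shaped like Drupal 6's {filter_formats}
// and {filters} tables; on a live site they would be read with db_query().
$formats = array(
  array('format' => 1, 'name' => 'Filtered HTML', 'roles' => ',1,2,'),
  array('format' => 2, 'name' => 'Full HTML', 'roles' => ',3,'),
  array('format' => 3, 'name' => 'PHP code', 'roles' => ',3,4,'),
);
$filters = array(
  array('format' => 1, 'module' => 'filter', 'delta' => 0),
  array('format' => 2, 'module' => 'filter', 'delta' => 2),
  array('format' => 3, 'module' => 'php', 'delta' => 0), // PHP evaluator
);
// Constructed role table (rid => name); rids 3 and 4 are hypothetical roles.
$roles = array(1 => 'anonymous user', 2 => 'authenticated user',
               3 => 'developer', 4 => 'content admin');
$default_format = 1; // value of the filter_default_format variable

// Returns format name => role names that may submit PHP through that format.
function php_format_exposure($formats, $filters, $roles, $default_format) {
  $has_php = array();
  foreach ($filters as $f) {
    if ($f['module'] === 'php') {
      $has_php[(int) $f['format']] = TRUE;
    }
  }
  $report = array();
  foreach ($formats as $row) {
    $id = (int) $row['format'];
    if (empty($has_php[$id])) {
      continue;
    }
    if ($id === (int) $default_format) {
      // The default format is usable by every role, whatever 'roles' says.
      $report[$row['name']] = array_values($roles);
      continue;
    }
    $names = array();
    foreach (array_filter(explode(',', $row['roles']), 'strlen') as $rid) {
      $names[] = isset($roles[(int) $rid]) ? $roles[(int) $rid] : "unknown rid $rid";
    }
    $report[$row['name']] = $names;
  }
  return $report;
}

foreach (php_format_exposure($formats, $filters, $roles, $default_format) as $name => $who) {
  echo $name . ': ' . ($who ? implode(', ', $who) : 'no roles listed') . "\n";
}
```

Any role holding the "administer filters" permission can use every format regardless of the roles column, so that permission needs the same review.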