[support] Referencing the body field
Emma Badger
emma.badger at chocolateteapot.net
Fri Oct 9 12:11:03 UTC 2009
Yes, I see.
Thanks for your comments, I'll bear them in mind.
Thanks again for your help.
Regards
Emma
On 9 Oct 2009, at 13:06, Shai Gluskin wrote:
> Emma,
>
> What I meant is that other authenticated users shouldn't be able to
> input php. Typically only user/1 would be able to enter php and even
> some people recommend that the php input module be turned off and
> that all php should be in the code base and not stored in the
> database.
>
> So let's say you developed the site and then handed off the site to
> content administrators, you wouldn't want those content
> administrators to be able to edit fields that have the php input
> filter turned on. That means they wouldn't have any editorial
> control over that node (other than editing the contents of the
> embedded node) without contacting you. OR, you'd have to give them
> permission to edit php filter-enabled nodes, and then you'd have the
> vulnerability.
>
> But if you are the sole editor of the site and you aren't planning
> on creating other editor/admin roles, then the snippet approach is
> fine.
>
> When developing a site it's always a good idea to think about
> maintenance of the site and the future of the site even while you
> are building the site now.
>
> I was just on a webinar with Drupal security guru Greg Knaddison.
> One of the things that his firm does is security audits of Drupal
> sites. He said that the vast majority of the problems they find are
> with custom code. I know those snippets that Luca shared are really
> basic. But one misplaced or missing semi-colon can take down a site.
> I say, when there is a reasonable alternative that can prevent you
> from writing code, even if you know how, then you've made your site
> stronger and more maintainable.
>
> Shai
>
> On Fri, Oct 9, 2009 at 7:08 AM, Emma Badger <emma.badger at chocolateteapot.net> wrote:
> Thanks to both of you that answered. I think option 1 is exactly what
> I want.
>
> I didn't quite understand this Shai.
> But if you take that approach you won't be able to give
> access to that node to non-dev site admins without making your site
> vulnerable.
>
> Anonymous users can see the content of the other node. Or do you mean
> that anonymous users shouldn't be allowed to input php - if so, yes
> that's how I have it set up, and it's just me that will need this
> functionality.
>
> Thanks again.
>
> Emma
>
> On 9 Oct 2009, at 12:22, luca capra wrote:
>
> > in node1 body, with php filter
> > <?php
> > $node2 = node_load(156);
> > echo $node2->body;
> > ?>
> >
> > or in template.php
> >
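> > function YOURTHEME_preprocess_node(&$vars, $hook) {
> >   $nid = 1; // the nid of the container node
> >   // act only when the current path is node/<container nid>
> >   if (arg(0) == 'node' && arg(1) == $nid) {
> >     $node2 = node_load(156); // load the node to embed
> >     $vars['content'] .= $node2->body;
> >   }
> > }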
> >
> > (then clear the cache in admin/settings/performance)
> >
> > both should work.
> >
> >
> > Emma Badger wrote:
> >> I would like to include the content of the body field of node 156 in
> >> the body of another node using php. Is this easy to do?
> >>
> >> Any help would be appreciated.
> >>
> >> Regards
> >>
> >> Emma
> >>
> >>
> > --
> > [ Drupal support list | http://lists.drupal.org/ ]
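An added example, not part of the original thread: a `template.php` version of the code-base approach discussed above that checks view access and runs the embedded body through its input format before output. It assumes Drupal 6, a theme named `YOURTHEME`, and the nids used in the thread (container node 1, embedded node 156).

```php
<?php
/**
 * Added example for template.php (Drupal 6 assumed); not from the thread.
 * Appends the body of node 156 to the full-page view of node 1.
 */
function YOURTHEME_preprocess_node(&$vars, $hook) {
  $container_nid = 1;   // nid of the container node (from the thread)
  $embedded_nid = 156;  // nid of the node whose body is embedded

  // Act only on the full-page view of the container node.
  if (empty($vars['page']) || $vars['node']->nid != $container_nid) {
    return;
  }

  $embedded = node_load($embedded_nid);

  // node_load() returns FALSE for a missing node and does no access check,
  // so skip deleted nodes and nodes the current visitor may not view.
  if (!$embedded || !node_access('view', $embedded)) {
    return;
  }

  // After node_load() the body is the raw stored text. Run it through the
  // node's own input format, as node_view() would, rather than printing
  // it unfiltered. FALSE skips the "may this user author in this format"
  // check, which applies to editing, not to display.
  $vars['content'] .= check_markup($embedded->body, $embedded->format, FALSE);
}
```

With this in the theme, the container node needs no PHP input format, so content administrators can edit it without being granted permission to enter PHP.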