[support] PHP inside nodes?
Daniel Carrera
daniel.carrera at theingots.org
Fri Jan 29 23:48:22 UTC 2010
I want to make a form that points to a non-Drupal PHP script, but I want
to make reasonable efforts to ensure that the user is logged into Drupal
and that I record the Drupal user id when he submits the form.
I need PHP to get the Drupal user id.
I'm struggling to find a secure way to send the data. The data is not
secret, I just don't want the Drupal user id to be forged. So far what I
have in mind is to take the HMAC of the Drupal user id and a timestamp:
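<?php
// $user is Drupal's global object for the logged-in account
global $user;
// Data to authenticate: the Drupal user id and the current time
$data = ($user->uid) . ':' . time();
// 's3kr3T' is the secret shared with the receiving script
$hmac = hash_hmac('sha256', $data, 's3kr3T');
?>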
Then the receiving script can check that the timestamp is recent and the
data string and hmac match.
In practice, this should be enough, but I would still prefer to use
something that didn't rely on an expiring timestamp.
Anyways, this is actually going on a tangent. Even if I don't use any
HMAC at all, I still need Drupal just to get the Drupal user id.
Cheers,
Daniel.
Michael Scappa wrote:
> Pretty sure it has been this way for some time. It isn't something you
> want enabled unless you have a reason.
>
>> On Jan 29, 2010 5:58 PM, "Daniel Carrera"
>> <daniel.carrera at theingots.org>
>> wrote:
>>
>> Yeah. Thanks for the help anyways.
>>
>> The fact that the PHP module is disabled by default must be a new
>> feature/bug.
>>
>> Cheers,
>> Daniel.
>>
>>
>>
>> Marty Landman wrote:
>> > Sorry I didn't read that right.
>> >
>> > At 05:28 PM 1/29/2010, you wrote:
>> >> E...
>>
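
The receiving-side check described in the message above, as an added example that is not code from the thread. The function names, SHARED_KEY, MAX_AGE and the sample values are hypothetical, and hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example, not code from the thread. All names are hypothetical.
const SHARED_KEY = 'replace-with-a-long-random-key'; // constructed placeholder
const MAX_AGE = 300; // seconds a token stays valid (assumed window)

// Drupal side: build the two form values from the logged-in uid.
function make_token($uid, $now)
{
    $data = (int) $uid . ':' . (int) $now;
    return array($data, hash_hmac('sha256', $data, SHARED_KEY));
}

// Receiving script: return the uid if the token is authentic and fresh,
// or false otherwise. Compare the result with === false, since uid 0 is falsy.
function verify_token($data, $hmac, $now)
{
    if (!is_string($data) || !is_string($hmac)) {
        return false; // e.g. data[]=x arrives as an array
    }
    // Check the MAC before parsing, so unauthenticated input is never interpreted.
    $expected = hash_hmac('sha256', $data, SHARED_KEY);
    if (!hash_equals($expected, $hmac)) { // constant-time comparison
        return false;
    }
    if (!preg_match('/^(\d+):(\d+)$/D', $data, $m)) {
        return false;
    }
    $age = $now - (int) $m[2];
    if ($age < 0 || $age > MAX_AGE) {
        return false; // expired, or timestamped in the future
    }
    return (int) $m[1];
}

// Constructed sample: uid 42 signs at t=1264808902.
$t = 1264808902;
list($data, $hmac) = make_token(42, $t);
var_dump(verify_token($data, $hmac, $t + 60));            // genuine token, 60 s old
var_dump(verify_token('1:' . $t, $hmac, $t + 60));        // uid altered after signing
var_dump(verify_token($data, $hmac, $t + 3600));          // token an hour old
```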