Security and the global user object

I'm starting to go through the book Cracking Drupal by Greg Knaddison. The book is written primarily for developers and seems to cover a broad range of security topics specific to Drupal and lots of topics that apply to any web-based application.

Over the next week, I'll post some of the best gems I find in the book.

In this post, I'll share an issue I've seen a few times with the global user object.

When a user is logged into a site (or even if they are anonymous), their user information is stored in a global PHP variable called $user. If you're familiar with Drupal code at all, you've probably seen the global user object referenced in many functions, usually something like this:

<?php
function some_function() {
  global $user;
  // Do something
}
?>

As a global variable, the $user object can be easily accessed by any function.


RPX Module Features

RPX is a product from JanRain that enables websites to allow their users to register or log in using their accounts from popular 3rd party social services like Facebook, Twitter and Yahoo.

I began working on the RPX Module last summer in conjunction with some of the folks at JanRain who run the RPX service. Since that time we've made substantial progress, releasing the first full version in January.

Current Features

  • Easy RPX Registration: In order to use the RPX service with your site, you need to register an account and set up an API key for your site.

Drupal Security Review

Drupal is a very secure open source project. With thousands of eyes looking at the code, security holes get patched very quickly in the core Drupal project.

However, one of the primary ways of opening up your Drupal site to security vulnerabilities is through user error. No amount of code can prevent site administrators from doing stupid things like giving anonymous users permission to edit your blog posts.

Drupal upgrade script

EDIT: The script below has been updated to work with Drush 3.x. Those using previous versions of Drush will need to edit the script appropriately. The nature of the change was to use the new Drush 3.x standard of no spaces in command names, so "drush sql dump" was changed to "drush sql-dump".

Before using this script, make sure that all your contributed themes and modules are somewhere in the "sites/" directory. If they are in any other Drupal core directories, your modules and themes will be lost.

I run a handful of small Drupal sites that I can't afford to spend too much maintenance time on, but that still need to be updated with the occasional maintenance version of Drupal.

It can be quite time-consuming to manually update 4 or 5 sites each time a security release is published.

So, a couple of months ago I spent an afternoon writing a shell script to automate the whole task. With a little help from Drush, it turns a 10 or 15 minute maintenance task into about 10 or 15 seconds.

Here's what it looks like.

Using drush to load a database file

Note: Updated Dec. 5, 2011 to reflect the latest changes in drush commands.

I back up databases, sometimes several times a week, using drush.

$ drush sql-dump --result-file=backup.sql

(By the way, use the --result-file option instead of a shell redirect to avoid corrupting the character set of your data.)

However, when reloading a backup I would always use the mysql command directly because drush doesn't have an import command.

Mom and baby die, then both revive

I couldn't imagine losing my wife and new baby at the same time. Then getting them both back? What an emotional roller coaster ride for the dad.


Testing a few lines of PHP

Did you ever need to test just a few lines of PHP without wanting to bootstrap your entire script or application? Try using PHP's interactive shell on the command line using the -a option.


Making long SQL output easier to read

I've been doing a ton of MySQL work lately, migrating millions of records of content to a new Drupal platform.

One problem I ran into using the MySQL command-line client was trying to read the output of columns with long text content.


Altering urls in Drupal

One of the great things about Drupal's taxonomy system is that category lists are generated automatically, just by tagging your content. The taxonomy module creates a listing of the most recent nodes in each category using a path like taxonomy/term/23.

The Views module will allow you to override this default taxonomy listing and soup it up to your tastes.

Joining MySQL tables across multiple databases

I ran across a scenario today in which I needed to purge records from a table based on what was in a similar table in another database.

I had 2 user tables in different databases but the tables had some overlapping data.