Creating a Simple Database Module

The purpose of this article is to host, publish, and (minimally) document a simple database module. Steps are as follows:
  • Create table mbAttendees in the drupal database (use this script).
  • Create directory /drupal/sites/all/modules/custom/attendees and upload files attendees.info and attendees.module into directory attendees.
  • Enable the Attendees Module (Administer > Site building > Modules).
  • Test: Click the Add Attendee menu (link) along the left to add a new Attendee record, then click Show Attendees to see all the Attendees, including the one just added (visitors: feel free to do this!).
This topic is characteristic of our Drupal class at MATC (details below).

-- Mike Bertrand

PS: Drupal requires a web server, PHP, and MySQL (or other supported database). WAMP is a nice package providing these for Windows users (Windows - Apache Server - MySQL - PHP) and here are the directions for downloading and installing WAMP. The directions for downloading and installing Drupal itself on a local machine are here.


PPS: It was pointed out at the session that it is better to insert the record like this towards the end of the module:
    //$sInsert = "Insert into {mbAttendees} (name,zip,level) values ('$name','$zip','$level')";
    //drupal_set_message($sInsert);
    //$ret = db_query($sInsert);
    
    // Do it this way to defeat SQL injection.
    $sInsert = "Insert into {mbAttendees} (name,zip,level) values ('%s','%s','%s')";
    db_query($sInsert, $name, $zip, $level);
This parries SQL injection, where a malicious or unlucky user enters SQL fragments instead of bona fide data like a name. If engineered just right against the SQL in your code, such input can trick the database engine into executing unexpected or even damaging code. The parameterized version of db_query() generally reduces to the simpler version, except that certain characters like apostrophes are escaped. That way, whatever the user enters is passed on to the database verbatim as data rather than being read as SQL, so SQL trickiness is defeated. mysql_real_escape_string() in straight PHP does much the same. The writeup at Wikipedia is enlightening.

Escaping helps even with innocuous data like O'Brien, which interacts badly with a simple SQL insert statement if the apostrophe is not escaped (' is turned into \', which the database engine takes as a simple apostrophe, stripping off the backslash).
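
The difference between the two inserts can be seen in a stand-alone script. This is an added example, not code from the Attendees module: it assumes PHP with the pdo_sqlite extension and uses PDO prepared statements against an in-memory SQLite table in place of Drupal's db_query(), and the sample inputs are constructed.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for the Drupal database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mbAttendees (name TEXT, zip TEXT, level TEXT)');

// Unsafe: user input is pasted straight into the SQL text.
function insert_interpolated(PDO $db, $name, $zip, $level) {
  $sql = "INSERT INTO mbAttendees (name,zip,level) VALUES ('$name','$zip','$level')";
  try {
    $db->exec($sql);
    return 'ok';
  } catch (PDOException $e) {
    return 'error: ' . $e->getMessage();
  }
}

// Safe: placeholders keep the input out of the SQL text entirely.
function insert_parameterized(PDO $db, $name, $zip, $level) {
  $stmt = $db->prepare('INSERT INTO mbAttendees (name,zip,level) VALUES (?,?,?)');
  $stmt->execute(array($name, $zip, $level));
  return 'ok';
}

// Constructed sample inputs for the name field.
$samples = array(
  "O'Brien",                    // innocent apostrophe
  "Ann','53704','expert') --",  // quote closes the string early; the rest is read as SQL
);

foreach ($samples as $name) {
  echo "interpolated:  ", insert_interpolated($db, $name, '53704', 'beginner'), "\n";
  echo "parameterized: ", insert_parameterized($db, $name, '53704', 'beginner'), "\n";
}

// Show what actually landed in the table.
foreach ($db->query('SELECT name, zip, level FROM mbAttendees') as $row) {
  printf("[%s] [%s] [%s]\n", $row['name'], $row['zip'], $row['level']);
}
```

With the interpolated insert, O'Brien fails with a syntax error and the second input stores a level the form never submitted; the parameterized insert stores both names exactly as typed.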

Drupal Class at MATC

MATC's Drupal class takes up all aspects of Drupal Open Source development, starting with installation, configuration, and base features. Core functions and modules are addressed, including users, content types, themes, menus, and jQuery. Module development with PHP is the central topic, including use of the form API against MySQL. Students should be familiar with HTML and CSS and be ready to program in PHP. This course is a general elective for the Internet Developer Certificate, but interested special students are welcome.

  • Class: Drupal Development-IDC (152-187, class #64826)
  • Where: Madison Area Technical College, Truax campus
  • When: Tues-Thurs, 5:30 pm - 6:20 pm (lab the previous hour)
  • Starts: January 12, 2010
  • Ends: May 13, 2010
  • Cost: $336.75
  • Contact: Mike Bertrand

Pitching Drupal

Click "Read more" for my pitch from last summer for MATC to teach a Drupal class, something we started doing in August 2008. You never know in the IT business, but events seem to have confirmed the analysis. The first thing anyone should do who really wants to know what makes Drupal tick is to view principal Dries Buytaert's video from DrupalCon last March (2009) in Washington, DC. When I saw this video, I happened to be reading Ursula Le Guin's The Dispossessed, an epic novel about self-regulating communities with themes strikingly reminiscent of those Dries touched on.
