The purpose of this article is to host, publish, and (minimally) document a simple database module. Steps are as follows:
- Create table mbAttendees in the drupal database (use this script).
- Create directory /drupal/sites/all/modules/custom/attendees and upload files attendees.info and attendees.module into directory attendees.
- Enable the Attendees Module (Administer > Site building > Modules).
- Test: Click the Add Attendee menu (link) along the left to add a new Attendee record, then click Show Attendees to see all the Attendees, including the one just added (visitors: feel free to do this!).
This topic is characteristic of our Drupal class at MATC (details below).
-- Mike Bertrand
PS: Drupal requires a web server, PHP, and MySQL (or other supported database). WAMP is a nice package providing these for Windows users (Windows - Apache Server - MySQL - PHP) and here are the directions for downloading and installing WAMP. The directions for downloading and installing Drupal itself on a local machine are here.
PPS: It was pointed out at the session that it is better to insert the record like this towards the end of the module:
//$sInsert = "Insert into {mbAttendees} (name,zip,level) values ('$name','$zip','$level')";
//drupal_set_message($sInsert);
//$ret = db_query($sInsert);
// Do it this way to defeat SQL injection.
$sInsert = "Insert into {mbAttendees} (name,zip,level) values ('%s','%s','%s')";
db_query($sInsert, $name, $zip, $level);
This parries SQL injection, where a malicious or unlucky user enters SQL fragments instead of bona fide data such as a name; if engineered just right against the SQL in your code, those fragments can trick the database engine into executing unexpected or even damaging statements. The parameterized version of db_query() generally reduces to the simpler version, except that certain characters like apostrophes are escaped. That way, whatever the user enters reaches the database as data rather than as part of the SQL statement, so SQL trickiness is defeated.
mysql_real_escape_string() in straight PHP does much the same. The writeup at Wikipedia is enlightening.
Escaping helps even with innocuous data like O'Brien, which interacts badly with a simple SQL insert statement if the apostrophe is not escaped (' is turned into \', which the database engine takes as a simple apostrophe, stripping off the backslash).
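To see the O'Brien case and the placeholder fix side by side, here is an added example (not part of the module above) that uses Python's sqlite3 module as a stand-in for Drupal's db_query(): an in-memory mbAttendees table is constructed, the spliced-string insert is tried first, then the parameterized one. The zip and level values are made up.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the mbAttendees table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mbAttendees (id INTEGER PRIMARY KEY, name TEXT, zip TEXT, level TEXT)"
    )
    return conn


def insert_unsafe(conn, name, zip_code, level):
    # Mirrors the commented-out Drupal line: the values are spliced into the
    # SQL text, so an apostrophe in the data changes the statement itself.
    sql = "INSERT INTO mbAttendees (name, zip, level) VALUES ('%s', '%s', '%s')" % (
        name, zip_code, level)
    conn.execute(sql)


def insert_safe(conn, name, zip_code, level):
    # Mirrors db_query($sInsert, $name, $zip, $level): placeholders stay in the
    # SQL, the data is handed to the driver separately and never parsed as SQL.
    sql = "INSERT INTO mbAttendees (name, zip, level) VALUES (?, ?, ?)"
    conn.execute(sql, (name, zip_code, level))


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM mbAttendees ORDER BY id")]


def demo():
    conn = make_db()
    unsafe_ok = True
    try:
        insert_unsafe(conn, "O'Brien", "53704", "2")
    except sqlite3.OperationalError:
        # VALUES ('O'Brien', ...) is malformed SQL: the apostrophe ended the literal early.
        unsafe_ok = False
    insert_safe(conn, "O'Brien", "53704", "2")
    # The parameterized insert stores the apostrophe verbatim.
    return unsafe_ok, stored_names(conn)


if __name__ == "__main__":
    print(demo())
```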