Drupal Code: Day 2
  the good, the bad, and the nerdy
we join our cms,
already in progress
drupal core
coordinates




 http://www.flickr.com/photos/35104960@N00/509525572/
drupal
announces
events
hooks let
 modules
   listen
modules
  react
...and change
     behavior




     http://www.flickr.com/photos/spiicytuna/188111824
happy baby
   is happy
FormAPI
// FormAPI describes each element as a keyed array; the '#'-prefixed keys are
// element properties. Here: a required, resizable textarea titled "Your foo"
// with default text, and a collapsible fieldset that starts expanded
// ('#collapsed' is FALSE).
$form[‘foo’] = array(
   ‘#type’ => ‘textarea’,
   ‘#required’ => TRUE,
   ‘#title’ => t(‘Your foo’),
   ‘#default_value’ => “Some text…”,
   ‘#resizable’ => TRUE,
);
$form[‘bar’] = array(
   ‘#type’ => ‘fieldset’,
   ‘#title’ => t(‘Several bars’),
   ‘#collapsible’ => TRUE,
   ‘#collapsed’ => FALSE,
);
Drupal Development (Part 2)
// A multi-value select nested under the 'bar' element. The three choices are
// keyed 1-3, the default is key 2, and a weight of -10 is set on the element.
// NOTE(review): the handlers that consume this value should still treat it as
// user input; do not rely on the browser having offered only these options.
$form[‘bar’][‘baz’] = array(
   ‘#type’ => ‘select’,
   ‘#title’ => t(‘Baz in a bar’),
   ‘#options’ => array(
      1 => t(‘Option one’),
      2 => t(‘Option two’),
      3 => t(‘Option three’),
   ),
   ‘#multiple’ => TRUE,
   ‘#default_value’ => 2,
   ‘#weight’ => -10
);
Drupal Development (Part 2)
/**
 * Page callback: returns the result of drupal_get_form() for the form ID
 * 'mymodule_form', so the form goes through the standard FormAPI workflow
 * instead of being printed by hand.
 */
function mymodule_settings_page() {
  return drupal_get_form(‘mymodule_form’);
}

/**
 * Form builder for 'mymodule_form'.
 *
 * @return
 *   A form array with one textarea ('foo') and a submit button.
 */
function mymodule_form() {
  $form[‘foo’] = array(
    ‘#type’ => ‘textarea’,
    ‘#title’ => t(‘Your foo’),
    ‘#default_value’ => t(‘Enter your text here…’),
  );
  $form[‘submit’] = array(
    ‘#type’ => ‘submit’,
    ‘#value’ => t(‘Pity the foo’),
  );
  return $form;
}
/**
 * Page callback (same listing as the previous slide): hands the form ID
 * 'mymodule_form' to drupal_get_form() and returns the result.
 */
function mymodule_settings_page() {
  return drupal_get_form(‘mymodule_form’);
}

/**
 * Form builder (same listing as the previous slide).
 *
 * @return
 *   A form array with one textarea ('foo') and a submit button.
 */
function mymodule_form() {
  $form[‘foo’] = array(
    ‘#type’ => ‘textarea’,
    ‘#title’ => t(‘Your foo’),
    ‘#default_value’ => t(‘Enter your text here…’),
  );
  $form[‘submit’] = array(
    ‘#type’ => ‘submit’,
    ‘#value’ => t(‘Pity the foo’),
  );
  return $form;
}
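/**
 * Implements hook_form_alter().
 *
 * Changes another module's form ('yourmodule_form'): removes one of its
 * fields, adds a textarea, and registers extra validation and submit handlers.
 *
 * @param $form
 *   The form array. Taken by reference: with a by-value parameter every change
 *   below, including the added validation handler, is made on a copy and
 *   silently discarded.
 * @param $state
 *   The current form state.
 * @param $id
 *   The ID of the form being built.
 */
function mymodule_form_alter(&$form, &$state, $id) {
  if ($id === 'yourmodule_form') {
    unset($form['your_field']);

    $form['my_extra_field'] = array(
      '#type' => 'textarea',
      '#title' => t('THIS field is mine.'),
      '#weight' => -10,
    );

    // Appended with [] so handlers already registered on the form still run.
    $form['#validate'][] = 'my_validation_code';
    $form['#submit'][] = 'my_submit_code';
  }
}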
/**
 * Validation handler for 'mymodule_form'.
 *
 * Reads the submitted value of 'foo' from the form state and flags the field
 * with form_set_error() when it equals 'Yo Momma'. The comparison uses ==,
 * i.e. PHP's loose equality.
 */
function mymodule_form_validate($form, &$state) {
  if ($state[‘values’][‘foo’] == ‘Yo Momma’) {
    form_set_error(‘foo’, t(‘Show some respect.’));
  }
}

/**
 * Submit handler for 'mymodule_form'.
 *
 * Stores the submitted 'foo' value under the variable name 'my_foo'.
 * NOTE(review): the value is stored exactly as submitted, so whatever prints
 * 'my_foo' later has to escape or filter it at output time.
 */
function mymodule_form_submit($form, &$state) {
  variable_set(‘my_foo’, $state[‘values’][‘foo’]);
}
Key Pieces

• Form ID
• Form Builder function
• Validation functions
• Submission functions
• “Form State”
happy baby
   is happy
best practices
best practices
theme()
/**
 * Hand-built HTML version of the page; presumably the "before" example that
 * the theme() slides replace.
 *
 * $record->name is concatenated into the markup without any escaping, so a
 * name containing HTML is emitted as HTML (an XSS risk if names come from
 * users). The markup is also fixed in code, where a theme cannot override it.
 * NOTE(review): the first assignment has no terminating ';' on the slide.
 */
function build_my_page() {
  $output = ‘<h3>My stuff</h3>'
  $records = get_records();
  $output .= ‘<ul>’;
  foreach ($records as $record) {
    $output .= “<li>”. $record->name .”</li>”;
  }
  $output .= ‘</ul>’;
  return $output;
}
/**
 * Hand-built HTML version of the page (same listing as the previous slide).
 *
 * $record->name goes into the markup unescaped, so the output is only as safe
 * as the stored names.
 * NOTE(review): the first assignment has no terminating ';' on the slide.
 */
function build_my_page() {
  $output = ‘<h3>My stuff</h3>'
  $records = get_records();
  $output .= ‘<ul>’;
  foreach ($records as $record) {
    $output .= “<li>”. $record->name .”</li>”;
  }
  $output .= ‘</ul>’;
  return $output;
}
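/**
 * Builds the "My stuff" page through the theme layer.
 *
 * @return
 *   The record names rendered by theme('item_list') under a translated title.
 */
function build_my_page() {
  // Start from an empty list so theme() still gets an array when
  // get_records() returns nothing.
  $items = array();
  foreach (get_records() as $record) {
    // The slide read $records->name (the collection) instead of the current
    // $record. The item list prints each item as given, so the name is
    // escaped here; this assumes name is plain text, not prepared markup.
    $items[] = check_plain($record->name);
  }
  return theme('item_list', $items, t('My stuff'));
}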
/**
 * Implements hook_theme().
 *
 * Declares one theme hook, 'mymodule_data', with two arguments and their
 * defaults: 'data' (NULL) and 'option' (TRUE).
 */
function mymodule_theme() {
  return array(
    'mymodule_data' => array(
      'arguments' => array(
        'data' => NULL,
        'option' => TRUE)));
}

/**
 * Default implementation of the 'mymodule_data' theme hook.
 *
 * Wraps $data->foo in <em> and, when $option is truthy, appends $data->bar in
 * <b>.
 * NOTE(review): both properties are printed as-is. If they can hold
 * user-supplied text they need check_plain() or filter_xss() before they are
 * concatenated; confirm what the callers pass in.
 */
function theme_mymodule_data($data, $option) {
   $output = ‘<em>’. $data->foo .’</em>’;
   if ($option) {
     $output .= ‘ <b>’. $data->bar .’</b>’;
   }
  return $output;
}
use theme() for
    all html
db_query()
/**
 * String-built query; presumably the "before" example that the db_query()
 * slide replaces.
 *
 * $username is interpolated directly into the SQL text, so its content becomes
 * part of the statement: this is the SQL injection pattern. The function also
 * calls mysql_query() itself and hard-codes the table name 'users', bypassing
 * Drupal's database layer.
 */
function get_my_data($username) {
  $sql = “SELECT * FROM users “;
  $sql .= “WHERE name = ‘$username’”;
  $results = mysql_query($sql);
  return $results;
}
/**
 * String-built query (same listing as the previous slide).
 *
 * $username lands inside the SQL string unescaped, so a crafted value changes
 * the statement itself (SQL injection).
 */
function get_my_data($username) {
  $sql = “SELECT * FROM users “;
  $sql .= “WHERE name = ‘$username’”;
  $results = mysql_query($sql);
  return $results;
}



/**
 * Looks up rows in the users table by name through db_query().
 *
 * The SQL text is a constant: the table name is written as {users} and the
 * value position is a '%s' placeholder. $username is passed as a separate
 * argument, so db_query() escapes it before substitution instead of the
 * caller pasting it into the string.
 * NOTE(review): SELECT * returns every column of the row; select only the
 * columns the caller needs.
 */
function get_my_data($username) {
  $sql = “SELECT * FROM {users} u “;
  $sql .= “WHERE u.name = ‘%s’”;
  $results = db_query($sql, $username);
  return $results;
}
use db_query() for
    all queries
l()
// Hand-written anchor with a root-relative href. The path is fixed in the
// string, so it only resolves on a site whose URLs happen to have this shape;
// nothing here is escaped, which matters once the label or path is a variable.
$link = “<a href=‘/about-us’>About!</a>”;
$link = “<a href=‘/about-us’>About!</a>”;


http://www.mysite.com/node/1
http://www.mysite.com/seo-friendly-name
http://www.mysite.com/subdirectory/node/1
http://www.mysite.com/index.php?q=node/1
http://www.mysite.com/fr/node/1
// Same hand-written anchor; the URL forms listed below (alias, subdirectory,
// ?q= form, language prefix) are shapes a hard-coded href does not account for.
$link = “<a href=‘/about-us’>About!</a>”;


http://www.mysite.com/node/1
http://www.mysite.com/seo-friendly-name
http://www.mysite.com/subdirectory/node/1
http://www.mysite.com/index.php?q=node/1
http://www.mysite.com/fr/node/1


// l() builds the anchor from a title and a Drupal path: the URL is generated
// for the site's actual configuration, and the title is escaped by default.
$link = l($title, $url);
use l() for all links
t()
/**
 * Builds the message by interpolating $name into a literal; presumably the
 * "before" example that the t() slide replaces.
 *
 * The string never passes through t(), so it cannot be translated, and $name
 * is inserted without escaping.
 */
function my_message($name) {
  return “This is your message, $name!”;
}
/**
 * Interpolated message (same listing as the previous slide): untranslatable,
 * and $name is inserted without escaping.
 */
function my_message($name) {
  return “This is your message, $name!”;
}




/**
 * Builds the message through t() with a placeholder.
 *
 * The translatable text is a constant string and $name is supplied separately
 * as the value of '%name'. With the '%' prefix t() escapes the value and
 * emphasises it; '@' escapes only, and '!' inserts the value untouched, so
 * '!' must never carry user input.
 */
function my_message($name) {
  $values = array(‘%name’ => $name);
  $message = ‘This is your message, %name!’;
  return t($message, $values);
}
use t() for all
   UI text
PHPDoc
/**
  * Prepares a structured form array by adding required elements,
  * executing any hook_form_alter functions, and optionally
  * inserting a validation token to prevent tampering.
  *
  * @param $form_id
  *    A unique string identifying the form for validation,
  *    submission, theming, and hook_form_alter functions.
  * @param $form
  *    An associative array containing the structure of the form.
  * @param $form_state
  *    A keyed array containing the current state of the form.
  *    Passed in here so that hook_form_alter() calls can use it,
  *    as well.
  */
function drupal_prepare_form($form_id, &$form, &$form_state) {
    // Actual code goes here… (body omitted on the slide; the point of the
    // example is the PHPDoc block above).
}
drupal core

      1%


                 Code
37%
                 Comments
                 Jokes
           62%
use PHPDoc to
explain your code
Coder module
hook, don’t hack
happy baby
   is happy
security
(never trust anyone)
SQL Injection
Drupal Development (Part 2)
Drupal Development (Part 2)
/**
 * Looks up users by name created after a given timestamp.
 *
 * Both values travel as db_query() arguments rather than as part of the SQL
 * text. '%s' takes an escaped string and must sit inside quotes in the query;
 * %d takes an integer, so a non-numeric $date cannot add SQL to the statement.
 */
function get_my_data($name, $date) {
  $sql = “SELECT * FROM {users} u “;
  $sql .= “WHERE u.name = ‘%s’ ”;
  $sql .= “AND u.created > %d ”;

    $results = db_query($sql, $name, $date);
    return $results;
}
/**
 * Parameterised lookup (same listing as the previous slide): the SQL text is
 * constant and $name / $date are bound through the '%s' and %d placeholders.
 */
function get_my_data($name, $date) {
  $sql = “SELECT * FROM {users} u “;
  $sql .= “WHERE u.name = ‘%s’ ”;
  $sql .= “AND u.created > %d ”;

    $results = db_query($sql, $name, $date);
    return $results;
}


    %s, %d, %f, and %b are your friends
XSS
(use output filtering)
XSS
(use output filtering)
XSS
(use output filtering)
   Use filter_xss($text) for text that may keep some HTML; use check_plain($text) for plain text
CSRF
CSRF
Use FormAPI. ALWAYS. (For logged-in users it adds a per-form token and rejects submissions without it.)
input formats
(PHP, oh noes)
input formats
(PHP, oh noes)
http://drupal.org/
writing-secure-code
happy baby
   is happy
Performance
(It’s always the db)
cold hard cache
cold hard cache
Drupal Development (Part 2)
devel module
devel module
devel module
make your
own cache
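/**
 * Returns an expensive-to-compute value, cached at two levels.
 *
 * A static variable keeps the value for the rest of the request; cache_get()
 * and cache_set() keep it across requests under the cache ID 'my_stuff'.
 *
 * @param $reset
 *   TRUE to skip both caches and recompute.
 *
 * @return
 *   The cached or freshly computed value.
 */
function my_module_stuff($reset = FALSE) {
  static $stuff;
  if (!isset($stuff) || $reset) {
    if (!$reset && ($cache = cache_get('my_stuff'))) {
      $stuff = $cache->data;
    }
    else {
      // Do your expensive calculations here,
      // and populate $stuff with the result.
      //
      // The cache ID is fixed, so whatever is stored is handed to every
      // caller. If the result depends on the current user or their
      // permissions, make that part of the cache ID or do not cache it.
      cache_set('my_stuff', $stuff);
    }
  }
  return $stuff;
}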
happy baby
   is happy
the community
sign up. seriously.
participate
participate
Drupal Development (Part 2)
• Always use FormAPI
• Follow best practices (Coder helps!)
• It’s always the DB’s fault (cache)
• Don’t trust anyone (sanitize output)
• Participate!
happy baby
   is happy


Editor's Notes

  1. http://www.flickr.com/photos/mhzmaster/1004261881
  2. Wrote forms in straight HTML; duplicated workflow code; duplicated security code (hopefully); hack, hack, hack to customize. Now: build arrays to describe the form; use the standard workflow (drupal_get_form()); security is automatic; THEN render to HTML.