This document summarizes a presentation on secure Drupal coding given by Balazs Janos Tatar at the Drupal Mountain Camp 2019 conference. The presentation covered common types of vulnerabilities like cross-site scripting, access bypass, SQL injection, and discussed ways to prevent them, such as sanitizing user input, using the database API, and implementing access controls correctly. Code snippets were presented and the audience was asked to identify any issues. The goal was to help developers write more secure Drupal code.
jQuery: Tips, tricks and hints for better development and Performance - Jonas De Smet
This document provides an overview of a presentation on jQuery tips, tricks, and hints for better development and performance. The presentation covers:
1. What is jQuery and how it simplifies document traversing, event handling, and rapid web development.
2. Ten useful tips for better development, including avoiding flashing content, using Firebug's console, loading jQuery from Google Code, and writing custom filter selectors.
3. Ten performance tips such as using .find() instead of new selectors, giving selectors context, caching jQuery objects, and using event delegation.
The presentation concludes with contact information for the presenter.
- Assetic is an asset management library for PHP that allows bundling and minifying CSS and JavaScript assets.
- It defines assets that can be files, collections of files, or strings, and filters that can process asset contents.
- Assets can be loaded, merged, compressed, and cached to improve frontend performance and reduce page size.
WordPress allows plugins and themes to modify its core functionality through hooks called actions and filters. Actions allow plugins to specify functions that are executed at certain points, like before or after specific events. Filters allow functions to modify content, like text, before it is saved or output. The document discusses how a basic widget can be modified to use actions and filters to allow other code to add puppy images and warnings. This allows expanding the widget's capabilities without directly editing its code.
Reviews the basics of using JavaScript within WordPress: how to load scripts correctly and pass PHP data into JavaScript for later use. Presented at WordCamp Las Vegas 2013.
Performance and testing are just one aspect of code; to be really successful, your code needs to be readable, maintainable and generally easier to comprehend and work with. This talk draws from my own experience in applying the techniques of object calisthenics and code readability within an existing team. It will help you identify trouble areas, learn how to refactor them and train you to write better code in future projects, avoiding common pitfalls.
This document discusses converting Django apps into reusable services. It begins by explaining the typical structure of a Django project with multiple apps. It then discusses some of the challenges with this monolithic structure in terms of reusability, scalability and maintainability.
The document proposes converting apps into reusable services with defined contracts for communication. It provides examples of defining API endpoints and authentication. Converting apps to services allows for improved reusability as apps can be developed and updated independently. It also enables better scalability by removing dependencies between apps.
This document provides information about a CakePHP workshop including the presenter, development environment setup instructions, and an overview of the workshop content. Some key points:
- The presenter is Walther Lalk, a CakePHP core team member.
- Instructions are provided for setting up a development environment using Vagrant or the built-in PHP server.
- The workshop will cover installing CakePHP, baking a database and entities, authentication, authorization, and using the CRUD plugin to generate basic create/read/update/delete functionality.
- Attendees will build an events application with members, events, and event attendance tracking. Security, validation, and associations between entities will be implemented.
- CRUD will be
“Writing code that lasts” … or writing code you won’t hate tomorrow. - PHP Yo... - Rafael Dohms
The document provides advice and best practices for writing code that lasts over time. It discusses improving code through practices like making it more comprehensible, flexible, tested, and refactorable. Specific techniques mentioned include object calisthenics exercises like limiting indentation levels and instance variables, using first class collections, and avoiding getters/setters. The document emphasizes continuously improving code through practices like reading and sharing code with others.
The current status of the Corinna OOP proposal for the Perl programming language.
After years of design and discussion, the Perl Steering Committee has accepted the Corinna RFC (in a scaled-back initial form) for inclusion in the Perl language.
This talk gives the history of the proposal and where we're going from here.
The document introduces Assetic, an asset management library for PHP that allows developers to easily optimize frontend assets. It allows defining assets like CSS, JavaScript and image files that can then be combined, minified and cached. Filters can be applied to assets during loading and dumping to perform tasks like compilation, minification and versioning. Assets can be managed and cached for optimal performance and caching support. The library aims to provide a simple yet powerful way to manage frontend assets in PHP projects.
This document discusses various techniques for debugging and customizing SOAP requests and responses using PHP's SOAP extension (ext/soap). It covers topics like:
- Debugging SOAP calls by enabling tracing and accessing request/response data
- Adding authentication headers to SOAP requests
- Overriding the endpoint location for individual calls
- Intercepting calls to modify requests or responses
- Mapping complex XML types to PHP classes
- Setting custom XML schema types
“Writing code that lasts” … or writing code you won’t hate tomorrow. - PHPKonf - Rafael Dohms
As developers we write code everyday, only to frown at it a week after that. Why do we have such a hard time with code written by others and ourselves, this raging desire to rewrite everything we see? Writing code that survives the test of time and self judgment is a matter of clarity and simplicity. Let's talk about growing, learning and improving our code with calisthenics, readability and good design.
You don’t know query - WordCamp UK Edinburgh 2012 - l3rady
This document summarizes a presentation about querying in WordPress. It discusses:
- The main query object is stored in $wp_the_query and a reference to it is stored in $wp_query unless query_posts() is used.
- The 'pre_get_posts' action hook can be used to modify query variables and is more flexible than modifying the 'request' hook.
- When checking if a query is the main query, use $query->is_main_query() instead of comparing the objects for WordPress versions 3.3 and above.
This document contains code snippets and notes related to using PowerShell to manage SharePoint sites and lists. It includes examples of connecting to sites using PnP PowerShell and the SharePoint Online Management Shell, retrieving and updating list items, setting site properties, and debugging scripts. Links are provided to resources about PowerShell and SharePoint administration.
This document describes CakeEntity, an ActiveRecord implementation for CakePHP. CakeEntity allows entities to be returned from find() results and provides methods like save() and find() that mimic the ActiveRecord pattern. It supplies an EntityModel class, and application models use it by extending EntityModel. CakeEntity provides features like loading related data through contain(), returning entities from associations like hasMany, and allowing custom entity classes to be used.
Introducing Assetic: Asset Management for PHP 5.3 - Kris Wallsmith
The performance of your application depends heavily on the number and size of assets on each page. Even your blazingly fast Symfony2 application can be bogged down by bloated JavaScript and CSS files. This session will give you a basic introduction to PHP's new asset management framework, Assetic, and explore how it integrates with Symfony2 for a pleasant, common-sense developer experience.
Php 102: Out with the Bad, In with the Good - Jeremy Kendall
In this session, we'll look at a typical PHP application, review a few of the horrible mistakes the fictional developer made, and then refactor the app according to some best practices. Along the way you might even learn a thing or two about PHP you don't already know.
This document discusses CakeEntity, an ActiveRecord plugin for CakePHP that allows models to be used like ActiveRecord objects. It provides object-based find results and allows saving data directly through entity objects. Key features mentioned include compatible usage with core CakePHP, automatic caching of related object properties, and ability to place domain logic in entity subclasses. The document suggests how to set it up and provides examples of finding, saving, and accessing entity objects.
The document discusses pagination in PHP: creating a database connection, querying the total number of records and the records for the current page based on a page-size limit, and outputting navigation links to move between pages. Code is provided to connect to a database, get the total row count and the rows for the current page from the page number parameter, and output the navigation links and the current page's records in a table.
Your code sucks, let's fix it (CakeFest2012) - Rafael Dohms
The document discusses object calisthenics and code readability. It introduces object calisthenics as a set of simple, rhythmical exercises to achieve better object-oriented design and code quality. Some specific object calisthenics rules are presented, such as having only one indentation level per method to improve readability. The document also provides an example of refactoring code based on these principles to make it more readable and maintainable.
Nickolay Shmalenuk. Render api eng. DrupalCamp Kyiv 2011 - camp_drupal_ua
The document introduces the Render API in Drupal 7. It discusses how the Render API works similarly to the Form API by collecting necessary data into an array that is then converted to HTML and displayed. It describes main hooks like hook_page_build() and hook_page_alter() that can be used to add or override page elements. It also provides examples of using #theme and #arguments to theme render arrays and attach CSS/JS files.
Your code sucks, let's fix it - PHP Master Series 2012 - Rafael Dohms
Performance and testing are just one aspect of code; to be really successful, your code needs to be readable, maintainable and generally easier to comprehend and work with. This talk draws from my own experience in applying the techniques of object calisthenics and code readability within an existing team. It will help you identify trouble areas, learn how to refactor them and train you to write better code in future projects, avoiding common pitfalls.
Leveraging the Power of Graph Databases in PHP - Jeremy Kendall
This document provides an overview of leveraging graph databases in PHP. It begins with an introduction to graph databases and their data model. It then discusses Neo4j, a popular graph database, and its query language Cypher. The document demonstrates connecting to Neo4j from PHP, creating and querying nodes and relationships, and provides an example of modeling content like a news feed as a graph using the LASTPOST and NEXTPOST relationships to link content in order.
The document describes how to create cascading dropdown lists for country, state, and city using PHP and Ajax. It involves:
1. Creating country, state, and city tables in a MySQL database to store the options.
2. Creating PHP files - config.php to connect to the database, index.php to display the dropdowns, and load_state_city.php to populate the state and city dropdowns using Ajax calls based on the country and state selected.
3. Using JavaScript/jQuery to make Ajax calls and populate the state and city dropdowns dynamically based on the country and state selected in the previous dropdown.
When run, index.php displays casc
The document describes how to create a CodeIgniter PHP application for adding, editing, and deleting records in a database table. It includes creating the database and table, a controller and model to perform CRUD operations, and views to display and edit data. The controller functions handle getting all records, adding, updating, and deleting via the model. The views display all records in a table and include edit/delete links, and a form to add/edit individual records by calling the appropriate controller functions.
OSGI workshop - Become A Certified Bundle Manager - Skills Matter
OSGi is great at enabling you to build your systems out of sets of bundles. In a way, your bundles are your configuration. However, this also requires you to master the identification, assembly and provisioning of all of the components that make up your system.
* How do you hot-deploy bundles for delivery?
* Is there a simple way of bootstrapping your system with specific configurations that are easy to assemble and kick-start?
* Once your system is "out there", how can you take things one step further and manage the provisioning remotely?
* Is there an easy way to let the user discover and deploy what he wants, when he wants it?
* How can you do all of these things using existing technologies?
Well, you've come to the right place. In this workshop we will focus on ways to manage OSGi installations. Using a simple example application, we will show you how you can:
* use Fileinstall to hot-deploy bundles into your live application environment
* take advantage of Pax Runner to create and easily bootstrap configurations of bundles
* remotely manage, provision, and audit systems in the field with Apache Ace
* provide, discover, and deploy bundles using Apache Felix OBR
The document summarizes a presentation on writing secure Drupal code. It introduces the presenter Tatar Balazs Janos and his experience with Drupal. It then covers common types of vulnerabilities like cross-site scripting, access bypass, SQL injection and how to prevent them. Examples of vulnerable code are provided and improved upon. Best practices discussed include using database queries, input filtering, automated testing and restricting permissions.
The document is a presentation by Tatar Balazs Janos on writing secure Drupal code. It provides an overview of the presenter's background and experience with Drupal security. The presentation covers trends in security, types of vulnerabilities like cross-site scripting and SQL injection, and techniques for protecting against vulnerabilities such as input filtering, automated testing, and access control. It includes code examples and opportunities for audience participation through a bingo game.
This document summarizes a presentation on writing secure Drupal code. It discusses common vulnerabilities like cross-site scripting, access bypass, and SQL injection. It demonstrates how to securely code against these vulnerabilities and recommends using tools like Behat tests, security advisories, and contributing to Drupal to improve security. The presentation encourages writing secure code through sanitizing user input, using database placeholders, and following best practices.
This document summarizes a presentation about writing secure Drupal code. It discusses common vulnerabilities like cross-site scripting, access bypass, and SQL injection. It provides examples of secure and vulnerable code and recommends best practices to prevent vulnerabilities, including input filtering, access control, and automated testing. It also discusses security improvements in Drupal 8 and learning from security advisories.
4. 7th – 10th March 2019
Davos, Switzerland, drupalmountaincamp.ch
Contributions sprint all days.
Let's write secure Drupal code!
Tatar Balazs Janos
6. Who am I?
Tatar Balazs Janos
@tatarbj
Working with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ EC
Active mentor @ Mentoring community group
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source day
21. Client-side vulnerability caused by unfiltered output.
Never trust any user input.
We’ve seen the demo before ;)
Cross Site Scripting
Tatar Balazs Janos
@tatarbj
DrupalMountainCamp2019
35. Use Behat or other automated tests.
<script>alert('XSS')</script>
<img src="a" onerror="alert('title')">
Check your filters and user roles.
Do not give too many options to untrusted users!
Protection against Cross Site Scripting
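The two payloads on slide 35 are the standard probes for unfiltered output. The script below is an added example (not from the slides or from Drupal core) of how the utilities Drupal ships for this job treat them: Html::escape() turns the whole value into text, Xss::filter() keeps only an allowlist of tags and strips on* event attributes from the tags it keeps. It assumes the drupal/core-utility Composer package is installed so the two classes load outside a full site; the function names are mine.

```php
<?php
// Added example (not from the slides): how Drupal's own utilities neutralise
// the two payloads listed on slide 35. Assumes drupal/core-utility is
// installed via Composer (it ships Drupal\Component\Utility\Html and Xss),
// so the script runs without a full Drupal site.
require __DIR__ . '/vendor/autoload.php';

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;

/**
 * Renders an untrusted string as text: every character that could start
 * markup is HTML-encoded, so the browser displays the payload instead of
 * executing it. This is what a render array with '#plain_text' does.
 */
function render_as_text(string $untrusted): string {
  return Html::escape($untrusted);
}

/**
 * Renders an untrusted string as limited HTML: only the tags in $allowedTags
 * survive, and event-handler attributes (onerror, onclick, ...) as well as
 * javascript: URLs are dropped from the tags that do.
 */
function render_as_limited_html(string $untrusted, array $allowedTags): string {
  return Xss::filter($untrusted, $allowedTags);
}

/**
 * Constructed inputs: the two payloads from the slide plus a harmless one.
 */
function xss_samples(): array {
  return [
    "<script>alert('XSS')</script>",
    '<img src="a" onerror="alert(\'title\')">',
    '<strong>bold</strong> text',
  ];
}

/**
 * Rough heuristic: TRUE when the output still contains a tag that could run
 * script. A real Behat/PHPUnit test would assert this on the rendered page.
 */
function looks_executable(string $html): bool {
  return (bool) preg_match('/<script|<[^>]*\son[a-z]+\s*=|<[^>]*javascript:/i', $html);
}

foreach (xss_samples() as $input) {
  $text = render_as_text($input);
  // A deliberately generous allowlist: even with <img> permitted, the
  // onerror handler does not survive Xss::filter().
  $limited = render_as_limited_html($input, ['strong', 'img']);
  $safe = !looks_executable($text) && !looks_executable($limited);
  printf("input:   %s\ntext:    %s\nlimited: %s\nsafe:    %s\n\n",
    $input, $text, $limited, $safe ? 'yes' : 'NO');
}
```

In module code the same distinction is made by the render array key: '#plain_text' escapes the value, while '#markup' is passed through Xss::filterAdmin() and therefore only belongs to strings that are already trusted or were produced by your own code. The last slide bullet applies here too: the allowlist handed to Xss::filter() or configured in a text format is the set of options you give the user, so keep it as small as their role needs.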
37. A user can access or do something they are not allowed to.
Menu items can be defined to allow or deny access.
Many access systems: node, entity, field, views...
Access bypass
45. Visit node/NID and other URLs.
Visit anything/%node
Use Behat or other automated tests.
node_access(), entity_access()
Menu definitions
user_access() for permissions
$query->addTag('node_access')
Protection against Access bypass
47. Unauthorized access to database resources.
Do not trust any user input.
SA-CORE-2014-005 – Highly critical D7 SA
SQL Injection
53. Always use the Drupal Database API!
db_query() with :placeholder (deprecated in D8, will be removed in D9)
Filter parameters.
Check the queries in the code.
username' AND 1=1
POST requests with curl
Protection against SQL Injection
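Slide 53 says to use the Database API with :placeholders and to probe with an input like username' AND 1=1. The script below is an added example, not code from the slides or from Drupal; it uses plain PDO with an in-memory SQLite table so it runs outside a site (Drupal's db_query() and Connection::query() hand named placeholders to PDO in exactly this form). It assumes the pdo_sqlite extension is available; table, rows and function names are constructed.

```php
<?php
// Added example (not from the slides). Drupal's db_query()/Connection::query()
// pass :placeholders straight to PDO, so plain PDO with an in-memory SQLite
// table is enough to show the difference outside a Drupal site.
// Assumes the pdo_sqlite extension is available.

function build_connection(): PDO {
  $db = new PDO('sqlite::memory:');
  $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  $db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT NOT NULL)');
  // Constructed sample rows.
  $db->exec("INSERT INTO users (uid, name) VALUES (1, 'admin'), (2, 'username')");
  return $db;
}

/**
 * Vulnerable: the untrusted value becomes part of the SQL text, so a quote
 * in the input changes the statement the parser sees.
 */
function find_user_concatenated(PDO $db, string $name): array {
  $sql = "SELECT uid, name FROM users WHERE name = '" . $name . "'";
  return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Safe: the value is bound to :name and the SQL text never changes.
 * Drupal equivalents: db_query('... WHERE name = :name', [':name' => $name])
 * in D7, \Drupal::database()->query(...) with the same arguments in D8/9,
 * or db_select('users')->condition('name', $name) for a dynamic query.
 */
function find_user_placeholder(PDO $db, string $name): array {
  $stmt = $db->prepare('SELECT uid, name FROM users WHERE name = :name');
  $stmt->execute([':name' => $name]);
  return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Runs both variants on one input and reports what happened, the way a
 * review or an automated test would compare them.
 */
function compare_variants(PDO $db, string $input): array {
  $result = ['input' => $input];
  try {
    $result['concatenated'] = count(find_user_concatenated($db, $input)) . ' row(s)';
  }
  catch (PDOException $e) {
    // A syntax error caused by a quote in the input is the classic sign that
    // the value reached the parser as SQL rather than as data.
    $result['concatenated'] = 'SQL error: ' . $e->getMessage();
  }
  $result['placeholder'] = count(find_user_placeholder($db, $input)) . ' row(s)';
  return $result;
}

$db = build_connection();
foreach (['username', "username' AND 1=1"] as $input) {
  print_r(compare_variants($db, $input));
}
```

The benign input returns one row from both functions. The probe from the slide makes the concatenated query fail with an unterminated-string error, which is what a tester looks for, while the placeholder version simply finds no user with that literal name. The review question for every query in a module is therefore the same: is every piece of the SQL text a constant, and does every value travel through a placeholder or a condition()?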
54. Test IV.
Ready for some other code?
55. <?php
function _generate_password($length = 8) {
  // Allowable characters, as in Drupal 7's user_password(): 0/O and 1/I/l
  // are left out to avoid confusion between them.
  $allowable_characters = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
  // Zero-based count of characters in the allowable list.
  $len = strlen($allowable_characters) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    // Each iteration, pick a random character from the
    // allowable string and append it to the password:
    $pass .= $allowable_characters[mt_rand(0, $len)];
  }
  return $pass;
}
?>
57. <?php
function _generate_password($length = 8) {
  // Allowable characters, as in Drupal 7's user_password(): 0/O and 1/I/l
  // are left out to avoid confusion between them.
  $allowable_characters = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
  // Zero-based count of characters in the allowable list.
  $len = strlen($allowable_characters) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    do {
      // Find a secure random number within the range needed.
      $index = ord(drupal_random_bytes(1));
    } while ($index > $len);
    $pass .= $allowable_characters[$index];
  }
  return $pass;
}
?>
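Slide 57 replaces mt_rand() with a byte from drupal_random_bytes() and a rejection loop. The script below is an added example, not from the slides or from Drupal core, that shows the same technique with the PHP 7+ built-ins a Drupal 8/9 module would use today (random_bytes(), random_int(); Drupal 8/9 wraps the same source in \Drupal\Component\Utility\Crypt::randomBytes()), plus the property a unit test can check and a demonstration of why a seeded mt_rand() is not a random source. The character list follows Drupal 7's user_password(); function names are mine.

```php
<?php
// Added example (not from the slides). Two CSPRNG-backed ways to pick
// password characters in PHP 7+, the check a test can make, and why
// mt_rand() is the wrong tool. Character list as in Drupal 7's user_password().

const ALLOWABLE_CHARACTERS = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

/**
 * Slide 57 style: draw one byte from the CSPRNG and reject values outside
 * the range, so every character is equally likely (no modulo bias).
 * With 57 characters about three out of four bytes are rejected, which is
 * cheap compared to the bias a "% $len" shortcut would introduce.
 */
function generate_password_rejection(int $length = 8): string {
  $chars = ALLOWABLE_CHARACTERS;
  $len = strlen($chars) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    do {
      $index = ord(random_bytes(1));
    } while ($index > $len);
    $pass .= $chars[$index];
  }
  return $pass;
}

/**
 * Since PHP 7.0 random_int() does the rejection sampling internally and is
 * the idiomatic replacement for mt_rand() wherever unpredictability matters.
 */
function generate_password_random_int(int $length = 8): string {
  $chars = ALLOWABLE_CHARACTERS;
  $len = strlen($chars) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    $pass .= $chars[random_int(0, $len)];
  }
  return $pass;
}

/**
 * Property a unit test can check: right length, only allowed characters.
 * It cannot prove the source is unpredictable; that is what code review of
 * the random call itself is for.
 */
function is_well_formed_password(string $pass, int $length): bool {
  return strlen($pass) === $length && strspn($pass, ALLOWABLE_CHARACTERS) === $length;
}

/**
 * Why mt_rand() fails the review: it is a deterministic generator, so the
 * same seed yields the same "random" password every time.
 */
function generate_password_mt_rand_seeded(int $seed, int $length = 8): string {
  mt_srand($seed);
  $chars = ALLOWABLE_CHARACTERS;
  $len = strlen($chars) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    $pass .= $chars[mt_rand(0, $len)];
  }
  return $pass;
}

$p1 = generate_password_rejection(12);
$p2 = generate_password_random_int(12);
printf("rejection:  %s (%s)\n", $p1, is_well_formed_password($p1, 12) ? 'ok' : 'bad');
printf("random_int: %s (%s)\n", $p2, is_well_formed_password($p2, 12) ? 'ok' : 'bad');
// Same seed, same output: the two printed values are identical.
printf("mt_rand seeded twice: %s %s\n",
  generate_password_mt_rand_seeded(42), generate_password_mt_rand_seeded(42));
```

The review rule that follows from the slide is short: any value that has to be unguessable (passwords, reset tokens, nonces, session identifiers) comes from random_bytes()/random_int() or Drupal's Crypt wrappers, never from mt_rand(), rand() or uniqid().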
58. # custom_module.permissions.yml
administer custom module:
  title: 'Bypass access control'
  description: 'Allows a user to bypass access control.'
# custom_module.routing.yml
custom_module.settings.form:
  path: '/admin/config/custom/settings'
  requirements:
    _permission: 'administer custom module'
60. # custom_module.permissions.yml
administer custom module:
  title: 'Bypass access control'
  description: 'Allows a user to bypass access control.'
  restrict access: TRUE
# custom_module.routing.yml
custom_module.settings.form:
  path: '/admin/config/custom/settings'
  requirements:
    _permission: 'administer custom module'
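Slides 58 to 60 show the routing-level check (_permission plus restrict access: TRUE), and slide 45 lists the code-level ones (node_access, entity_access, user_access, the node_access query tag). The class below is an added example written for Drupal 8/9, not code from the slides or from any real module, that puts them together in one controller for the custom_module from the YAML above. It only runs inside a Drupal site with the node module enabled; the class name, the second route and its method names are assumptions.

```php
<?php
// Added example (not from the slides): a Drupal 8/9 controller for the
// custom_module shown above. Runs only inside a Drupal site with node
// module enabled; class and method names are assumptions.

namespace Drupal\custom_module\Controller;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class SettingsController extends ControllerBase {

  /**
   * Callback for the route custom_module.settings.form on slide 60.
   *
   * The router has already enforced `_permission: 'administer custom module'`
   * before this method runs, so the permission check lives in one place
   * (routing.yml) and is not repeated or forgotten in code.
   */
  public function settings() {
    return ['#markup' => $this->t('Only users with the permission reach this page.')];
  }

  /**
   * Assumed second route: /node/{node}/custom-summary.
   *
   * A permission alone cannot decide whether this user may see this node
   * (published state, node_access grants from other modules), so the entity
   * is asked. The same route should also carry `_entity_access: 'node.view'`
   * in routing.yml; the in-code check covers callers that bypass the router.
   */
  public function nodeSummary(NodeInterface $node) {
    if (!$node->access('view')) {
      throw new AccessDeniedHttpException();
    }
    // '#plain_text' escapes the label; never put a label into '#markup'.
    return ['#plain_text' => $node->label()];
  }

  /**
   * Custom access callback, usable as `_custom_access` in routing.yml when a
   * route needs "has the permission OR may edit this node".
   */
  public function access(AccountInterface $account, NodeInterface $node) {
    return AccessResult::allowedIfHasPermission($account, 'administer custom module')
      ->orIf($node->access('update', $account, TRUE));
  }

  /**
   * Listing nodes the way slide 45 recommends: with access checking on.
   *
   * An entity query with accessCheck(TRUE) adds the node_access tag itself,
   * so node grants from other modules apply. The Drupal 7 equivalent was
   * db_select('node')->addTag('node_access'). Forgetting this is the most
   * common way a custom listing leaks unpublished or restricted content.
   */
  public function listNodeIds(): array {
    $query = $this->entityTypeManager()->getStorage('node')->getQuery();
    return array_values($query->condition('status', 1)->accessCheck(TRUE)->execute());
  }

}
```

Two points from the slides are worth stating plainly. First, restrict access: TRUE in permissions.yml does not change any check in code; it marks the permission as security-sensitive so the permissions page warns administrators to grant it to trusted roles only, which is exactly right for a permission whose title is "Bypass access control". Second, the three layers are complementary: the route requirement stops unauthorised requests early, the entity access call answers the per-object question, and accessCheck(TRUE) on queries keeps listings honest. The testing advice on slide 45 (visit node/NID and other URLs as each role, automate it with Behat) is how you find the layer that was left out.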
65. Many ways Drupal 8 is more secure!*
Twig templates for HTML generation
Removed PHP format
Site configuration exportable, versionable
User content entry and filtering improvements
User session and session ID handling
Automated CSRF token protection
Trusted host patterns enforced for requests
Single statement execution for SQL
Clickjacking protection
Content security policy compatibility with Core JavaScript API
*https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf
67. Security advisories are for:
only stable modules
no alpha, beta or dev releases
drupal.org-hosted projects
@Maintainers: If you are contacted, be supportive!
Drupal Security Team