Planet Drupal

Drupal.org - aggregated feeds in category Planet Drupal

Drupal Watchdog: VIDEO: DrupalCon Amsterdam Interview: Tom Erickson

Wed, 06/05/2015 - 18:17

In Drupal Watchdog’s proprietary corner, we have a lively chat with TOM ERICKSON (CEO, Acquia), who reveals himself as a pop-music maven, Napa oenophile, and passionate proponent of diversity in the technology field, particularly among women and millennials.

Tags: DrupalCon Amsterdam, DrupalCon Video
Categories: Elsewhere

Annertech: Let the world know: #DrupalOpenDays Ireland is fast approaching (and we're sponsoring)

Wed, 06/05/2015 - 14:37

Drupal Open Days - the largest meeting of Drupal developers, users, and enthusiasts in Ireland - is fast approaching. This year is looking like it's going to be the biggest and best one yet.

Biggest: check out who is coming

Best: check out the great line-up of speakers

Categories: Elsewhere

LevelTen Interactive: Five Drupal Modules That Will Save You from Mobilegeddon

Wed, 06/05/2015 - 07:00

Mobilegeddon has arrived. I hope your site was one of the survivors...

Categories: Elsewhere

flink: Take your Maps to the Max

Wed, 06/05/2015 - 05:40

We’ve always loved maps. Google, Openlayers, Leaflet... bring them on!

To date, those three are the most popular engines to fetch and assemble the tiles that make up your maps and deliver them to the browser.

We love all three, and through IP Geolocation Views & Maps, we support all three.

We have a penchant for Leaflet because its code is open source, well written and built from the ground up for mobile. It is also easily extended, as witnessed by the great number of handy map widgets and plugins that float about on GitHub and as module add-ons on drupal.org.

With all of these rapidly gaining popularity, we thought it might be inspiring to showcase a number of these goodies on a single interactive map page for you to play with.

As you hover and click around, we hope you become just as convinced as we are that maps are not merely stylish page elements, but also enhance content navigation and reporting in ways that cannot be achieved through menus, search boxes and spreadsheets.

The best news is that you can now click all of this together in Drupal without any coding whatsoever. To make it totally easy for you to produce a map like the one below, we've made screenshots of the complete map configuration.

And that's enough from us. Time for you to PLAY!

Produced in collaboration with RegionBound.


File under: Planet Drupal
Categories: Elsewhere

DrupalCon News: Developer Contest at DrupalCon!

Tue, 05/05/2015 - 22:10

Are you ready to create a great shopping experience and possibly win some fun prizes? Sphere.io’s Developer Contest at DrupalCon Los Angeles is your chance. Build a working Webshop (responsive, of course!) by developing a Drupal extension that integrates Drupal 8 and SPHERE.IO. Submissions are due Monday, May 11th at 9:00pm PST!

About the Mission:

Categories: Elsewhere

DrupalCon News: Build Lasting Connections at Women in Drupal Event

Tue, 05/05/2015 - 20:55

At my first Women in Drupal event, there were approximately fifteen women gathered in the corner of a temporarily-unused DrupalCon room. We turned on the lights, circled the chairs, and talked comfortably about our work. At the time, I was a backend developer and almost always the only woman on my teams.

Categories: Elsewhere

Lullabot: Lullabot's 7th Annual DrupalCon Party

Tue, 05/05/2015 - 20:33

Lullabot's annual party has become a DrupalCon tradition – fun friendly people hanging out and having a good time. If you're new to DrupalCon, it's a great place to meet people. If you're an old-timer like most of us, it's a great place to see old friends and make new ones.

Categories: Elsewhere

Acquia: Four Final Questions You Should Ask Your Drupal Cloud Host

Tue, 05/05/2015 - 18:48

You know how when you're buying a car, and the questions just keep on coming? And the salesperson keeps making roundtrips to the manager's desk?

It's kind of like that when you're considering where to host your website. There's always time for more questions. It's one less surprise later on.

That's why I keep adding to my list.

It started, you may recall, with just five questions. A week later, I added five more. Now, before closing out this series, I've got a final four.

Ask now, avoid unpleasant surprises later. That's my motto, and it should be yours.

1. What is your level of Drupal expertise?

Acquia offers the industry's highest level of technical Drupal expertise. Our support organization is larger than most hosting companies: over 60 professionals worldwide with over 250 years of combined experience. And Acquia’s overall level of in-house Drupal expertise is unparalleled, with over 150 Drupalists, including core owners, security team members, and module contributors. Furthermore, Acquia’s wealth of Drupal knowledge is being expanded continuously. Closed-loop processes between our support and engineering organizations help to drive new tools and add to our Help Center, which we then share with the Drupal community.

2. If my site turns into a volcano of errors, will you proactively notify me?

Acquia monitors the health of customers’ servers, and we proactively notify customers of the nature of any issues we detect. When the problem is server-side, we mitigate it, and when the issue is caused by something on the application side, we provide recommended steps to resolve the issue (though we do not usually implement them ourselves unless the customer cannot for some reason).

Acquia also gives customers access to advanced monitoring at the application level, via partners like New Relic or features like our Uptime Monitoring tool—both of which can be used to alert customers in a self-service fashion whenever the application is suffering. If the root cause is server-related, we will notify the customer proactively, but some issues are application-only (meaning they do not trigger server health alerts on our end), so that is why we recommend that customers utilize application-level monitoring whenever possible.

3. Do you offer advanced platform analysis tools to help ensure that my application is running at its best?

Every Acquia Cloud Subscription comes with a suite of tools that make managing your Drupal sites easier than ever before. Drupal site developers, administrators, and site owners can quickly identify problems, eliminate costly mistakes, simplify processes, and improve overall site performance. Acquia’s monitoring tools analyze and measure the quality of your site based on security and performance parameters. Dozens of tests ensure your site’s conformance with best practices for security, performance, and general Drupal and web application development. Monitoring over 50 settings, these tools provide real-time analysis and proactive alerts for issues with your Drupal code and configuration. You can identify code issues and modifications fast, easily download patch files, and view needed updates at-a-glance. You’ll receive a site score to help you improve the quality of your site. You’ll get clear, actionable recommendations to help solve problems and expand your Drupal knowledge.

Acquia provides several additional tools that help you quickly troubleshoot problems with your application. The Uptime Monitoring tool monitors your site’s uptime and responsiveness. It checks your site every minute to see if it’s online and serving pages. For a developer looking to quickly and easily get visibility into a problem, log streaming is a solution that allows for easy access to information without having to download a full day’s log file. It provides real-time access to server logs from within the UI—making troubleshooting more efficient.

4. What is your uptime Service Level Agreement (SLA), and how do you ensure that you meet it?

Acquia commits to 99.95 percent platform, infrastructure, and application uptime. To ensure this, we operate monitoring services 24x7. Acquia uses the Nagios monitoring platform to provide instant access to over 50 vital real-time and historical metrics. We also maintain robust home-grown monitoring tools to ensure performance. Our team of Cloud Operations professionals is always standing by—proactively monitoring your environment and responding to critical issue alerts. With coverage in all time zones and fluency in five languages, the team is available 24x7 for critical, site-impacting issue response.

Tags: acquia, drupal planet
Categories: Elsewhere

Drupal Watchdog: VIDEO: DrupalCon Amsterdam Interview: Cathy Theys

Tue, 05/05/2015 - 18:09

CATHY THEYS (Drupal Community Liaison, Blackmesh) runs sprints. She also mentors young Drupal sprinters. Go, Cathy!

Tags: DrupalCon Amsterdam, DrupalCon Video
Categories: Elsewhere

Drupal Watchdog: Protecting Your Drupal 8 Resources

Tue, 05/05/2015 - 16:05
Article

Drupal 8 incorporates a Modular Authentication System which, given a request, attempts to identify a Drupal user by inspecting the HTTP request headers.

Authentication comes in handy when we want to restrict access to a resource in Drupal. It can be applied to any route, although the method to implement it may differ. It is most commonly used to identify requests when we are exposing data through an API from our Drupal site.

Authentication and Authorization

Imagine you are going through airport security. The security agent asks to see your ID – a passport or driver’s license, say. The act of showing your ID is what we call Authentication. In Drupal – as in almost all websites – your authentication credentials are your username and password.

Next, the security agent checks your boarding pass to verify that you are in the right place and have clearance to get on a plane. That’s called Authorization. In Drupal your role (and therefore the permissions assigned to that role) are your Authorization credentials.

To summarize: authentication asks “who are you?”; authorization asks “may you proceed?”.

Enjoy your flight!

Authentication in Drupal 8

In Drupal 8, Authorization is handled by the Access System and won't be covered in this article; there is an internal system to handle Authentication, so let's start with the following statement:

Thanks to the Modular Authentication System, different Authentication Providers may extract a $user out of a given $request object.

There are a few keywords in that statement. Let's dissect them briefly:

Categories: Elsewhere

ThinkShout: Monkeying Around with D8

Tue, 05/05/2015 - 11:00

Leading the Charge

I have used A LOT of email marketing service providers over the years and my opinion of them was twofold: they were all similar and none of them were particularly great. Was it possible that this was just a category of business that would never be exciting or innovative? Was I destined to be a project manager who half-heartedly recommended whatever email service provider I was using most at the time to clients?

Enter the chimp...

Despite its playful name, MailChimp made a serious shift in a category that had always had potential but lacked a champion. My first thought when I used the tool was that even if the feature set was identical to all its competitors, MailChimp’s user interface alone set it apart. But once I dug into its capabilities, I became a bona fide fan (dare I say ambassador) of the brand. From automated email workflows and slick segmentation capabilities, to the Chimpadeedoo tablet app that facilitates email sign-ups without an internet connection, MailChimp became the new king of the jungle.

Fast forward a few years, and here I am working at ThinkShout, MailChimp’s Drupal partner. We built and maintain the MailChimp Drupal module, which is used by nearly 22,000 websites.

If you are familiar with MailChimp’s motto - listen hard and change fast - (or if you just read the first couple paragraphs of this blog post), then it should come as no surprise that innovation is at the heart of MailChimp’s culture. With the release of Drupal 8 looming this Fall, MailChimp and ThinkShout saw a unique opportunity to lead the charge by porting one of the most popular email modules to be D8 compatible.

The Only Way Through it is Through it

Being a trailblazer isn’t easy, and MailChimp understood that pushing the envelope on D8 development would require an investment of time and resources. While the core MailChimp module is relatively simple, the bundled submodules are feature-rich and technically complex.

Let’s recap what the MailChimp module allows you to do:

  • Any “object” in Drupal that has an email address, say a User, Contact, or even a Comment, can be automatically subscribed to a list and segmented based on other attributes, like their zip code.
  • Display a list subscription status on an entity or a subscription form.
  • Map Drupal Data, such as name and address, to merge fields in MailChimp.
  • Create forms to allow site visitors to sign up for any Mailchimp List or combination of Lists.
  • Create Pages, Blocks, or both to display forms.
  • Create campaigns containing any Drupal entity, or entities, as content.
  • Send campaigns created in Drupal through MailChimp or Drupal.
  • View campaign statistics and email activity for all list subscribers.

Luckily, one of the greatest aspects of our partnership with MailChimp is our shared passion for recognizing opportunity in challenges and giving back to the community. With that spirit, a couple of ThinkShout engineers dove in head first with the goal of porting the majority of the popular D7 module’s features over to D8 in time for a beta release at DrupalCon LA. During the process, they realized that the available Drupal 8 documentation wasn’t keeping up with the speedy pace of D8 development. Over the course of several weeks, our engineers updated documentation and created examples to make life (or at least development) a little easier for the next developer looking to create something similar.

It’s a Sprint, Not a Marathon

With the conference approaching, it was time to call on the ThinkShout village to help put the polish on the new module. Since nine heads are better than two when it comes to user testing and QA, we scheduled a sprint to focus our engineering department on providing that critical perspective needed at the end of a large development project.

During our afternoon sprint, our engineering department ran a battery of tests (both human and automated) to document and resolve bugs. Our engineering staff has grown quite a bit recently, so the sprint also provided an opportunity for knowledge sharing about MailChimp and D8 development across the team. As a non-engineer fly on the wall, it was exciting to witness the energy at the sprint table, as bugs were closed and high-fives were thrown.

The Future is Now

So far, I’ve focused on what some of the challenges of early D8 development have been, and you’re surely wondering by now “So, what do you think about D8?” Short answer: we’re excited, and we think you should be, too.

Drupal 8 standardizes module development by enforcing PSR-4 compliant namespaces. Whereas D7 allows developers to dictate where a form or entity is placed, for example, D8 loads files in the correct path automatically. What does this mean for developers? Well, it means time saved by not having to search an entire codebase to find where the developer before you placed a form. And because this structure is more in line with general engineering practices, it will be easier for any developer to ramp up for Drupal development.

But the benefits aren’t just for developers. We are also excited about the efficiencies that will be created for our nonprofit clients. Not only do they stand to benefit from the streamlined development approach, but that shift in approach will also make it easier to find resources to maintain and enhance their sites.

Learn More About the New MailChimp Module

Come and see us at DrupalCon LA, where our very own Lev Tsypin will be giving a lightning talk about the evolution of MailChimp's support for Drupal, the basics of how the integration works, and a hint at what's to come for Drupal 8. Don’t worry if you can’t make it to the talk, because we’ll also be hanging out in the MailChimp booth. And if you spot one of us (you’ll recognize us by our ThinkShout hoodies), stop us! We’d love to chat about what we’ve learned about D8 and why we are excited for its release. Also, be sure to check out past blogs we've written about our work on the MailChimp module.

Categories: Elsewhere

Drupal core announcements: Drupal 7 core release on Wednesday, May 6

Tue, 05/05/2015 - 07:39
Start: 2015-05-06 (All day) America/New_York
Online meeting (e.g. IRC meeting)
Organizers: David_Rothstein

The monthly Drupal core bug fix/feature release window is this Wednesday, May 6. Although there was a release just last month, it's a good time for another one, to fix a regression introduced in Drupal 7.36 that affected some sites as well as to get a few other fixes in. Therefore, I plan to release Drupal 7.37 this Wednesday.

The final patches for 7.37 have been committed and the code is frozen (excluding documentation fixes and fixes for any regressions that may be found in the next couple days). So, now is a wonderful time to update your development/staging servers to the latest 7.x code and help us catch any regressions in advance.

The primary purpose of this release is to fix a regression caused by Drupal 7.36 which caused content types on some existing sites to become disabled after the update (see the 7.36 release notes and the issue for further information). The fix is intended to work for sites that already upgraded to Drupal 7.36 (it should restore content types that were erroneously disabled) as well as for those that did not. More testing of this issue in particular is welcome.

You might also be interested in the tentative CHANGELOG.txt for Drupal 7.37 and the corresponding list of important issues that will be highlighted in the Drupal 7.37 release notes.

If you do find any regressions, please report them in the issue queue. Thanks!

Upcoming release windows after this week include:

  • Wednesday, May 20 (security release window)
  • Wednesday, June 3 (bug fix/feature release window)

For more information on Drupal core release windows, see the documentation on release timing and security releases, and the discussion that led to this policy being implemented.

Categories: Elsewhere

DrupalCon News: Accessibility at DrupalCon

Mon, 04/05/2015 - 23:49

Inclusivity is incredibly important to us at the Drupal Association. As part of our organizational value of respect, we state: “We respect and value inclusivity in our global community and strive to recognize, understand, and respond to its needs.”

But we believe that actions speak louder than words, and that’s why we’re pleased that DrupalCon will be so friendly to our community members who may require assistance or have certain accessibility needs during the events.

Categories: Elsewhere

Drupal Association News: 2015 At-Large Election Data Released

Mon, 04/05/2015 - 22:35

It was just a few weeks ago that we welcomed Addison Berry as our new At-Large board director after a very eventful elections process. Almost as soon as we announced the news, we heard feedback via Twitter and the announcement blog post comments that there was strong interest in seeing the voting data. In our transparent community, it only seemed natural to share the aggregated voting data.

We agreed, but because we had not previously shared any of that data publicly, we decided to take it to the board for discussion before doing so. One thing we did NOT want to do is discourage candidates from further community participation by exposing voting data without their knowledge. So, at the 15 April board meeting, we discussed the requests.

The board members were all in agreement that sharing the data is a good thing. The one concern was that because this issue had not been raised before, we had not asked the candidates or shared with them that voting data would be shared. It was agreed that in future elections, we will inform candidates on the self-nomination page that their data will be shared. For sharing this election's data, we went back and asked candidates to opt-in to share their voting results.

So, what we are sharing this year is a first step toward broader transparency around elections data. This year, we can only share with you an image file with data obscured for candidates who did not opt-in. The file does show you the progression of the IRV voting runoff, but we recognize that an image file is not highly usable.

However, the discussion we had around sharing voting data was really informative and actually fun (I love data!). We have already developed a number of stories for the next iteration of the elections module that we deploy, and these will allow us to potentially track and share a lot more aggregate data. It would be great, for example, to know where the votes came from geographically. It would also be great to release the data in a more usable way, like a CSV file. Feel free to share what you would like to see from future elections in the comments below. Just know that we are committed to only share aggregated data and will never drill down to share how a particular voter voted.

With that, it's time to share the voting data. Remember that we use IRV voting, so the image below shows that process - getting to a candidate with more than 50% of the votes (as opposed to a simple majority). The result is that the candidates with the fewest #1 placements are eliminated in each round until one candidate has a majority. You can see the votes of candidates being transferred in each round. Things become much clearer in the end when you can see the final 5 candidates:

  • Ani Gupta
  • Anonymous
  • Enzo
  • Michael Schmid (not named, but he is the remaining candidate when the winner is declared)
  • Addison Berry (the winner!)

Thank you again for the push to share this data, and we look forward to doing even more in the next election:

Categories: Elsewhere

Drupal Easy: DrupalEasy Podcast 151: Shirtless at Drupalcon (Brett Meyer and Stephanie Gutowski - Drupal Watchdog/DrupalCon Los Angeles preview)

Mon, 04/05/2015 - 20:22

Download Podcast 151

Brett Meyer, Director of Strategy at ThinkShout, and Stephanie Gutowski, Community Engagement Organizer/Manager at ThinkShout, join Ted, Ryan, and Mike to talk about video games. Specifically, Dragon Age: Inquisition. Seriously: Brett and Stephanie have an article in the upcoming issue of Drupal Watchdog where they relate content strategy in websites to content strategy in content-heavy video games. We also focus on DrupalCon Los Angeles, including what we're looking forward to, whether sessions are still necessary, community vs. business networking, and whether it's possible to pack only a single shirt.


Categories: Elsewhere

Acquia: Build Your Drupal 8 Team - Skills for Tech, Non-Tech, and "Bridge" Members

Mon, 04/05/2015 - 19:12

Getting your hands on new technology is the best part of being a developer -- playing around with it, and trying out cutting-edge concepts is challenging.

But trying to meet deadlines with new tech, especially if you don't understand it fully? That can mean lots of late nights and weekend work when you'd rather be doing something else.

Fortunately, working with Drupal 8 builds on core skills your team already has. Augmenting their existing knowledge with additional skills to use the new functionality of Drupal 8 will help your team deliver that first project successfully.

The new release of Drupal integrates technology that's become industry-standard, so developing skills in these areas will have benefits beyond the Drupal ecosystem.

How to think about your Drupal 8 team: Tech, Non-Tech, and "Bridge."

Skills for the Tech Team Members

Even if you've worked with Drupal previously, upcoming architectural changes in Drupal 8 mean you'll need to spend some time to get up to speed.

For the tech folks, here's the bulletin: bone up on PHP, Symfony, and object-oriented development.

PHP underlies Drupal 8's event-listener, which is what makes its functionality work. Understanding PHP namespaces is important to coming up with a clean way of organizing your code modules and sub-modules.

Symfony is a PHP framework that's being incorporated into Drupal 8. It will help provide the routing, sessions and services container functionality. Features like dependency injection will help you develop reusable code.

Drupal 8 implements its fields, views, entities and nodes in an object-oriented fashion. This brings the benefits of object-oriented development, like inheritance and encapsulating functionality, but means you need to understand concepts like polymorphism. Focus on understanding key design patterns like dependency injection -- you'll want to leverage those patterns in speed-building your site.

That sounds like a lot of learning, but you don't need to become experts in all of it -- you just need to get a deep enough understanding of the concepts and how to use them to speed your Drupal 8 development.

Skills for the Non-Tech Team Members

The non-tech members of the team don't get a free pass while developers hit the books.

Everyone on the team should understand the capabilities of Drupal 8 so they know what they can reasonably ask you to develop.

Finally, your team needs a "bridge member" -- a team lead or project manager who understands both the technical capability of Drupal 8 and the needs and wants of the business to mediate when there is a conflict between them.

A bridge member who is fluent in technology and business is key to making sure project commitments are realistic and achievable, allowing you to get the project done while having weekends to yourself.

Next: We'll drill down into the technical roles and required skills your team needs for Drupal 8.

Sources:

https://www.drupal.org/drupal-8.0

http://buytaert.net/why-the-big-architectural-changes-in-drupal-8

http://www.sitepoint.com/symfony-drupal-8/

http://stackoverflow.com/questions/1068556/how-drupal-works

Tags: acquia, drupal planet
Categories: Elsewhere

Acquia: Jumpstart Your Drupal Project with a Technical Project Manager

Mon, 04/05/2015 - 17:46


Is your Drupal project stalled?

Perhaps you don't know exactly what's wrong, but for some reason the project is just stuck.

You're eager to take the next step -- if only you knew what that was. If you find yourself in this situation often enough, you might want to consider hiring a technical project manager.

What is a Technical Project Manager?

Simply put, a technical project manager is your liaison between your technical team and the non-technical people you are working with. Technical managers are familiar with technical jargon and processes, and most importantly, they understand the culture of IT professionals. Thus, they can communicate well and help motivate members of the IT team that aren't performing at their maximum capacity, help managers delegate work appropriately and jump-start project leadership.

Technical project managers do a whole host of things on any given day to help move projects into the next stage of completion. For example, they might:

  • Write emails to members of the IT team to assign tasks, check in on project completion or resolve problems.
  • Discuss the project one-on-one with technicians to make sure they are staying on track and are moving towards project completion.
  • Write status reports.
  • Lead IT team meetings.
  • Help technicians brainstorm solutions to severe technical problems.

How to Work With a Technical Project Manager

The key to working with a technical project manager is to communicate often about the project. Here are some specifics to keep in mind:

  • Share your vision for the project. Technical project managers are as prone to assumptions about what the project entails as other IT team members are. It's important to begin by ensuring everyone's on the same page. When the technical project manager is brought on board, have a team meeting where everybody shares what they think the project is meant to accomplish and what their role is. That way, the technical project manager understands what's needed and can make sure that everybody on the team knows what they are supposed to be doing.
  • Collaborate on a timeline. One of the biggest problems with IT projects involves timelines. It can be tempting to get sucked into side projects when researching or working on the main project, and this can push deadlines back -- especially if those deadlines aren't clear to begin with. Sit down with the technical project manager to discuss the timeline for the project, including deadlines for each step. Together, the team can come up with a timeline that feels comfortable for everybody and the technical project manager can more easily help everybody stay on task.
  • Have regular check-ins. Now that there's a technical project manager on board, IT team members can talk about technical difficulties or problems with completing their tasks as scheduled because the project manager will understand what they're talking about. Team members should get in the habit of checking in regularly with the technical project manager and sharing any concerns or technical problems that are interfering with progress.
  • Use technology for check-ins and discussion. Reporting tools should be updated, and internal social media, instant messaging and conference calls should be utilized to quickly provide status updates for each member of the team.

Bringing a technical project manager on board can help bridge the gap between IT professionals and management.

Technical project managers have an IT background as well as a management background, so they are in a unique position to help projects get off the ground and moving towards completion.

Tags: acquia, drupal planet
Categories: Elsewhere

J-P Stacey: Unicode, accented characters, Drupal Views Data Export and Excel

Mon, 04/05/2015 - 17:00

If you need to assemble listings of content in Drupal, Views is what you use. And if you need to export such a listing, into offline formats like CSV, Views Data Export is a definite contender for how to do it. However, when you open the output in Microsoft Excel, you can end up—intentionally or otherwise—learning a great deal about the internals of Unicode encoding.


Categories: Elsewhere

NEWMEDIA: How to Prevent SQL Injections in Drupal

Mon, 04/05/2015 - 15:04

Drupal is an incredibly powerful open source CMS that allows you to create, manage, and serve content. Unfortunately, so can others if you don't properly sanitize all user input in order to prevent a malicious attack! Here are some tips on how to stop one of the most common vulnerabilities: SQL injections.

Motivation: Why CMS Security Matters

Regardless of whether your site is a simple blog or a top 50 web property, it represents an investment of time, money, and creative energy. And, just like any investment of value, it’s important to secure it in order to maintain its integrity.

Now, imagine a situation where all of your hard work can be compromised by a single, well-crafted attack. As a member of the Drupal security team, I can assure you that we’re still receiving email reports every week about websites that were hacked through the now infamous “Drupageddon”. Not only was such an attack possible, it was exploited worldwide within hours of the published disclosure. Of course, this is a particularly extreme example that happened to affect Drupal core. It’s far more common to find vulnerabilities in custom code written by individuals who did not have the time and/or expertise to address them.

That's the doom and gloom. Now let's imagine a different scenario in which you sanitize all user input so that you are protected regardless of how a user tries to interact with your website. This is exactly what we are about to go over for one of the most common forms of attack: a SQL injection.

What is a SQL Injection?

A SQL Injection is similar to “riders” in the US Federal government. A “rider” is a somewhat frustrating legislative procedure where an unrelated provision is attached to another piece of legislation. This tactic is often used to sneak in something unpopular or controversial onto an otherwise legitimate piece of legislation.

Similarly, a SQL injection is where a legitimate operation (e.g. insert a piece of content) has a malicious instruction added to it (e.g. create a new user and give it root access).

Here is a basic example that could theoretically come from a form submission:

$user_input = "JohnDoe";
$sql = "SELECT * FROM {users} WHERE username = " . $user_input;
// Resulting query: SELECT * FROM {users} WHERE username = JohnDoe

Now most users submitting the form would cause no harm. However, it doesn’t take much for a knowledgeable individual to create a malicious payload.

$user_input = "JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
$sql = "SELECT * FROM {users} WHERE username = " . $user_input;
// Resulting query: SELECT * FROM {users} WHERE username = JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1

Notice that the attacker can run essentially any command by following this pattern: whatever is placed after the semicolon is executed as a separate statement. And because a CMS like Drupal relies heavily on the database, an attacker is then able to change just about anything (content, users, configuration, etc.).

Sanitizing Data

The key principle in preventing SQL injection attacks is to never trust user input. Instead, all user input should be sanitized such that no additional or unintended database changes can be introduced.

With Drupal, there are a few ways to achieve this:

  • Manually Sanitize
  • Drupal’s Database Abstraction Layer (db_query())
  • Drupal Query Builder (DBTNG)

Let’s review each.

Manually Sanitize

Even though this is the first approach we discuss, it is not a recommended one. In this scenario you are either going around Drupal's database abstraction layer, or you are creating queries as strings of text and performing your own sanitization to remove riders (i.e. additional commands appended to the end of a legitimate command) as well as changes in logic (i.e. alterations to the existing query's logic to make it pass or fail).

The challenge here is you’re essentially replicating what Drupal provides out of the box with its database abstraction layer. Worse, if you haven’t thought through all the possible attack vectors, you may miss something important.

Bottom line, proceed at your own risk if you decide to go it alone.

Drupal Database Abstraction Layer

Here we use placeholders that properly escape portions of the user input that could add an additional payload/rider or change its intended logic. Returning to our previous example:

$user_input = "JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
$result = db_query("SELECT * FROM {users} WHERE username = :name", array(":name" => $user_input));
// Resulting query: SELECT * FROM {users} WHERE username = 'JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1'

You'll notice a major difference in that last line. The user input no longer appends a new query to the end of the existing one. Instead, Drupal ensures the entirety of the user input is used where it is supposed to be used (i.e. as a comparison to find a record in the users table). And since no username matches this arbitrary SQL text, the query returns no rows. More importantly, it does nothing more than what it was designed to do.

It’s also important to note that it is still possible to introduce vulnerabilities when using commands from the database abstraction layer. If one doesn’t use placeholders, the malicious code can be easily reintroduced. For example:

$user_input = "JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
$result = db_query("SELECT * FROM {users} WHERE username = " . $user_input);
// Resulting query: SELECT * FROM {users} WHERE username = JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1

The takeaway is to always use placeholders when passing variables into a query, regardless of whether they came from user input or from the system. Not only does this keep your code consistent, it significantly reduces the risk of a SQL injection.

Drupal Query Builder (DBTNG)

One of the new features in Drupal 7 core is the introduction of DBTNG (Database The Next Generation). In this new feature, placeholders are essentially mandatory based on how they are constructed. Let’s rework the example we’ve been using:

$user_input = "JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
$query = db_select('users', 'u');
$query->fields('u');
$query->condition('name', $user_input);
$result = $query->execute();
// Resulting query: SELECT u.* FROM {users} u WHERE (name = 'JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1')

By using DBTNG we get input sanitizing out of the box (SA-CORE-2014-005 aside). And as with the database abstraction layer, this can be used to ensure a consistent, secure codebase.
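As an added example, not code from the NEWMEDIA post or from Drupal, here is the rider attack from the "What is a SQL Injection?" section and the placeholder defence from the two sections above, in Python against an in-memory SQLite database standing in for Drupal's PDO-backed database layer. It differs from the snippets above in two realistic details: the literal is quoted, so the payload has to close the quote, and the column is called name, which is what the Drupal 7 {users} table actually calls it. Python's sqlite3 refuses stacked statements, so the unsafe path deliberately emulates a driver that accepts them (as MySQL does with multi-statements enabled) through _run_stacked, a naive helper that belongs to this demonstration and to no library. The safe path binds a named placeholder exactly as db_query's :name does, which is also what DBTNG's condition() does for you by construction. The table rows and both payloads are constructed for the example.

```python
import sqlite3

# Added example; the table, its rows and the payloads are constructed for it.


def make_db():
    """A Drupal-7-style users table: the site administrator is uid 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "$S$admin-hash"), (2, "JohnDoe", "$S$john-hash")],
    )
    conn.commit()
    return conn


def _run_stacked(conn, sql):
    """Emulates a connection that accepts stacked statements (as MySQL does when
    multi-statements are enabled): runs each ';'-separated statement and returns
    the first statement's rows. Naive split, for the demonstration only."""
    rows = None
    for stmt in (s.strip() for s in sql.split(";")):
        if stmt:
            cur = conn.execute(stmt)
            if rows is None:
                rows = cur.fetchall()
    conn.commit()
    return rows


def find_user_unsafe(conn, name):
    """The post's anti-pattern: the value is spliced into the SQL text."""
    sql = "SELECT uid, name FROM users WHERE name = '" + name + "'"
    return _run_stacked(conn, sql)


def find_user_safe(conn, name):
    """db_query('... WHERE name = :name', array(':name' => $name)) in Python:
    the value travels separately from the SQL and can never become SQL."""
    return conn.execute(
        "SELECT uid, name FROM users WHERE name = :name", {"name": name}
    ).fetchall()


def admin_pass(conn):
    return conn.execute("SELECT pass FROM users WHERE uid = 1").fetchone()[0]


# A rider: closes the literal, appends a second statement, absorbs the trailing quote.
RIDER = "JohnDoe'; UPDATE users SET pass = 'qwerty' WHERE uid = 1 AND ''='"
# A logic change: no second statement, the WHERE clause simply becomes always true.
LOGIC = "nobody' OR '1'='1"


def demo():
    results = {}
    conn = make_db()
    find_user_unsafe(conn, RIDER)
    results["unsafe_rider_reset_admin_pass"] = admin_pass(conn) == "qwerty"
    results["unsafe_logic_rows"] = len(find_user_unsafe(conn, LOGIC))

    conn = make_db()
    find_user_safe(conn, RIDER)
    results["safe_rider_reset_admin_pass"] = admin_pass(conn) == "qwerty"
    results["safe_logic_rows"] = len(find_user_safe(conn, LOGIC))
    results["safe_real_user_rows"] = len(find_user_safe(conn, "JohnDoe"))
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Run it and the unsafe path resets the administrator's password through the rider and returns every user through the logic change, while the placeholder path returns no rows for either payload and only the one matching row for a real username. The second payload is why "remove anything after a semicolon" is not a fix: it contains no second statement at all.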

Detecting Trouble Spots

Reviewing an existing codebase for vulnerabilities can be a daunting task. Luckily, the coder review module can make that process a lot easier. It scans for common patterns and flags them by severity. This includes db_query() statements that attempt to insert variables directly into the query parameter instead of using placeholders.

If you don’t already use the coder review module as part of your workflow, I can’t recommend it enough. The module also scans for other vulnerabilities (e.g. XSS), coding standards, comment standards, and more. At a minimum, it will help you keep your codebase tidy. If used consistently, it will make you a better developer!
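An added example, not the Coder module and not code from the post: a small Python heuristic that performs the one check described above, flagging db_query() and db_query_range() calls whose query text is built from a variable, either by concatenation or by interpolation into a double-quoted PHP string. The PHP sample it scans is constructed for the demonstration. It handles single-line calls and understands quotes and nested parentheses only well enough for that; treat it as a starting point for a grep pass, not a replacement for Coder.

```python
import re

# Added example, not the Coder module: a heuristic check for Drupal 7 PHP code.
# The sample source it scans is constructed for the demonstration.

CALL = re.compile(r"\b(db_query|db_query_range)\s*\(")
# A single- or double-quoted PHP string literal, honouring backslash escapes.
STRING = re.compile(r'"(?:[^"\\]|\\.)*"' + r"|'(?:[^'\\]|\\.)*'")


def first_argument(text, open_paren):
    """Text of a call's first argument: from the '(' at open_paren to the first
    top-level ',' or the matching ')', skipping over quoted strings."""
    depth, quote, i = 0, None, open_paren
    while i < len(text):
        c = text[i]
        if quote:
            if c == "\\":
                i += 1                # skip the escaped character
            elif c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                break
        elif c == "," and depth == 1:
            break
        i += 1
    return text[open_paren + 1:i]


def check_argument(arg):
    """Reason the query text depends on a variable, or None if it is a fixed
    literal (placeholders such as :name contain no '$' and are left alone)."""
    literals = STRING.findall(arg)
    if any(s.startswith('"') and "$" in s for s in literals):
        return "variable interpolated into a double-quoted query string"
    if "$" in STRING.sub("", arg):
        return "query string built by concatenation with a variable"
    return None


def scan_php(source):
    """Return (line number, function, reason) for every suspicious call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL.finditer(line):
            reason = check_argument(first_argument(line, m.end() - 1))
            if reason:
                findings.append((lineno, m.group(1), reason))
    return findings


SAMPLE = r'''<?php
// Constructed sample: two unsafe calls followed by two safe ones.
$a = db_query("SELECT uid FROM {users} WHERE name = '" . $name . "'");
$b = db_query("SELECT uid FROM {users} WHERE name = '$name'");
$c = db_query("SELECT uid FROM {users} WHERE name = :name", array(':name' => $name));
$d = db_query_range("SELECT nid FROM {node} WHERE type = :t", 0, 10, array(':t' => $type));
'''

if __name__ == "__main__":
    for lineno, func, reason in scan_php(SAMPLE):
        print(f"line {lineno}: {func}(): {reason}")
```

On the sample it reports lines 3 and 4 and stays quiet on the two placeholder calls. A bare variable as the whole query, db_query($sql), is also reported, because the scanner cannot see how $sql was built; that is the right default for a review tool, since the reviewer can dismiss a finding but cannot recover one that was never raised.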

Finally, if you ever find a potential issue in a contrib module on your site, please file an issue with the Drupal security team! Or, if you need help with your Drupal site, don't hesitate to contact the newmedia team for a Drupal security audit.

Categories: Elsewhere

Drupalize.Me: Help Drupal 8 and Win!

Mon, 04/05/2015 - 15:02

We're kicking off a campaign to help the Drupal 8 Accelerate Fund. If you donate $50 or more to the community fund, you have a chance to win a free annual membership and if you donate $100, you can choose a new video for us to create.

Categories: Elsewhere
