Securing Drupal Through Field Values
Introduction to Node Field Values
When using Drupal input formats with the HTML Filter enabled, the text gets run through a variety of functions which sanitize the user input. The HTML Filter removes harmful content such as iframes, JavaScript and inline CSS. Drupal, by default, stores the unfiltered value in the database so that developers have fine control over how they want to output that data. This blog article talks about the difference between the value, safe, and view variables and best practices in saving and outputting node field values.
Drupal Variables Explained
Let's jump right in to it! If you look at a full node within your template you will notice that all of the CCK fields have three variables attached to them:
1. $node->field_my_field_name[0]['value'];
2. $node->field_my_field_name[0]['safe'];
3. $node->field_my_field_name[0]['view'];
The difference between the three is very simple, but critical when deciding which one to use while saving and outputting your Drupal field values.
* Value: Contains the raw user input as it was typed and stored, not as it is going to render. Use this variable when you want to see exactly what the user (or an attacker) has submitted.
* Safe: Contains filtered text that has been run through Drupal's input format. If this is a text area, the format the author chose is applied. If it's a textfield, the default input format is applied. As a developer you need to use this variable when rendering a user contributed field.
* View: This variable contains the value, formatted based on what was defined in the Display Fields settings for that content type. Use this variable when you want to use the default view for a particular field (like files, etc).
Loading a node with the 'safe' variables
One thing we need to keep in mind is that the safe variables are only generated on the 'view' operation of hook_nodeapi(). This means that node_invoke_nodeapi($node, 'view', $teaser, $page); needs to be called after you load the node. In other words, if you need the safe variables after calling node_load() you need to call node_build_content(), which will strip the teaser delimiter and also run node_invoke_nodeapi() for the view operation.
Here is an example:
$node = node_load(12);
$node = node_build_content($node);
echo $node->field_my_field_name[0]['safe'];
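As an added example (not code from the original article), here is a small Drupal 6 helper that always returns filtered text for output: it builds the node content when the 'safe' key is missing and, failing that, runs the raw value through check_markup() with the item's own input format. The field name field_my_field_name and the function name example_safe_field_output() are assumptions.

```php
<?php
// Added example for Drupal 6 / CCK; assumes a bootstrapped Drupal 6 site where
// node_load(), node_build_content(), check_markup() and check_plain() exist,
// and a CCK text field named field_my_field_name (assumed name).

/**
 * Return the sanitized rendering of a CCK text field item.
 *
 * Prefers the 'safe' value that CCK fills in during the 'view' nodeapi
 * operation. If the node was only node_load()ed, the content is built first;
 * if 'safe' is still absent, the raw value is filtered with check_markup().
 */
function example_safe_field_output($node, $field_name, $delta = 0) {
  if (!isset($node->{$field_name}[$delta]['safe'])) {
    // node_build_content() runs hook_nodeapi('view'), which populates 'safe' and 'view'.
    $node = node_build_content($node);
  }
  $item = isset($node->{$field_name}[$delta]) ? $node->{$field_name}[$delta] : array();

  if (isset($item['safe'])) {
    return $item['safe'];
  }
  if (isset($item['value'])) {
    // Text areas store the format the author chose; textfields may not, in
    // which case the site default input format applies. $check = FALSE so the
    // stored format is used rather than re-checking the current viewer's access.
    $format = isset($item['format']) ? $item['format'] : FILTER_FORMAT_DEFAULT;
    return check_markup($item['value'], $format, FALSE);
  }
  return '';
}

// Usage from a template or custom module (node id 12 is a placeholder):
$node = node_load(12);
// The raw, unfiltered input: only ever print it escaped, e.g. on an admin page.
$raw = check_plain($node->field_my_field_name[0]['value']);
// The filtered output that is suitable for display to site visitors.
print example_safe_field_output($node, 'field_my_field_name');
```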
For more information: http://www.designzillas.com/services/cms-solutions