Book Review: Cracking Drupal & Front End Drupal
I guess it is fair to say that I have been struck with Drupal fever. But I wouldn't go so far as to say I've learned the chords for the Drupal Song. I have moved over the initial hump of the learning curve and am slowly making my way down the smooth segment towards advanced-beginner. There is a lot of documentation online to get going with Drupal, but it is often hit or miss. Quite often it is outdated, mostly because of how fast Drupal moves.
It's not very often I'd say this, but these books do a great job of introducing core Drupal ideas, far better than any single tutorial I've found online.
Front End Drupal
by Emma Jane Hogbin & Konstantin Käfer
Don't let the title fool you. When I first saw 'Front End' I immediately thought: "this book will tell you why cornflower blue is best for your rotating icons". Not the case here. The book is a perfect primer on generating the template files Drupal uses to render pages. A few chapters in you are at a point where you are staring at an empty tpl.php file (pronounced tiple-fip by the locals) and it all makes perfect sense. This book is not an introduction to what a CMS is and what an 'h' tag is. It is a serious look at what makes the front end of Drupal go. The chapter on overriding forms is particularly enlightening, as it sheds light on the functionality that lives 'under the surface' of the CMS (i.e. not findable by sifting through the standard menus). Oh brother, there is a lot about Drupal you don't know until you find out you don't know it. My continuing struggle to create a nice Ajax-powered form using Drupal is a pretty solid statement to that effect. The take-away lesson I get from this is the same one that is echoed in many other Drupal resources I've seen:
Don't hack core
It might be tough going to wrap your head around the guts of Drupal (overriding the hook API is super useful as soon as you learn to do it properly), but for gosh sake don't ever load up a module.php file to modify it directly. That is Pandora's box right there.
Cracking Drupal
by Greg James Knaddison
Have you ever had the craving to pen-test Drupal? Well, not me either, but you'd think it is a good exercise, right? This book sheds some light on a variety of vulnerabilities in Drupal, and guess what? Lazy programming is responsible for about 90 percent of them. The author merges all the common Drupal exploits into a module that you can install and enumerate yourself. On a test site, of course.
The usual suspects are all there: XSS, privilege escalation, and MySQL injection. For example, there are no less than 3 functions available for checking and sanitizing text from submitted forms:
That is as thorough as it gets. The author points out some modules for automatic security testing that are well worth looking at. The Coder module will really open your eyes. If nothing else, this book is great at scaring you into keeping your site patched. P'ownd
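As an added illustration of the sanitizing point (my own example, not code from the book, the post, or Drupal itself), here is one submitted comment value rendered three ways: dropped raw into the template, escaped as plain text, and passed through an HTML tag allowlist. The names check_plain() and filter_xss() are the Drupal 6/7 helpers; the fallback bodies defined below exist only so the file runs from the php CLI without a Drupal bootstrap, and they are my simplified assumption about those helpers' behaviour, not Drupal's real implementations.

```php
<?php
// Added example, not from the book or the post. Shows why a template must
// never echo a submitted value unescaped, and what the two escaping styles
// (plain text vs. allowlisted markup) do to the same input.

if (!function_exists('check_plain')) {
  // Stand-in for Drupal's check_plain() (assumption: Drupal's version is
  // essentially this call plus a UTF-8 validity check). Every HTML-significant
  // character becomes an entity, so the browser shows the text literally.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

if (!function_exists('filter_xss')) {
  // Simplified stand-in for Drupal's filter_xss(): keep only the allowlisted
  // tags and strip every attribute from what remains, so no event handler or
  // javascript: URL survives. Drupal's real filter_xss() is far more careful
  // (it validates attributes rather than discarding them); this is only an
  // illustration, not a replacement for it.
  function filter_xss($text, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li')) {
    $allowed = '<' . implode('><', $allowed_tags) . '>';
    $stripped = strip_tags($text, $allowed);
    // Drop attributes from the surviving tags: <strong class="x"> -> <strong>
    return preg_replace('#<(/?)(\w+)[^>]*>#', '<$1$2>', $stripped);
  }
}

// Constructed sample input: a comment body as a hostile user might submit it.
$submitted = '<strong>Nice</strong> post <img src=x onerror="alert(1)">';

// Vulnerable: the raw value is concatenated straight into the markup, so the
// <img> tag and its onerror handler reach the browser intact (stored XSS).
function render_unsafe($value) {
  return '<div class="comment">' . $value . '</div>';
}

// Hardened, plain-text field: everything is rendered as literal characters,
// including the <strong> the user may have wanted.
function render_plain($value) {
  return '<div class="comment">' . check_plain($value) . '</div>';
}

// Hardened, limited markup: <strong> and <em> are kept, the <img> is removed.
function render_filtered($value) {
  return '<div class="comment">' . filter_xss($value, array('em', 'strong')) . '</div>';
}

echo "unsafe:   " . render_unsafe($submitted) . "\n";
echo "plain:    " . render_plain($submitted) . "\n";
echo "filtered: " . render_filtered($submitted) . "\n";
```

Run it with `php example.php`: only the first line still contains `onerror=`, which is exactly the line a theme file should never produce. The choice between the other two is about intent: check_plain() for values that are supposed to be text (titles, names), filter_xss() for fields where a little markup is allowed. The same principle applies on the database side, where Drupal 6's db_query() takes printf-style placeholders (for example `db_query("SELECT nid FROM {node} WHERE title = '%s'", $title)`) so the value is escaped by the database layer instead of being concatenated into the SQL string.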
