
Drupalcon Boston: Day 3

Drupal Security - Best Practices and Process Discussion

Greg Knaddison and James Walker, both on the Drupal security team, presided over this session.

They talked about the various attack vectors that hackers utilize:
  • authentication
  • authorization
  • client-side attacks (XSS and cross-site request forgery [CSRF])
  • information disclosure

They stressed the idea of being a secure user: use a strong password, avoid unencrypted WiFi and FTP (opting for ssh/keys instead), and be really, really careful with UID 1. On the server side, using SSL for login pages (via the Secure Pages module) is desirable, if possible.

They mentioned the "single login" module that makes it so a single user can only be logged in from one IP address at a time. The httpbl module is a blacklisting module for known attackers.

They also discussed the importance of using Drupal's core APIs when writing modules, to leverage the security team's work to keep things secure. Specifically, the FormAPI handles virtually all security for forms to protect against CSRF. On the submission side, avoid accessing the $_POST variable directly, as it is unsanitized. They also discussed the t() (for "translation") function for text replacement, as well as using check_plain(), check_markup(), filter_xss(), and filter_xss_admin() when appropriate. Some other good tips (relevant for Drupal 5 and 6):

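// Avoid: prints the raw, unfiltered body.
print $node->body;
// Prefer: node_view() runs the body through the node's input format.
print node_view($node);

// Avoid: prints the raw CCK field value.
print $node->field_content_something[0]['value'];
// Prefer: let CCK format the field item for output.
print content_format('field_content_something', $node->field_content_something[0], 'default', $node);

// Avoid: user input interpolated into the SQL string.
db_query("SELECT * FROM {table} WHERE someval = '$user_input'");
// Prefer: a placeholder, so db_query() escapes the value.
db_query("SELECT * FROM {table} WHERE someval = '%s'", $user_input);

// Avoid: bypasses node access restrictions.
db_query("SELECT * FROM {node}");
// Prefer: db_rewrite_sql() applies node access; it expects the alias "n".
db_query(db_rewrite_sql("SELECT * FROM {node} n"));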

Generally speaking if you're querying the node or taxonomy tables, use db_rewrite_sql().
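
The tips above combined in one small Drupal 6 module, as an added example that is not from the session slides or from Drupal's own code. The module name titlesearch and its menu path are hypothetical.

```php
<?php
// Added illustration for Drupal 6 (titlesearch.module). The module name
// "titlesearch" and its path are hypothetical.

// hook_menu(): one page that renders the form through the Form API.
function titlesearch_menu() {
  $items['titlesearch'] = array(
    'title' => 'Title search',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('titlesearch_form'),
    'access arguments' => array('access content'),
  );
  return $items;
}

// Form builder: for logged-in users the Form API adds and validates a token.
function titlesearch_form(&$form_state) {
  $form['title'] = array(
    '#type' => 'textfield',
    '#title' => t('Exact node title'),
    '#required' => TRUE,
    '#maxlength' => 128,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Search'));
  return $form;
}

// Submit handler: read $form_state['values'], never $_POST.
function titlesearch_form_submit($form, &$form_state) {
  $title = $form_state['values']['title'];

  // '%s' lets db_query_range() escape the value; db_rewrite_sql() adds the
  // node access conditions and expects {node} to be aliased as "n".
  $sql = "SELECT n.nid, n.title FROM {node} n WHERE n.status = 1 AND n.title = '%s'";
  $result = db_query_range(db_rewrite_sql($sql), $title, 0, 10);

  $links = array();
  while ($row = db_fetch_object($result)) {
    // l() runs check_plain() on the link text, so the title is escaped.
    $links[] = l($row->title, 'node/' . $row->nid);
  }
  // t() escapes "@count" and escapes plus emphasises "%title".
  drupal_set_message(t('Found @count match(es) for %title.',
    array('@count' => count($links), '%title' => $title)));
  if ($links) {
    drupal_set_message(implode(', ', $links));
  }
}
```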

They also talked about how the security team deals with issues. Their mantra is "keep it quiet, then be loud": they try to keep an issue really quiet before the fix is published, then announce the fix in order to get it out there as quickly and widely as possible. They are also willing to work with contributed module authors on fixing security issues in their code (provided the module has a stable release, or if the dev release is really possible (think devel module)).

Keynote: Brian Aker from MySQL

Brian's talk was about scaling MySQL. He started off by talking about what kinds of things admins are worrying about. He mentioned (among others):

  • lingering sockets ("google it and make sure you're all set")
  • keep alive ("should be off")
  • studying performance ("figure out how to quantify")

The talk was geared mainly towards MySQL performance, configuration, and scaling for database admins. There wasn't a whole lot of information that developers can apply to their projects, but the information provides a great "base knowledge" of all the possibilities for MySQL performance and tuning. Additional notes from his talk:
  • The "M" in MySQL should stand for "memcache", a great way to increase scalability and performance.
  • DRBD is a cool way to do DB failover
  • Partitioning can help, but is not always the best solution.
  • MySQL 5.1 supports row-based replication and events
  • MySQL 5.1 also adds mysqlslap - a command-line tool to test against multiple database engines
  • Persistent connections are bad.

Drupal as a GIS/Mapping Platform

Jim Cramer, Brandon Bergren, and Rebecca White, maintainers of the GMap and location modules, presided over the session.

GIS is "showing stuff on a map". The current state of things in the Drupal GIS world involves both the GMap and location modules. The location module is responsible for storing addresses and geocoding. The GMap module displays the spatial data on a Google Map. The current state of GIS on Drupal is not so good, but there is a plan to move forward.

Looking at the input/storage/computational side of things first, the next major release of location will have:
  • easier theming
  • greater extensibility
  • the ability to associate locations with anything
  • full revision support
  • better performance
  • the addition of Location CCK fields
  • automatic garbage collection
  • local terminology ("state" vs. "province")
  • new table structure

The Geo module is being added as a "helper" to the location module to handle advanced features such as:
  • use of geospatial database features as available
  • optimized spatial queries and computations

When used, it will take advantage of any database-specific GIS optimizations (like this for MySQL). The location module will continue to handle basic spatial search and to store geospatial data. The Geo module will be available as early as April, 2008.

Turning to the display of the geospatial data, the future GMap module will handle:
  • integration with the new Geo module
  • additional views
  • new features as they become available in the Google Maps API

There is the beginning of a movement to utilize OpenLayers, an open-source JavaScript library for displaying and managing map data. They're looking at an initial release later this year. This will be a second option for the display of map data.

The "vision" for the future of Drupal's GIS modules is available.

Selling with Drupal: e-Commerce and Ubercart

Greg Bear and Ryan Szrama presided over the session.

Ubercart is one of the two leading e-commerce modules for Drupal (Ecommerce is the other one). Ryan pointed out the following benefits of Ubercart over osCommerce, a leading PHP-based open source e-commerce platform:
  • backed up by Drupal
  • easier theming
  • easier module integration

They're nearing version 1.0 - once this is done, they'll move on to upgrading it for Drupal 6, which will hopefully include additional features (QuickBooks and eBay integration to start). They're also looking to integrate with CiviCRM in the future.

The current version of Ubercart has a great set of features out-of-the-box, and there are plenty of modules for additional functionality. One of the more powerful features Ryan mentioned was "Cart Links" - the ability to add a product to a user's cart and send them to checkout page by clicking a single link from an email or blog post (and it even keeps track of clicks for marketing statistics!).

Sony and AOL are two of many companies using Ubercart. A working version of Ubercart is available. There are various import scripts available for moving a client's product catalog into the system (XML, CSV, osCommerce, etc.). Other features include:
  • product attributes with price adjustments, custom SKUs
  • support for physical and downloadable products
  • flexible checkout settings
  • anonymous user ordering
  • heavily integrated with Workflow-ng module
  • AJAXy shipping quotes on checkout page
  • auto-installer -
  • PayPal, PayFlowPro and other payment solutions supported
  • paid memberships
  • upselling (contributed module)
  • affiliates (contributed module)
  • coupons (contributed module)

Coming from someone who has used the ecommerce module, Ubercart blew me away and will definitely be used for my next ecommerce site.

Open Source, Open Resumes - Becoming and Finding Drupal Rockstars

Matt Westgate, co-founder of Lullabot, presided over this session.

Matt started off by talking about how traditional resumes don't cut it anymore in the open-source world. Companies are more and more often looking for open-source credibility when hiring.

He talked about how developers are generally lousy marketers - the best way to get your Drupal street cred is to get involved, any way you can. To keep yourself happy, you need to "align your passions with your ones and zeros".

Continuing, how do businesses find Drupal talent? Matt mentioned:
  • looking at drupal cvs commit messages
  • user profiles
  • Drupalcons

It is also important for businesses to foster their employees' Drupal community support by way of Drupal meetups, attending or sponsoring Drupal events, and encouraging employees to contribute back to Drupal.

Birds of a Feather: jQuery

jQuery founder John Resig talked with Drupalers about the history and future of jQuery. It was interesting to hear that since Drupal 5 was released, there have been no less than a half-dozen major releases of jQuery. The current version of jQuery is light-years ahead of the version (1.0.4) that shipped with Drupal 5 - particularly in terms of speed.

John talked about how jQuery core has gotten smaller (15kB packed) and that some of the lesser-used functionality has been moved to plugins. The big push in the jQuery world right now was the upcoming release of jQuery UI 1.5. This provides advanced UI features like date pickers, tabs, and accordions.

Submitted by michael on Wed, 03/05/2008 - 9:29pm

security slides available

The slides from the Drupal Security Session are available on my website. Thanks for helping to spread the word on security!