ARCHIVE: Converting 4.6.x modules to 4.6.10
Drupal 4.6.10 saw the addition of a new form field, form_token, to protect against cross-site request forgeries (CSRF). The token ensures that a form submitted to the site was actually requested from the site first.
The token is added automatically to all forms generated via the form() function.
There is a potential issue surrounding the form_token for forms that are not defined via the form() function.
Raw HTML forms
Forms that are not created via the form() function will (nearly) always fail validation. You need to manually add a form token.
<?php
// Fails validation
$output .= '<form method="post" action="'. url('comment') ."\"><div>\n";
$output .= theme('comment_controls', $threshold, $mode, $order, $comments_per_page);
$output .= form_hidden('nid', $nid);
$output .= '</div></form>';
?>
Call form_token() to insert the token right before the closing form tag.
<?php
$output .= '<form method="post" action="'. url('comment') ."\"><div>\n";
$output .= theme('comment_controls', $threshold, $mode, $order, $comments_per_page);
$output .= form_hidden('nid', $nid);
// Add a form token before the closing form tag.
$output .= '</div>' . form_token() . '</form>';
?>
If you want your module to keep functioning on earlier Drupal 4.6 versions, check whether form_token() exists with function_exists('form_token'):
<?php
$output .= '<form method="post" action="'. url('comment') ."\"><div>\n";
$output .= theme('comment_controls', $threshold, $mode, $order, $comments_per_page);
$output .= form_hidden('nid', $nid);
$output .= '</div>';
// Add a form token before the closing form tag.
if (function_exists('form_token')) {
  $output .= form_token();
}
$output .= '</form>';
?>
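To make clear what the hidden field actually buys you, here is an added illustration of the synchronizer-token pattern that form_token() implements. This is a small Python model written for this page, not Drupal's code: Drupal 4.6.10's own token derivation and check live in its PHP core and are not reproduced here, and the key, session IDs, form ID and POST arrays below are constructed values.

```python
import hashlib
import hmac

# Constructed site secret for this illustration; a real site keeps such a
# value in protected configuration and never embeds it in page output.
SITE_PRIVATE_KEY = b"constructed-private-key-for-illustration"


def make_form_token(session_id: str, form_id: str, key: bytes = SITE_PRIVATE_KEY) -> str:
    """Derive a token bound to one visitor session and one form.

    Only the server knows `key`, so a third-party page cannot compute a
    value that will pass the check, and a token issued to one session is
    useless in another.
    """
    msg = f"{session_id}:{form_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def render_hidden_token(session_id: str, form_id: str) -> str:
    """Model of what form_token() emits: a hidden field placed before </form>."""
    token = make_form_token(session_id, form_id)
    return f'<input type="hidden" name="form_token" value="{token}" />'


def check_form_token(post: dict, session_id: str, form_id: str) -> bool:
    """Server-side check run on every POST before the submission is acted on.

    Returns False when the field is absent (the raw-HTML-form failure the page
    describes) or when it was issued for a different session or form.
    """
    submitted = post.get("form_token")
    if not submitted:
        return False
    expected = make_form_token(session_id, form_id)
    # Constant-time comparison avoids leaking the expected value via timing.
    return hmac.compare_digest(submitted, expected)


def demo() -> tuple:
    """Three constructed submissions: legitimate, token missing, foreign session."""
    victim_session = "sess-constructed-0001"
    other_session = "sess-constructed-0002"
    form_id = "comment_controls"

    legit_post = {"nid": "12", "form_token": make_form_token(victim_session, form_id)}
    missing_post = {"nid": "12"}  # a raw <form> that never called form_token()
    foreign_post = {"nid": "12", "form_token": make_form_token(other_session, form_id)}

    return (
        check_form_token(legit_post, victim_session, form_id),
        check_form_token(missing_post, victim_session, form_id),
        check_form_token(foreign_post, victim_session, form_id),
    )


if __name__ == "__main__":
    print(render_hidden_token("sess-constructed-0001", "comment_controls"))
    print(demo())  # (True, False, False)
```

The token is keyed to the session ID, which is why the model can only issue and verify one for a client that already has a session; the check itself is deliberately boring, a recomputation plus a constant-time comparison, because that is all a CSRF token needs to do.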
Updating Snippets containing Forms
This post does not mention it, but the problem can also affect HTML forms contained in PHP code within a Drupal page.
In this case, the fix is a bit easier; after you upgrade to 4.6.10, you just have to add the following PHP code right before the closing form tag:
<?php echo form_token(); ?>
and then change the page's input format to PHP, and finally add manual line breaks to the page if you are changing from an input format that put them in automatically.
One thing I noticed was that the form token was not needed for an anonymous user; it was only required once the user had logged in to the site. Why is that? It seems to me that if tokens are required they should be required all the time, not some of the time.
-rich
Organizers' Collaborative -- Free Software for Activist Groups
http://organizerscollaborative.org and http://organizersdb.org