Difference between hook_boot and hook_init Drupal

hook_boot()	hook_init()
hook_boot() will executes even on cached pages	hook_init() will not executes on cached pages
hook_boot() is called before modules or most include files are loaded into memory (1.e., This hook will called while Drupal is still in bootstrap mode).	hook_init(),is called After all modules are loaded into memory.
It happens while Drupal is still in bootstrap mode.	It happens after bootstrap mode.

6 Life Lessons To Learn From Lord Ganesha

Reasons Why We Worship Ganesha First He is denoted by His elephant head, big belly, His mount and a small mouse. Ganesha epitomises wisdom and knowledge. He is the Vighnaharta or the destroyer of all obstacles. Ganesha's elephant head is the symbol of wisdom, and His long ears signify that He hears everything that His devotees say. There are many legends and stories related to Lord Ganesha which teach us a lot of things and also the fact why Lord Ganesha is the God of wisdom. Take a look at these six amazing life lessons that we all can learn from Lord Ganesha. 

1. The Sense Of Responsibility We are sure you all are familiar with the story of Lord Shiva beheading Ganesha which resulted in the elephant head of the Lord. The story teaches us that your duty and responsibility is above everything else. Lord Ganesha readily sacrificed His head in order to fulfill the responsibility which His mother gave Him. 
2. Make Best Use Of Limited Resources Most of us often crib about having limited things in life. But the story of Ganesha and Kartikeya's race teaches us how we can make the best use of limited resources that we have. As the story goes, once Lord Ganesha and Lord Kartikeya were challenged by their parents to run three times around the world. The one who completes the task would get a miracle fruit. Kartikeya left immediately on His peacock. Ganesha was in a fix as He couldn't do the same with His mouse. So, He went three times around His parents and said that they mean the whole world to Him. Thus, Ganesha earned the miracle fruit with His presence of mind and limited resources. 
3. Be A Good Listener Ganesha's ears symbolises the role of effective communication. A good listener always has a better understanding of the situation at hand. In decision-making, listening to others helps you analyse the situation from a different perspective and hence, guides you to a better solution. 
4. Power Should Be In Control Power corrupts and absolute power corrupts absolutely. The trunk of Ganesha is always rolled up in a certain manner. This suggests that He controls the power He wields. This is a lesson for us to have control on our powers and make good use of it. 
5. The Art Of Forgiveness Once Lord Ganesha was invited to a feast and He overate. While coming back the moon mocked His bulging belly and laughed. The Lord cursed the moon to be invisible. Then moon realised its mistake and asked for forgiveness. The Lord immediately forgave the moon and proclaimed that the moon would grow thinner each day and remain invisible on one day of the month. Hence we learn the art of forgiveness from the God of wisdom. 
6. Humility & Respect For Other Beings The best example of this is the Lord's ride. The huge God rides a puny mouse. It shows that the Lord doesn't discriminate and respects even the most tiny creature. This trait is extremely important for us to imbibe. Only then we can get a respectable position in life.

Usefull Git Commands

# Revert changes to modified files.

git reset --hard

# Remove all untracked files and directories. (`-f` is `force`, `-d` is `remove directories`)

git clean -fd

How to Clear Form Content in modal, while close

$('#mymodalname').on('hidden.bs.modal', function () {
$(this)
    .find("input,textarea,select")
       .val('')
       .end()
    .find("input[type=checkbox], input[type=radio]")
       .prop("checked", "")
       .end();

})
</script>

Laravel Routes

Hello Developers,

Laravel 5 Implemented routes as sepeately, previously we have in app/Http/routes.php in Laravel 4.

In Laravel 5 maintaining separate directory.

In the newer version, Laravel 5.3, we have a folder named 'routes', where we can find the following files:

• api.php
• console.php
• web.php

For this new version, the routes for your controllers, you can put inside web.php file

Detailed Information:

There is

1. routes/web.php : routes file which works similar to routes.php file where you can have your routes and all the POST routes in web.php file will be validated for the CSRF Token similar to normal Laravel Post route.
2. routes/api.php : routes file where you can have your Application's API routes, the URL will be example.com/api/ Eg. If you have route getUsers then the API URL will be example.com/api/getUsers. The most important thing to notice is POST requests to an API url will not be validated for CSRF Token.
3. routes/console.php : routes file where you can define your Artisan commands which you can run from Laravel Artisan CLI.

Codeigniter Hooks

Hook Points

The following is a list of available hook points.

• pre_system Called very early during system execution. Only the benchmark and hooks class have been loaded at this point. No routing or other processes have happened.
• pre_controller Called immediately prior to any of your controllers being called. All base classes, routing, and security checks have been done.
• post_controller_constructor Called immediately after your controller is instantiated, but prior to any method calls happening.
• post_controller Called immediately after your controller is fully executed.
• display_override Overrides the _display() method, used to send the finalized page to the web browser at the end of system execution. This permits you to use your own display methodology. Note that you will need to reference the CI superobject with $this->CI =& get_instance() and then the finalized data will be available by calling $this->CI->output->get_output().
• cache_override Enables you to call your own method instead of the _display_cache() method in the Output Library. This permits you to use your own cache display mechanism.
• post_system Called after the final rendered page is sent to the browser, at the end of system execution after the finalized data is sent to the browser.

Git Commands

This summary is not available. Please click here to view the post.

Drupal 7 SQL cheat sheet

I'm currently developing a new Drupal 7 application (technically built as a new Drupal module), and as I'm building the application, I've made notes on database queries I've made.

The approach I'm taking is to use the following Drupal SQL query functions. As you can see from the function names, there are now different Drupal functions for each query type:

• SELECT - use db_query
• INSERT - use db_insert
• UPDATE - use db_update
• DELETE - use db_delete

Note that you can also execute some of these queries with the drupal_write_record function, but I've been having problems getting that to work, so I'm using these functions instead.

Given that background, here is my Drupal 7 SQL cheat sheet, with SQL SELECT, INSERT, UPDATE, and DELETE examples.

Drupal 7 SQL SELECT example - one row returned

Here's one way to execute a Drupal 7 SQL SELECT statement with the db_query function:

$q = "SELECT * FROM {projects} WHERE id = :id AND user_id = :uid";
$project = db_query($q, array(':id' => $id, ':uid' => $uid))
           ->fetchObject();

# returns an object with fields corresponding to the names
# of your database table, which you access like
# $project->name, $project->description, and so on.

Because I'm limiting this query by the 'id' field, I know I'm only going to get one record back. (In fact it may fail to find any records, but I'm trying to keep this simple.)

As a better example of how db_query() returns an object, here's another example:

# make sure the user owns the project id
$q = "SELECT user_id FROM {projects} WHERE id = :project_id";
$result = db_query($q, array(':project_id' => $project_id))->fetchObject();
echo 'user_id is ' . $result->user_id;

As you can see, I treat $result as an object after the query, knowing that it will have a field named user_id, because that's the name of the database table field I'm asking for in my query.

Drupal 7 SQL SELECT example - multiple rows returned

Here's how you issue a Drupal 7 SQL SELECT query with db_query and handle the results when you are expecting many rows to be returned:

$q = "SELECT * FROM {projects} WHERE uid = :uid";
$result = db_query($q, array(':uid' => $uid));
foreach ($result as $row) {
  // loop through your result set, working with $row here
}

Drupal 7 SQL INSERT with db_insert

How to execute a SQL INSERT with db_insert:

$id = db_insert('projects')
    ->fields(array(
        'user_id' => $uid,
        'project_type' => $project_type,
        'name' => $name,
        'description' => $description,
        'last_updated' => $timestamp,
        'date_created' => $timestamp
    ))
    ->execute();

With a SQL INSERT like this, the db_insert function returns the value of the SERIAL (auto_increment) field, which is very nice.

Drupal 7 SQL UPDATE with db_update

How to execute a Drupal 7 SQL UPDATE with db_update:

db_update('projects')
 ->fields(array(
         'project_count_type' => $project_count_type,
         'name' => $name,
         'description' => $description,
         'last_updated' => $timestamp,
         )
 )
 ->condition('id', $id)
 ->execute();

Drupal 7 SQL DELETE with db_delete

How to execute a Drupal 7 SQL DELETE with db_delete:

db_delete('projects')
  ->condition('id', $id)
  ->execute();

Drupal 7 SQL cheat sheet - Summary

As you have seen, you use these Drupal 7 functions for the corresponding query types:

• SELECT - use db_query
• INSERT - use db_insert
• UPDATE - use db_update
• DELETE - use db_delete

I hope these Drupal 7 SQL query examples have been helpful. I'll try to keep updating this cheat sheet as I learn more.

How to Prevent Forms from Submitting Twice when a User Reloads the Page?

A CSRF token will handle this issue for you. If you have a check on the form, the token will stop the user from submitting twice without reloading the form before, since it will be a one-time use token.

Another way to prevent people from accidentally submitting twice is to simply gray out the button with javascript once the user clicks on it. This method is not for security reasons but rather for user experience, as it will help users understand the page is loading and they won’t have to click again to end up seeing your one-time use token error.

The Update: 10 Most Critical Drupal Security Risks on Drupal 8

The 10 most critical Drupal security risks:

1. SQL Injection
2. Cross Site Scripting (XSS)
3. Authentications and sessions
4. Insecure direct object references
5. Cross Site Request Forgery (CSRF)
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport protection
10. Unvalidated redirects

1. SQL Injection

You shouldn't use data that you don't trust (as a feed, a user input, another database, etc) directly in a database query without escaping it. This has been possible in Drupal 7 using functions that are now deprecated in Drupal 8.

db_query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']);

Even though deprecated functions in Drupal 8 are available for us to use, we should be avoiding them. They are included only to allow legacy code to work more easily on Drupal 8.

Instead you should use the Drupal 8 object oriented method of building a query. In the example below, the $name variable will be sanitised, but there won’t be any user access permissions checked automatically.

$query = $connection->select('table', 't') ->fields('t', array('foo')) ->condition('t.name, $name);

If you need to include dynamic table names in your query, you should use escapeTable()

2. Cross Site Scripting (XSS)

XSS enables attackers to inject client-side scripts into web pages in order to carry out malicious actions. A large proportion of security vulnerabilities on web applications are XSS, so it makes sense to understand them and avoid them.

You should always escape the variables you send to the output if they come from a non trusted source, like the parameters of a URL. For example, this code is insecure:

print $_GET['id'];

It's also very common to see code like this, specially in custom themes:

$output .= $node->title;

The problem in the code above is that Drupal doesn't usually filter the user input when a node is saved. So the user could save malicious code in the title and then it will be printed without any kind of filtering.

One more obvious mistake is giving full HTML permissions to users who aren’t trusted, or allowing use of unsafe tags as <script>.

So, what can you do?

Luckily, the Twig templating engine that Drupal 8 uses now sanitises all variables by default. Ideally, all your HTML output should be from Twig templates.

Drupal also includes other API functions that you should use where appropriate. The Drupal 8 security documentation recommends the following functions:

• Use t() and \Drupal::translation()->formatPlural() with @ or % placeholders to construct safe, translatable strings.
• Use Html::escape() for plain text.
• Use Xss::filter() for text that should allow some HTML tags.
• Use Xss::filterAdmin() for text entered by a admin users that should allow most HTML.

• Use Drupal.t() , Drupal.formatPlural() in JavaScript.

3. Authentications and sessions

You need to deal with these issues:

• Weak password storage and account management
• Session hijacking / fixation
• Lack of session timeout / logout

Luckily, Drupal has good solutions for these built in.

• Like Drupal 7, Drupal 8 stores passwords in the database in hashed form. This means that anyone who gets access to the database does not get access to user’s passwords.
• In Drupal 8, the user’s session data is also stored in the database in hashed form. This means sessions can’t be hijacked by anyone with access to the database.

4. Insecure direct object references

It’s possible to load a node without checking that the user has access to it. For example, this will load the node a node with a certain id:

$node = \Drupal\node\Entity\Node::load($nid);

The Drupal 8 approach is to use $node->access($operation) to determine if the user has permission to perform a particular operation on the node.

When using Views, sometimes we don't make sure the user has access to nodes. One common issue is forget to add "published = Yes" to the view filters.

5. Cross Site Request Forgery (CSRF)

Below is an example of an image tag that could be added by any user who has permission to enter full HTML. When a user loads the page with this tag they will be logged out.

<img src="http://example.com/user/logout" />

It would be possible to delete content in the same way:

<img src="http://example.com/node/12/delete" />

However, in this case Drupal always asks "Are you sure you want to delete...?" when you try to delete an item to mitigate the risk of this happening.

This is an illustration of why it’s important to grant the ability to use Full HTML only to your trusted users. It’s also important that we use the Drupal API to achieve what we need wherever possible. The Form API includes input validation and security features that will mitigate the risk of a CSRF attack. For example, you should always make sure that you have a confirmation form for any critical custom operations (such as deleting content) so that nothing bad can happen if it’s linked to directly.

6. Security misconfiguration

Secure server

• Make sure that your file permissions[https://www.drupal.org/node/244924] are appropriate to prevent unauthorised file access.
• Control the maximum POST size and maximum file upload size by settings these in the php configuration on your server. Without this, attackers are able to upload large files or send large POST requests to use up system resources.
• FTP is a vintage technology and was not designed to be secure. It includes a list of vulnerabilities that are well documented HERE. Use a version control system like git or at the very least SSH / SCP to get files onto your server.
• Once you’re using SSH / SCP, consider using keys instead of passwords. This is an easier, more secure and more reliable way of signing into your server.

• Keep your operating system up to date. Common Linux distributions will have an update system that will prompt you to do this.
• Don’t have unnecessary applications running on a server. The more applications you have, the more software you’ll need to keep updated and the more likely it is that one of them will expose a security flaw.

Secure Drupal

• Is your admin password strong enough? Use a password tool such as KeePass or LastPass to generate a secure password that you don’t use on any other sites and to keep track of all your passwords.
• Double check all the "administer *" permissions and make sure they’re only assigned to trusted user roles. The "Administer text formats and filters" permission can allow a user to take control of a site.
• Use Update module and keep track of the security news. Security updates are made on Wednesdays.

7. Insecure cryptographic storage

You may find that you develop custom modules that need to store sensitive data. There’s no native way in Drupal to do two-way encryption (i.e. to encrypt data that you’ll want to decrypt again later). If your database or a backup copy of your database is accessed, then you could be exposing sensitive data.

There’s a contributed module called Encrypt which provides an API you can use to encrypt the data you need to.
 

8. Failure to restrict URL access

If your custom module implements custom routing using Drupal 8’s new routing system, make sure that access permissions to your URLs you create are set properly. In Drupal 8, routing is done with YAML configuration. For example, the following would allow anyone who can access content on your site to access the path /example/settings.

example.name: path: '/example/settings' defaults: _controller: '\Drupal\example\Controller\ExampleController::content'requirements: _permission: 'access content'

Make sure that this is what you want and if it isn’t, check out the routing documentation to see how to achieve the access settings you need.

9. Insufficient transport protection

Tools like Wireshark allow you to analyse network traffic on the network you’re connected to. Using such a tool, a person connected to the same Wifi network as you in your office or in a coffee shop can see any unencrypted data you’re sending or receiving.

Configuring your server to allow access to your Drupal site over an HTTPS connection will allow your users to visit your site securely. You’ll require an SSL certificate that allows a user’s browser to confirm that the login page is not a forgery and it encrypts the username and password when it’s sent over the network. This prevents malicious people from stealing your login details.
 

10. Unvalidated redirects

The original security blog post contained unvalidated redirects as a separate security issue. However, we consider that this is now really a combination of the issues discussed under point 5: Cross Site Request Forgery, so won’t go into this further here.

Having covered what we consider may be the common pitfalls in Drupal 8 security, it’s important to remember that Drupal is one of the most secure content management systems available and Drupal 8 is its most secure version yet. We’d recommend you keep the points mentioned here in mind as you dive into Drupal 8. If you’ve already built one or more Drupal sites you should now have a basis for a security audit when you review your code. Above all, stay safe and stay secure!

Source: http://www.cameronandwilding.com/blog/edward/update-10-most-critical-drupal-security-risks-drupal-8

Drupal Console commands

$ drupal list Drupal Console version 0.6.5 Available commands: cr Rebuild and clear all site caches. drush Run drush from console. help Displays help for a command list Lists commands self-update Update the console to latest version. cache cache:rebuild Rebuild and clear all site caches. config config:debug Show the current configuration. container container:debug Displays current services for an application. generate generate:command Generate commands for the console. generate:controller Generate & Register a controller generate:entity:config Generate a new "EntityConfig" generate:entity:content Generate a new "EntityContent" generate:form:config Generate a new "ConfigFormBase" generate:module Generate a module. generate:plugin:block Generate a plugin block generate:plugin:imageeffect Generate image effect plugin. generate:plugin:rest:resource Generate plugin rest resource generate:service Generate service migrate migrate:debug Display current migration available for the application migrate:execute Execute a migration available for application module module:debug Display current modules available for application module:download Install module or modules in the application module:install Install module or modules in the application module:uninstall Install module or modules in the application router router:debug Displays current routes for the application router:rebuild Rebuild routes for the application

Source : http://enzolutions.com/articles/2015/01/25/what-is-drupal-console-for-me/