1) Add your information to the “Connection Properties” Pane as you normally would.

2) Click on the “Advanced” pane and check the box next to “Use socket for localhost connection.”

3) Then for the “Socket File Path” field type the following path.

/Applications/MAMP/tmp/mysql/mysql.sock

The “Advanced” Pane should now look like this:

Click “OK” and you should be all set.

I hope this helps. Please feel free to make comments.

To get Drupal 6 to do this, I am creating a custom module. One of the things I have learned about creating a custom module in Drupal 6 is the implementation of the module’s “install” file.

If you create a module named say,  my_module.module then the module’s install file name would be  my_module.install and will reside in the directory named my_module located at….

my_site/sites/all/modules/my_module

Drupal 6 Module Install File Documentation

The  .install file will be run by Drupal 6 the 1st time my_module has been enabled. The my_module.install file will then be used to run setup procedures as stipulated by your module. The most common task for the my_module.install file to perform is creating database tables and fields. There is no special syntax for the install file. It is simply a PHP file with a .install extension to properly identify it to the Drupal 6 platform.

There is special function used in the .install file called hook_schema(). Where hook would be replaced by the name of your module. For example, if  the module you create is named my_module, then you would create a PHP file and name it my_module.install. Inside that file you will create a function named  my_module_schema(). The my_module_schema() function is used to create arrays representingthe database tables you wish the module to create in the Drupal database. You can see how this works here.

Why do it this way?

Once you build the Drupal API Schema there is no more need for  separate CREATE TABLE or ALTER TABLE statements on each database. As a module developer, you only need to create a schema structure and/or use the Drupal Schema API functions, and Drupal takes care of the rest. This greatly simplifies  writing install and update functions.

This way of creating the module install files also allows for support in multiple database platforms.

According to Drupal’s Blog this also allows for “Several advanced capabilities, such as incremental database updates, a simple and consistent CRUD API, form scaffolding, simpler CCK and Views, schema and data validation, become much easier to implement in future enhancements.”

Schema Data Structure Documentation by Drupal

Here is a screen shot of the new back end.

I have also been busy learning the Drupal platform. AS I become more knowledgeable there will be posts and perhaps a special section on this blog devoted to cool new drupalistic methods and problem solving.

AS always, I invite you to leave a coment or sugestion or critisizm.

What Happens With SQL Injection

By passing an unexpected string of code into a user input, such a form, an attacker send damaging code that causes an otherwise good query to go haywire. For example:

unprotected query is vulnerable

The above snippet of code works as long as users put in the expected information. An attacker, will instead, make clever use of a few extra characters. You likely know by now that SQL requires a semi-colon at the end of each query. PHP automatically adds it in if you omit it. Because of this, the attacker, by closing the string and using the closing parenthesis to finish the query followed by a semi colon, can add an additional query to drop the table.

This is what we in the world of secure web development refer to as a ‘bad thing’!
Scary isn’t it? Attackers have used this method to not only drop tables and destroy records, but also to retrieve highly sensitive information.

How to Protect Against SQL Injection

OK, after that scary bit of information, you’ll be glad to know that protecting yourself is really not all that hard. The hard part is always remembering when and where to do it.

Protecting against SQL Injection is a simple matter of calling a PHP function that renders data safe ( or cleansed ) for use in a query. There are a few methods for cleansing user input in PHP depending on the PHP extension you are using. We will be discussing the mysql extension.The name of the function is:
mysql_real_escape_string(). Notice in this snippet how it is used:

How to protect again SQL Injection

See how easy it is?  Just take the user input (in this case a post ) and pass it through the mysql_real_escape_string() function, (as shown on line 7 ). Then use the “cleansed” variable in the query ( as shown on line 9 ).

It is so easy to protect against this, yet it is often overlooked or forgotten. SO remember to use mysql_real_escape_string() to cleanse your input to help guard against SQL Injection.

There is more to learn and be discussed so feel free to stop back or drop me any suggestions or tips to share.