Securing Drupal Node Field Values

We want to get to know you, let’s do business.

form ID: *

Name: *

How can we help?:

Phone: *

Email: *

Please describe your project: *

Page:

User IP:

The user IP address.

CAPTCHA

This question is for testing whether you are a human visitor and to prevent automated spam submissions.

                  ___                _                 
   __ _   _ __   / _ \   _ __ ___   | |__    _ __ ___  
  / _` | | '__| | (_) | | '_ ` _ \  | '_ \  | '_ ` _ \ 
 | (_| | | |     \__, | | | | | | | | |_) | | | | | | |
  \__, | |_|       /_/  |_| |_| |_| |_.__/  |_| |_| |_|
  |___/

Enter the code above: *

Enter the code depicted in ASCII art style.

5/18/11

Introduction to Node Field Values

When using Drupal input formats with HTML Filtered enabled, the text gets passed through a variaty of functions which sanazite the user input. The HTML Filter removes harmfull content such as iframes, javascript and inline CSS. Drupal by default, stores the raw value in the database so that developers have fine control on how they want to output that variable. This blog article talks about the difference between the value, safe, and view variables and best practices in saving and outputting safe node values.

Drupal Variables Explained

Let's jump right in to it! If you look at a full node within your template you will notice that all of the text fields have three variables attached to them:

$node->field_my_field_name[0]["value"];
$node->field_my_field_name[0]["safe"];
$node->field_my_field_name[0]["view"];

The differenced between the three is very simple, but critical when deciding which one to use when saving your Drupal field values.

Value: Contains the raw user input as it's typed and stored how it's going to render. Use this variable when you want to show exacly what you or a user has entered.
Safe: Contains filtered text that has run through Drupal's input format. If this is a text area, the format can be chosen. If it's a textfield, the default input format will be used. As a developer you should use this variable when redering a user contributed field.
View: This variable contains the value, formatted based on what was defined in the Dispaly Fields for that content type. Use this variable when you want to use the default view for a particular field (like files, etc).

Loading a node with the 'safe' variables

One thing we have to keep in mind is that the safe variables are only generated upon the "view" operation for the hook_nodeapi(). This means that node_invoke_nodeapi($node, 'view', $teaser, $page); needs to be called after you load the node. In other words, if you need the safe variables after calling node_load() you need to call node_build_content() which will remove the teaser delimeter and also call node_invoke_nodeapi() for the view operation.

Here is an example:

$node = node_load(12);
$node = node_build_content($node);
echo $node->field_my_field_name[0]["safe"];

Designzillas Team

We are a full service Orlando web design agency comprised of 17 digital masterminds that are passionate and experienced. Learn about our orlando web design services.

We want to get to know you, let’s do business.