15 of Gamasutra's best articles over the last quarter - by Kris Graft Blogs - 13 October 2016 - 3:10am
Hey readers! I’m back with another quarterly roundup of Gamasutra articles over the past quarter (July-September), as I continue my heroic efforts to excavate the best recently-published work.
Categories: Game Theory & Design

Aurelien Navarre: How to find PHP code in Drupal nodes

Planet Drupal - 13 October 2016 - 2:49am

Before Drupal 8 was released, the PHP Filter module was part of Drupal core and allowed site builders and developers to create a PHP filter text format. While very convenient for developers and themers, this was also very risky as you could easily introduce security or even performance issues on your site, as a result of executing arbitrary PHP code.

What's the use case for injecting PHP code in content anyway?

There never is a truly good reason to do so, except when you're developing the site and want to quickly test something. Most of the time, using PHP in content is either the result of laziness, lack of time (it's easier to add raw PHP directly than to build a custom module) or lack of Drupal API knowledge. PHP Filter is most often used to inject logic in nodes or blocks. As horrible as it sounds, there are very interesting (and smart!) use cases people have come up with and you have to respect the effort. But this is just not acceptable, as you should always advise a clear separation of concerns and use the Drupal API in every instance.

In the past 5 years I've seen things such as:

  • Creating logic for displaying ads after the body
  • Injecting theming elements on the page
  • Redirecting users via drupal_goto() which was breaking cron and search indexing
  • Using variable_set() to store data on node_view()
  • Including raw PHP files
  • ...

The list goes on and on and on.

After heated discussions, and because it was far too easy to have users shoot themselves in the foot, it was finally decided to remove the module from core for Drupal 8. But as the usage statistics for Drupal core page shows, we still have more than 1 million Drupal 6 and 7 sites out there that are potentially using it.

If you're still building Drupal 7 sites or if you're taking over maintaining a Drupal 6 or 7 site, it's thus your responsibility to ensure no PHP code is being executed in nodes, blocks, comments, views, etc.

Determine if the PHP text format is in use

So, before you start wondering if you have an issue to fix, let's find out if the PHP module is enabled.

mysql> SELECT name, status FROM system WHERE name = 'php';
+------+--------+
| name | status |
+------+--------+
| php  |      1 |
+------+--------+
1 row in set (0.00 sec)

The system table lists every module present in the codebase, so the row alone only proves the module exists; a status of 1 is what tells you it is actually enabled.

Now, we need to confirm there is indeed a PHP filter text format on your site. You can use the Security Review module, navigate through the Drupal UI, or query MySQL, which is preferred here and later on because it gives us the granularity we need.

mysql> SELECT format,name,status FROM filter_format WHERE format='php_code';
+----------+----------+--------+
| format   | name     | status |
+----------+----------+--------+
| php_code | PHP code |      1 |
+----------+----------+--------+
1 row in set (0.00 sec)

When you do have the php_code text format in use on a site, then you need to start your investigation. In this post we'll focus only on nodes. But the same logic applies for all entities.

Audit all nodes with the php_code text format

In the below example we only have 4 nodes. This means php_code was used only when it was required. But it might very well be that all nodes on a site would use the PHP text filter by default. Tracking down issues would then become more challenging. Worse, removing the text filter entirely would be a very time-consuming task in terms of site auditing, as you might not know what is or isn't going to break when you do the change.

mysql> SELECT nid,title,bundle,entity_type FROM field_data_body LEFT JOIN node ON node.nid=field_data_body.entity_id WHERE body_format='php_code';
+------+-----------------------+----------+-------------+
| nid  | title                 | bundle   | entity_type |
+------+-----------------------+----------+-------------+
| 7571 | Test nid 7571         | article  | node        |
|  538 | Test nid 538          | page     | node        |
| 5432 | Test nid 5432         | article  | node        |
| 1209 | Test nid 1209         | article  | node        |
+------+-----------------------+----------+-------------+

Find PHP code in nodes

Now that we know which nodes have the php_code text filter set, it's easy to find out if there's indeed PHP code in them, and if it's breaking the site in any way, causing performance troubles, or introducing a security hole.

mysql> SELECT body_value FROM field_data_body WHERE entity_id=7571;
+--------------------------------------------------------------+
| body_value                                                   |
+--------------------------------------------------------------+
| Thank you for participating! Your results can be found below. <?php include path_to_theme()."/calculator-results.php"; ?> |
+--------------------------------------------------------------+

What about Drupal 8?

As we said in the introduction, the PHP Filter module now lives in contrib instead of Drupal core. And it's very good like that, because it'll prevent the vast majority of Drupal users from installing it. Because, you know, if they can, they will.

If it does exist in production though, then you're in for the same investigation. Fortunately, with Drupal 8 it's even easier to determine when a node is using the php_code text format as you only need one MySQL query and no JOIN.

mysql> SELECT entity_id,bundle,body_value,body_format FROM node__body WHERE body_format = 'php_code';
+-----------+---------+----------------------------+-------------+
| entity_id | bundle  | body_value                 | body_format |
+-----------+---------+----------------------------+-------------+
|         1 | article | <?php echo 'hi there!'; ?> | php_code    |
+-----------+---------+----------------------------+-------------+
1 row in set (0.00 sec)

Now that you know how to find PHP code in nodes, it's your job to review the code and fix it if necessary, then find ways to remove it completely (custom / contrib module? Theming?). You'll feel a sense of joy when you can switch back to Basic HTML, Markdown, or any other controlled and secure text format.
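The post only queries the current body of nodes, but it notes that the same logic applies to blocks, comments and other entities. The queries below are an added example, not from the original post, that extend the Drupal 7 audit to comments, custom blocks and old node revisions; they assume the stock Drupal 7 schema (field_data_body, field_revision_body, field_data_comment_body, comment, block_custom) and the text format name php_code used throughout the post.

```sql
-- Added example (not from the original post). Assumes stock Drupal 7 tables and
-- the 'php_code' text format; run it against a copy of the site database.

-- 1. Every current piece of text stored with the php_code format, and whether it
--    actually contains a PHP open tag. Rows with has_php_tag = 0 can be switched
--    to a safe format straight away; rows with 1 need a code review first.
--    LIKE '%<?%' is deliberately broad so short tags are caught too (it will
--    also match an XML prolog, which is a harmless false positive here).
SELECT 'node' AS source, b.entity_id AS id, n.title AS label,
       b.body_value LIKE '%<?%' AS has_php_tag
FROM   field_data_body b
       LEFT JOIN node n ON n.nid = b.entity_id AND b.entity_type = 'node'
WHERE  b.body_format = 'php_code'
UNION ALL
SELECT 'comment', c.entity_id, CONCAT('comment on nid ', cm.nid),
       c.comment_body_value LIKE '%<?%'
FROM   field_data_comment_body c
       LEFT JOIN comment cm ON cm.cid = c.entity_id
WHERE  c.comment_body_format = 'php_code'
UNION ALL
SELECT 'block', bc.bid, bc.info, bc.body LIKE '%<?%'
FROM   block_custom bc
WHERE  bc.format = 'php_code';

-- 2. Old node revisions keep their own format. A node that looks clean today
--    still executes PHP the moment an editor reverts to such a revision, so
--    list the non-current revisions that carry the php_code format as well.
SELECT r.entity_id AS nid, r.revision_id,
       r.body_value LIKE '%<?%' AS has_php_tag
FROM   field_revision_body r
       LEFT JOIN field_data_body b ON b.revision_id = r.revision_id
WHERE  r.entity_type = 'node'
  AND  r.body_format = 'php_code'
  AND  b.revision_id IS NULL;     -- NULL means it is not the current revision

-- 3. Text that contains a PHP open tag but is NOT marked php_code is not
--    executed. It is still worth a look: it usually means the format was
--    switched without cleaning the content, or that someone plans to switch
--    it back.
SELECT entity_id, bundle, body_format
FROM   field_data_body
WHERE  body_value LIKE '%<?php%'
  AND  body_format <> 'php_code';
```

For Drupal 8 the same three checks apply with node__body, node_revision__body, comment__comment_body and block_content__body in place of the tables above.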

Categories: Drupal

The video game naturelness of Capcom's Dead Rising - by Jean Auguste Blogs - 13 October 2016 - 12:18am
The protagonist of Dead Rising (2006, Capcom) is a freelance photographer and photojournalist who has covered many world events, wars, and other big stories. Looking for the next big scoop, he stumbles onto some strange events happening in a small town.
Categories: Game Theory & Design

The Math of Idle Games, Part I - by Anthony Pecorella Blogs - 12 October 2016 - 11:50pm
Let's take a look under the hood of idle and incremental games! What do the cost and production formulas look like? Can you estimate progression patterns without manually playing the game? How do you balance multiple elements to keep them interesting?
Categories: Game Theory & Design

Snippets Card Game Up On Kickstarter

Tabletop Gaming News - 12 October 2016 - 2:00pm
No, Snippets aren’t just for Wednesdays and Fridays here on TGN. I mean, sure, we had a snippets post earlier. But this post is about Snippets, a new word game that’s currently up on Kickstarter. In the game, players get a note pad and pencil so they can write out their answer. Then, a Snippet […]
Categories: Game Theory & Design

Crop Instance

New Drupal Modules - 12 October 2016 - 1:42pm

Crop Entity allows you to create a context specific crop of an image. When you crop an image from e.g. a node form, a crop entity will be created and a relation from the node to the crop will be registered. Thereby you can safely reuse images from your media library and crop them specific to the content at hand. It creates a new image in the file system that will replace the original image when rendering the referencing entity.

Categories: Drupal

Upwind RPG Up On Kickstarter

Tabletop Gaming News - 12 October 2016 - 1:00pm
Ages ago, the DownFall caused the world to shatter. Now, adrift in an endless sky, various islands of solid ground hover. Between the skylands, the Kin ply their skyships in the ever-gusting wind. They do a heavy trade in lost technology, all while keeping aware of the Children of the Dark, who inhabit skylands much […]
Categories: Game Theory & Design

Fantasy Flight Games Previews The Campaign From The Corellian Conflict

Tabletop Gaming News - 12 October 2016 - 12:00pm
When playing games of Star Wars Armada, you might imagine yourself as a leader of the Rebellion or the Empire and the battle is one of but many in the ongoing civil war rocking the galaxy. Well, soon you’ll be able to actually make the game be part of a bigger whole. In The Corellian […]
Categories: Game Theory & Design

Midweek Snippets

Tabletop Gaming News - 12 October 2016 - 11:00am
Wednesday already? This week sure seems to be moving along. That’s very much not a complaint, mind you. I’ve got board game day coming up this Saturday. We’re also going to be starting our new D&D game. So I’m very much ready for it to be Saturday. But if I want to keep up this […]
Categories: Game Theory & Design

Drupal 6 security update for Elysia Cron

Planet Drupal - 12 October 2016 - 10:18am

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Elysia Cron module to fix a Cross-Site Scripting (XSS) vulnerability.

Users who have permission to configure this module have the ability to add insufficiently sanitized JavaScript in the "Predefined rules" field. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron".

You can download the patch for Elysia Cron 6.x-2.x.

If you have a Drupal 6 site using the Elysia Cron module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on

Categories: Drupal

Crazier Eights: Camelot Card Game Up On Kickstarter

Tabletop Gaming News - 12 October 2016 - 10:00am
Many of us are on the lookout for those quick, easy-to-explain, easy-to-set-up, easy-to-put-away, games that we can just toss in our gaming backpack and bring out whenever we’ve got some extra time on our hands, be it waiting for class or the rest of a gaming group to show up or in-between rounds of a […]
Categories: Game Theory & Design

GDC 2017 debuts talks on the state of VR and the design of League of Legends

Social/Online Games - Gamasutra - 12 October 2016 - 9:04am

Now that registration is open for GDC 2017, conference organizers would like to let you know about some of the expert talks on the art and business of game design that are taking place at the big conference next year. ...

Categories: Game Theory & Design

Luminous Ages Card Game Up On Kickstarter

Tabletop Gaming News - 12 October 2016 - 9:00am
Besides polar bears and giant robots, dragons would have to be my next favorite thing. So when I see a card game that includes Dragon Gods and has you looking to become the Dragon Master, it makes me give it all a second look. And when that card game has some really awesome artwork, that […]
Categories: Game Theory & Design

Third & Grove: Third & Grove sponsors Bay Area Drupal BadCamp 2016

Planet Drupal - 12 October 2016 - 8:43am
Third & Grove sponsors Bay Area Drupal BadCamp 2016 antonella Wed, 10/12/2016 - 11:43
Categories: Drupal

The Campaign Party Card Game Up On Kickstarter

Tabletop Gaming News - 12 October 2016 - 8:00am
This year, it seems that Americans are going to have to cast their vote for someone they’re not 100% behind. No candidate is perfectly free of skeletons in their closet, but one of them will be the new ruler of the free world (Personally, I’m in favor of Pat Paulsen). Well, now you can recreate […]
Categories: Game Theory & Design

Developing Games for Web Browsers - an Overview of Two Development Frameworks - by Chris Smith Blogs - 12 October 2016 - 7:36am
A look at a couple of applications on the web that have improved through HTML5, and how it's made making browser games easier.
Categories: Game Theory & Design

UX Review: Marvel Contest Of Champions - by Om Tandon Blogs - 12 October 2016 - 7:35am
UX analysis of how Marvel Contest of Champions simplified and resurrected the classic brawler genre for mobile, applying the "supermarket" psychology of real-world stores to its digital shop, creating greater engagement and leveraging monetisation!
Categories: Game Theory & Design

How Long to Spend - by Randy OConnor Blogs - 12 October 2016 - 7:35am
To lift his spirits, Randy makes a quick game about a balloon.
Categories: Game Theory & Design

Players For Hire: Games and the Future of Low-Skill Work - by Edward Castronova Blogs - 12 October 2016 - 7:34am
Automation will put many people out of work. At the same time, the F2P model will shift into a play-for-hire model. These two trends, I argue, imply that within a generation, playing games will be a primary income source for low-skill people.
Categories: Game Theory & Design

How I found a definition of games after searching for 16 years. - by Oscar Barda Blogs - 12 October 2016 - 7:34am
Finding a definition for “games” or “play” is a very perilous exercise, but a very important one. This is why despite this topic having been a dead horse for decades, I decided to beat it once more, trying to lay a new brick on the edifice.
Categories: Game Theory & Design
