Below is the drupal custom modules,
can u please confirm it,
is it correct way of developing the custom module,
else please advise,
<?php
/**
* Implementation of hook_form_alter().
*/
function register_form_alter(&$form, $form_state, $form_id) {
switch($form_id) {
case 'user_register': // the value we stole from the rendered form
// your customizations go here
// drupal_set_message('Hey, we\'ve tapped into this form!');
$form['account']['bharani'] = array(
'#title' => 'bharani',
'#type' => 'textfield',
'#description' => t(' bharanikumar custom field '),
);
$form['#submit'][] = 'register_submit_handler'; // Add this
break;
}
}
function register_submit_handler($form, &$form_state) {
$value = $form_state['values']['bharani'];
$mail = $_POST['mail'];
$query = "UPDATE users SET language='$value' WHERE mail='$mail'";
db_query($query);
}
?>
I will not answer the “correct way of developing the custom module” part of the question, but here is a note about the way you’re doing your SQL query :
You are using this :
With this, your code is subject to SQL-injections : no matter what the users will send into
$_POST['mail'], it’ll endup in the query, un-escaped !With Drupal and
db_query(), you should, instead, use something like this :This way, Drupal will take care of the escaping, protecting you from SQL-injections.