Post installation

I have drupal 4.7.3 on a dedicated server. I edit the php.ini to

session.save_handler=user
(default is files)

because of the install instructions.

http://drupal.org/requirements

"PHP needs the following configuration directives for drupal to work:
session.save_handler: user"

this breaks phpmyadmin.

in fact, I just checked my site on opensourcehost.com, session.save_handler was set to files.

With 4.6, when you validated a form in a module you were able to change the value.

For instance, if you had a field $node->widgets, with the validation function you could also change the value, for instance from upper to lower case, and you could even set the value of $node->body and $node->teaser.

With 4.7, this doesn't seem to work. I can set an error message, but I can't seem to change the value at all. It doesn't change if there's an error and the form reloads and it doesn't change when the values are updated or inserted. Am I missing something.

What I'm wondering is this:

How do Forms API fields of '#type' => 'value' not actually get sent to the browser? My assumption is that the values were somehow stored in the session, but I haven't detected any session code in form.inc. Am I missing something? Could somebody please unveil the magic trick?

Thanks so much.
-Scott

PS. I'm just trying to get an in-depth knowledge of the Forms API and this aspect has completely stumped me.

I began trying to move the site to https. I found it quite hard. all my sites broke with a "cannot connect to database server" or "cannot connect to site (connection refused)"
even after i uninstalled openssl.

In a post this week, someone apparently did it by simply adding an "s" to http in the base url. at the same time, i've seen some very lengthy threads about https.

I am making a site. I started to secure the site. I was going to either put the log-in or the entire site under https. I'm finding it to be fairly hard. It also seems expensive, since apparently each domain name would need it's own dedicated server account, plus its own SSL certificate.

I'm wondering if I need https. The main concern is with password sniffing, but apparently that is non-trivial. users won't have many powers so it won't matter to much if their passwords are stolen. the website will have very little sensitive data, and no information related to money.

Okay, so I want to add a maxlength to a textarea, however, form api doesn't appear to have a way to do this. It only has #maxlength for textfields. I have a form for my users to enter data, my php breaks it up and sends the information into a table in my database...problem is, if a user enters too much data at once, it can completely slow down my entire site and sometimes almost make it so slow it basically crashes. I need to limit how much my users enter in at once.