Drupal: developing a custom module. Is the way I am doing it correct?
Below is my Drupal custom module.
Can you please confirm whether this is the correct way of developing a custom module?
Otherwise, please advise.
<?php
/**
 * Implementation of hook_form_alter().
 */
function register_form_alter(&$form, $form_state, $form_id) {
  switch ($form_id) {
    case 'user_register':
      // Values from the rendered form; customizations go here.
      // drupal_set_message('hey, we\'ve tapped the form!');
      $form['account']['bharani'] = array(
        '#title' => 'bharani',
        '#type' => 'textfield',
        '#description' => t('bharanikumar custom field'),
      );
      // Add our own submit handler.
      $form['#submit'][] = 'register_submit_handler';
      break;
  }
}

function register_submit_handler($form, &$form_state) {
  $value = $form_state['values']['bharani'];
  $mail = $_POST['mail'];
  // The submitted values are interpolated straight into the SQL string.
  $query = "UPDATE users SET language='$value', mail='$mail'";
  db_query($query);
}
?>
I won't answer the "correct way of developing a custom module" part of the question, but here is a note on the way you're doing the SQL query.
You are using:
$value = $form_state['values']['bharani'];
$mail = $_POST['mail'];
$query = "UPDATE users SET language='$value', mail='$mail'";
db_query($query);
With this, your code is subject to SQL injections: no matter what users send in $_POST['mail'], it'll end up in the query, un-escaped!
In Drupal, with db_query(), you should instead use:
$value = $form_state['values']['bharani'];
$mail = $form_state['values']['mail'];
$query = "UPDATE users SET language='%s', mail='%s'";
db_query($query, $value, $mail);
This way, Drupal takes care of the escaping, protecting you from SQL injections.
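As an added example (not code from the question, the answer, or Drupal itself), the stand-alone PHP below models how db_query()'s %s placeholders keep a quoted value intact where direct interpolation breaks the statement. It assumes no database connection, so addslashes() stands in for the driver's escape function; the example_* function names and the sample address are constructed.

```php
<?php
// Stand-in for the escaping a %s placeholder receives (assumption: addslashes()
// replaces the driver's db_escape_string(), since there is no DB connection).
function example_escape_string($value) {
    return addslashes((string) $value);
}

/**
 * Build the final SQL the way db_query($query, $arg1, $arg2, ...) does in
 * Drupal 6: each %s is replaced by the escaped argument, each %d by an integer.
 */
function example_build_query($query, array $args) {
    $i = 0;
    return preg_replace_callback('/%(s|d)/', function ($m) use ($args, &$i) {
        $arg = $args[$i++];
        if ($m[1] === 'd') {
            return (string) (int) $arg;        // %d: coerced to an integer
        }
        return example_escape_string($arg);    // %s: escaped before insertion
    }, $query);
}

// The pattern from the question: submitted values interpolated directly.
function example_unsafe_query($value, $mail) {
    return "UPDATE users SET language='$value', mail='$mail'";
}

// The pattern from the answer: placeholders, arguments passed separately.
function example_safe_query($value, $mail) {
    return example_build_query(
        "UPDATE users SET language='%s', mail='%s'",
        array($value, $mail)
    );
}

// Constructed input: a legitimate address that happens to contain a quote.
$mail = "o'reilly@example.com";

// Direct interpolation leaves the inner quote unbalanced, so the statement
// is no longer the one the developer wrote.
echo example_unsafe_query('en', $mail), "\n";

// With placeholders the quote is escaped and the value stays a plain string.
echo example_safe_query('en', $mail), "\n";
```

Running it prints both statements so the effect of the single quote can be compared side by side.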