This document consolidates all backend modules (4.1–4.7) into one structured deep dive, focused on:
- What Acquia actually tests
- How Drupal expects you to code
- Security, performance, and maintainability signals
- Real-world decision making (Drupal SME mindset)
This is not syntax memorization. This is about choosing the correct approach.
Module 4.1 – PHP & Object-Oriented Programming (Drupal Context)
What Acquia expects
- Understanding of OOP, not raw PHP scripts
- Ability to read Drupal core-style PHP
Key concepts
- Classes, objects, interfaces
- Inheritance vs composition
- Namespaces (PSR-4)
Drupal-specific usage
- Controllers, plugins, services are all classes
- Interfaces define contracts (e.g., cacheable responses)
Security signal
- Avoid global state
- Avoid static calls when DI is possible
Performance signal
- Lightweight objects
- Reuse services instead of new objects
Exam trap
- Writing procedural PHP instead of OOP
Module 4.2 – Custom Modules & Drupal APIs
What Acquia expects
- Ability to create and structure a custom module
- Understanding what belongs in a module vs theme
Core module structure
.info.yml– module metadata.module– hookssrc/– OOP code
Drupal APIs you must use
- Entity API
- Form API
- Plugin API
Security signal
- Never bypass APIs
- No direct database access unless required
Performance signal
- Avoid heavy hooks
- Use services instead of procedural logic
Exam trap
- Putting business logic in themes
Module 4.3 – Data Storage & Retrieval
What Acquia expects
- Correct choice of storage mechanism
Options
- Entities (preferred)
- Configuration API (for settings)
- Database API (last resort)
Correct order of preference
- Entity API
- Configuration API
- Database API
Security signal
- Entity API enforces access checks
- Database API prevents SQL injection
Performance signal
- Entity caching
- Avoid repeated loads
Exam trap
- Writing raw SQL for content data
Module 4.4 – Essential Drupal APIs
APIs Acquia expects you to recognize
- Entity API
- Cache API
- Queue API
- Cron API
- Logging API
When to use them
- Cache API for expensive operations
- Queue API for async tasks
- Cron for scheduled jobs
Security signal
- Logging sensitive data is bad
Performance signal
- Offload heavy tasks to queues
Exam trap
- Doing everything in a single request
Module 4.5 – Drupal Coding Standards
What Acquia expects
- Familiarity with Drupal coding style
Why it matters
- Consistency
- Code review readiness
- Community standards
Tools
- phpcs
- drupalcs
Security signal
- Standards enforce safe patterns
Performance signal
- Cleaner, predictable code
Exam trap
- Ignoring standards or PSR compliance
Module 4.6 – Performance Analysis & Optimization
What Acquia expects
- Ability to identify performance issues
Common causes
- Disabled caching
- Heavy hooks
- Excessive entity loading
Correct solutions
- Use cache metadata
- Use render caching
- Use services
Security signal
- Don’t cache personalized data incorrectly
Exam trap
- Solving performance issues with JS or theming
Module 4.7 – Security Analysis & Best Practices
What Acquia expects
- Awareness of common vulnerabilities
Common issues
- XSS
- CSRF
- SQL injection
Drupal protections
- Twig auto-escaping
- CSRF tokens
- Database API
Correct mindset
- Trust Drupal APIs
- Validate input
- Escape output
Exam trap
- Custom sanitization instead of Drupal APIs
Backend decision-making cheat sheet
| Problem | Correct Drupal choice |
|---|---|
| Store content | Entity API |
| Store settings | Config API |
| Heavy processing | Queue API |
| Reusable logic | Service |
| Page output | Controller + render array |
| Styling | Theme |