Using PHP with eval() or drupal_eval()

Last updated on 20 September 2016


Using eval() or drupal_eval() in your module's code is a security risk if the PHP input passed to the function contains malicious code: whatever is passed in is executed as PHP with the full privileges of the web server process.

It is a best practice to add a new permission in your module just for using PHP, so that the security risk of granting that permission to a user role is made explicit. You should also add a warning to any form element where the PHP input is entered.

For example, the following is how Drupal core's block module handles using PHP to control block visibility:

block.module:

/**
 * Implements hook_perm() (Drupal 6).
 *
 * 'use PHP for block visibility' is a separate permission so that the
 * ability to enter PHP is never granted implicitly along with
 * 'administer blocks'.
 */
function block_perm() {
  return array('administer blocks', 'use PHP for block visibility');
}

Drupal 7 uses a more generic permission (use PHP for settings) that should be used by any module that allows a user to enter PHP code on its settings pages.

block.admin.inc (Drupal 6):
block_admin_configure()

block.admin.inc (Drupal 7):
block_admin_configure()
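The following is an added example of the pattern described above in a Drupal 7 module, not code from this page or from Drupal core: the PHP textarea is gated on the core 'use PHP for settings' permission, carries a warning, is re-checked on validation, and is only evaluated when the PHP filter module (which in Drupal 7 provides php_eval(), the successor of drupal_eval()) is enabled. The module name "mymodule" and the variable name "mymodule_php_code" are assumed.

```php
<?php
// Added example (Drupal 7 style); "mymodule" and "mymodule_php_code" are assumed names.

/**
 * Settings form: the PHP textarea is shown only to users holding the core
 * 'use PHP for settings' permission, and carries an explicit warning.
 */
function mymodule_settings_form($form, &$form_state) {
  $form['mymodule_php_code'] = array(
    '#type' => 'textarea',
    '#title' => t('PHP code'),
    '#default_value' => variable_get('mymodule_php_code', ''),
    '#description' => t('Enter PHP code between @tags tags. This code is executed with the privileges of the web server; grant this permission only to fully trusted roles.', array('@tags' => '<?php ?>')),
    // Hidden entirely from users without the permission; FAPI keeps the
    // stored default value for elements the user may not access.
    '#access' => user_access('use PHP for settings'),
  );
  // mymodule_settings_form_validate() is picked up by the FAPI naming convention.
  return system_settings_form($form);
}

/**
 * Defence in depth: refuse to store changed PHP from anyone who lacks the
 * permission, independently of what the form markup allowed.
 */
function mymodule_settings_form_validate($form, &$form_state) {
  $submitted = $form_state['values']['mymodule_php_code'];
  $stored = variable_get('mymodule_php_code', '');
  if ($submitted !== $stored && !user_access('use PHP for settings')) {
    form_set_error('mymodule_php_code', t('You do not have permission to enter PHP code.'));
  }
}

/**
 * Evaluates the stored code only when the PHP filter module is enabled;
 * in Drupal 7 drupal_eval() became php_eval() in that module.
 */
function mymodule_run_code() {
  $code = variable_get('mymodule_php_code', '');
  if ($code === '' || !module_exists('php')) {
    return NULL;
  }
  return php_eval($code);
}
```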
