PHP filter overview

Last updated on
21 November 2016

The PHP filter core module has been removed from core starting with version 8.x.

The module adds the ability to include PHP code in posts. PHP is a general-purpose scripting language widely-used for web development; the content management system used by this website has been developed using PHP.

Through the PHP filter, users with the proper permission may include custom PHP code within a page of the site. While this is a powerful and flexible feature if used by a trusted user with PHP experience, it is a significant and dangerous security risk in the hands of a malicious user. Even a trusted user may accidentally compromise the site by entering malformed or incorrect PHP code. Only the most trusted users should be granted permission to use the PHP filter, and all PHP code added through the PHP filter should be carefully examined before use.

In addition to security, performance can also be negatively impacting. Enabling the PHP filter prevents output from being cached by the filter or fields caches.

Some example PHP snippets are available, or you can create your own with some PHP experience and knowledge of the Drupal system.