' . t('Through the PHP filter, users with the proper permission may include custom PHP code within a page of the site. While this is a powerful and flexible feature if used by a trusted user with PHP experience, it is a significant and dangerous security risk in the hands of a malicious user. Even a trusted user may accidentally compromise the site by entering malformed or incorrect PHP code. Only the most trusted users should be granted permission to use the PHP filter, and all PHP code added through the PHP filter should be carefully examined before use.') . '
'; + $output .= '' . t('Drupal.org offers some example PHP snippets, or you can create your own with some PHP experience and knowledge of the Drupal system.', array('@drupal' => url('http://drupal.org'), '@php-snippets' => url('http://drupal.org/handbook/customization/php-snippets'))) . '
'; + $output .= '' . t('For more information, see the online handbook entry for PHP module.', array('@php' => 'http://drupal.org/handbook/modules/php/')) . '
'; + return $output; + } +} + +/** + * Implement hook_perm(). + */ +function php_perm() { + return array( + 'use PHP for settings' => array( + 'title' => t('Use PHP for settings'), + 'description' => t('Enter PHP in settings fields where PHP is allowed. %warning', array('%warning' => t('Warning: Give to trusted roles only; this permission has security implications.'))), + ), + ); +} + +/** + * Evaluate a string of PHP code. + * + * This is a wrapper around PHP's eval(). It uses output buffering to capture both + * returned and printed text. Unlike eval(), we require code to be surrounded by + * tags; in other words, we evaluate the code as if it were a stand-alone + * PHP file. + * + * Using this wrapper also ensures that the PHP code which is evaluated can not + * overwrite any variables in the calling code, unlike a regular eval() call. + * + * @param $code + * The code to evaluate. + * @return + * A string containing the printed output of the code, followed by the returned + * output of the code. + */ +function php_eval($code) { + global $theme_path, $theme_info, $conf; + + // Store current theme path. + $old_theme_path = $theme_path; + + // Restore theme_path to the theme, as long as php_eval() executes, + // so code evaluated will not see the caller module as the current theme. + // If theme info is not initialized get the path from theme_default. + if (!isset($theme_info)) { + $theme_path = drupal_get_path('theme', $conf['theme_default']); + } + else { + $theme_path = dirname($theme_info->filename); + } + + ob_start(); + print eval('?>' . $code); + $output = ob_get_contents(); + ob_end_clean(); + + // Recover original theme path. + $theme_path = $old_theme_path; + + return $output; +} + +/** + * Implement hook_filter_tips(). + */ +function php_filter_tips($delta, $format, $long = FALSE) { + global $base_url; + if ($delta == 0) { + switch ($long) { + case 0: + return t('You may post PHP code. You should include <?php ?> tags.'); + case 1: + $output = '' . t('Custom PHP code may be embedded in some types of site content, including posts and blocks. While embedding PHP code inside a post or block is a powerful and flexible feature when used by a trusted user with PHP experience, it is a significant and dangerous security risk when used improperly. Even a small mistake when posting PHP code may accidentally compromise your site.') . '
'; + $output .= '' . t('If you are unfamiliar with PHP, SQL, or Drupal, avoid using custom PHP code within posts. Experimenting with PHP may corrupt your database, render your site inoperable, or significantly compromise security.') . '
'; + $output .= '' . t('Notes:') . '
'; + $output .= 'register_globals is turned off. If you need to use forms, understand and use the functions in the Drupal Form API.', array('@formapi' => url('http://api.drupal.org/api/group/form_api/7'))) . 'print or return statement in your code to output content.') . 'template.php file rather than embedding it directly into a post or block.') . '' . t('A basic example: Creating a "Welcome" block that greets visitors with a simple message.') . '
'; + $output .= 'Add a custom block to your site, named "Welcome" . With its text format set to "PHP code" (or another format supporting PHP input), add the following in the Block body:
++print t(\'Welcome visitor! Thank you for visiting.\'); +') . '
To display the name of a registered user, use this instead:
+
+global $user;
+if ($user->uid) {
+ print t(\'Welcome @name! Thank you for visiting.\', array(\'@name\' => $user->name));
+}
+else {
+ print t(\'Welcome visitor! Thank you for visiting.\');
+}
+') . '' . t('Drupal.org offers some example PHP snippets, or you can create your own with some PHP experience and knowledge of the Drupal system.', array('@drupal' => url('http://drupal.org'), '@php-snippets' => url('http://drupal.org/handbook/customization/php-snippets'))) . '
'; + return $output; + } + } +} + +/** + * Implement hook_filter(). Contains a basic PHP evaluator. + * + * Executes PHP code. Use with care. + */ +function php_filter($op, $delta = 0, $format = -1, $text = '') { + switch ($op) { + case 'list': + return array(0 => t('PHP evaluator')); + case 'no cache': + // No caching for the PHP evaluator. + return $delta == 0; + case 'description': + return t('Executes a piece of PHP code. The usage of this filter should be restricted to administrators only!'); + case 'process': + return php_eval($text); + default: + return $text; + } +} + + + Index: modules/php/php.info =================================================================== RCS file: /cvs/drupal/drupal/modules/php/php.info,v retrieving revision 1.7 diff -u -p -r1.7 php.info --- modules/php/php.info 8 Jun 2009 09:23:53 -0000 1.7 +++ modules/php/php.info 10 Jun 2009 19:10:26 -0000 @@ -4,6 +4,6 @@ description = Allows embedded PHP code/s package = Core version = VERSION core = 7.x -files[] = php.module +files[] = php.inc files[] = php.install files[] = php.test