Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.627
diff -u -r1.627 common.inc
--- includes/common.inc	6 Apr 2007 13:27:20 -0000	1.627
+++ includes/common.inc	9 Apr 2007 03:55:53 -0000
@@ -1377,6 +1377,10 @@
  *   output of the code.
  */
 function drupal_eval($code) {
+  if (!variable_get('php_input', 1)) {
+    watchdog('system', t('Attempt to call drupal_eval() failed; PHP input not permitted.'), WATCHDOG_WARNING);
+    return $code;
+  }
   ob_start();
   print eval('?>'. $code);
   $output = ob_get_contents();
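Review bot: The refusal path at `return $code;` hands the unevaluated PHP source back to the caller, so a caller that prints the result would disclose the snippet, and a caller that tests it for truth (as block visibility presumably does) would treat any non-empty snippet as TRUE. Returning an empty value instead, `return '';`, keeps the disabled state fail-closed for both uses, and the docblock above should then state what is returned when PHP input is off. Separately, `variable_get('php_input', 1)` defaults to enabled here and in modules/block/block.module, so a site that never sets the variable keeps evaluating PHP; that default deserves a comment or a shared constant. The body of drupal_eval() continues past the end of this hunk.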
Index: modules/block/block.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/block/block.module,v
retrieving revision 1.255
diff -u -r1.255 block.module
--- modules/block/block.module	6 Apr 2007 13:27:20 -0000	1.255
+++ modules/block/block.module	9 Apr 2007 04:00:37 -0000
@@ -460,9 +460,10 @@
     '#title' => t('Page specific visibility settings'),
     '#collapsible' => TRUE,
   );
+  $php_input = variable_get('php_input', 1);
   $access = user_access('use PHP for block visibility');
 
-  if ($edit['visibility'] == 2 && !$access) {
+  if ($php_input && $edit['visibility'] == 2 && !$access) {
     $form['page_vis_settings'] = array();
     $form['page_vis_settings']['visibility'] = array('#type' => 'value', '#value' => 2);
     $form['page_vis_settings']['pages'] = array('#type' => 'value', '#value' => $edit['pages']);
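Review bot: With `$php_input` prepended to this condition, the hidden-value branch that locks a PHP-visibility block for users without 'use PHP for block visibility' is skipped whenever PHP input is switched off. An existing block stored with visibility 2 then appears to fall through to the editable branch, where the stored PHP in `$edit['pages']` would be shown in the pages field and the stored mode no longer has a matching option (the next hunk in this file removes it). Keeping the block locked in that case looks safer: `if ($edit['visibility'] == 2 && (!$access || !$php_input)) {`. The else branch starts outside this hunk, so this should be confirmed against the full function.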
@@ -471,7 +472,7 @@
     $options = array(t('Show on every page except the listed pages.'), t('Show on only the listed pages.'));
     $description = t("Enter one page per line as Drupal paths. The '*' character is a wildcard. Example paths are %blog for the blog page and %blog-wildcard for every personal blog. %front is the front page.", array('%blog' => 'blog', '%blog-wildcard' => 'blog/*', '%front' => '<front>'));
 
-    if ($access) {
+    if ($php_input && $access) {
       $options[] = t('Show if the following PHP code returns <code>TRUE</code> (PHP-mode, experts only).');
       $description .= ' '. t('If the PHP-mode is chosen, enter PHP code between %php. Note that executing incorrect PHP-code can break your Drupal site.', array('%php' => '<?php ?>'));
     }
