Using php_eval() is safer than eval(), but does not allow one to change variables. Some users of Views PDF will always want/need to change variables, other users won't. I know that by using eval() I'm essentially granting users with the 'administer views' permission the ability to also execute PHP. There is already a warning on the 'administer views' permission to 'Give to trusted roles only'.

Can we have php_eval() enabled by default, but give the option, on the permissions or configuration page, to switch to eval()? Naturally there should be a warning that enabling eval() will allow users with the 'administer views' permission to execute PHP—this is very dangerous! The UI option could be: 'enable FULL PHP for Views PDF'.

I realize entering PHP into the UI is frowned upon, but PHP code is currently the only way to do grid layout, and access many features of TCPDF, such as barcodes. Maybe one day UI and code enhancements will make some custom PHP unnecessary, but I think for some there will always be a need to use PHP to modify variables.

Referencing:
#1457864: PHP before and after doesn't work
#1910156: User of php_eval() instead of eval() prevent variable manipulation.
#1513490: Fatal error: Call to undefined function php_eval()
#1345182: Positioning Field Output for Columns
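The scope difference the post describes, as an added illustration that is not code from Views PDF or Drupal: a wrapper shaped like Drupal 7's php_eval() (function scope plus output buffering) runs the snippet where the caller's variables are neither visible nor writable, while a bare eval() shares the caller's scope. The wrapper name, the `$row_total` variable and the snippet are constructed for the example.

```php
<?php
// Added example, not the module's own code. It imitates the shape of
// Drupal 7's php_eval(): the snippet is evaluated inside a function, so it
// only sees that function's local scope, and its output is buffered.
function sandboxed_eval($code) {
  ob_start();
  // Same trick php_eval() uses: the leading '?>' leaves PHP mode so the
  // snippet can start with '<?php' like a normal template fragment.
  print eval('?>' . $code);
  $output = ob_get_contents();
  ob_end_clean();
  return $output;
}

// Constructed "PHP Code Before Output" snippet of the kind the post talks
// about: it tries to double a variable that belongs to the calling code.
$snippet = '<?php $row_total = isset($row_total) ? $row_total * 2 : "undefined"; '
         . 'print "inside: $row_total\n"; ?>';

$row_total = 21;

// 1. php_eval()-style: $row_total is not defined inside sandboxed_eval(),
//    so the snippet sees "undefined" and the caller's copy stays at 21.
echo sandboxed_eval($snippet);
echo "caller after sandboxed_eval(): $row_total\n";

// 2. Bare eval(): the snippet runs in this scope and rewrites $row_total,
//    which is the capability the post wants gated behind an explicit,
//    clearly warned opt-in.
eval('?>' . $snippet);
echo "caller after eval(): $row_total\n";

// Either way the snippet is arbitrary PHP executed by whoever can edit the
// view; the difference is variable scope, not a privilege boundary.
```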

Comments

jibize

I second vegansupreme, not being able to do some basic variable manipulations defeats the purpose of having "PHP Code Before Output" and "PHP Code After Output" text fields.

killua99

Status: Active » Closed (duplicate)

This is going to be solved in this issue's patch. I'm closing this one.
#1513490: Fatal error: Call to undefined function php_eval()