Is it possible to write malicious php code in the various places where php code may be entered into views?

Thanks.

Comments

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented

sure this is possible, the code is just executed with drupal_eval
so the php can do nearly everything

Flying Drupalist’s picture

Flying Drupalist CreditAttribution: Flying Drupalist commented

Thanks.

Is there any way I can deactivate the php areas then?

merlinofchaos’s picture

merlinofchaos CreditAttribution: merlinofchaos commented
Status: Active » Fixed

Only users with access to PHP for blocks will have access to PHP in a view. Remove that permission and they will not be accessible.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.