Using PHP with eval() or drupal_eval()
Drupal 7 will no longer be supported after January 5, 2025.
Using eval() or drupal_eval() in your module's code creates a security risk if the PHP input provided to the function contains malicious code.
It is a best practice to add a new permission in your module just for using PHP, so that the security risk of assigning the permission to a user role is clearer. You should also add a warning to any form element where PHP input is entered.
For example, the following is how Drupal core's block module handles using PHP to control block visibility:
block.module:
// Drupal 6 hook_perm() implementation: PHP use gets its own permission.
function block_perm() {
  return array('administer blocks', 'use PHP for block visibility');
}
Drupal 7 uses a more generic permission (use PHP for settings), which should be used by any module that allows a user to enter PHP code on its settings pages.
block.admin.inc (Drupal 6):
block_admin_configure()
block.admin.inc (Drupal 7):
block_admin_configure()
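The pattern described above, applied to a Drupal 7 settings form. This is an added example, not code from Drupal core: the module name mymodule, the variable mymodule_visibility_php and the wording of the warning are hypothetical, while user_access(), module_exists(), system_settings_form() and php_eval() are the standard Drupal 7 functions.

```php
<?php
// Hypothetical Drupal 7 module "mymodule"; the variable name
// 'mymodule_visibility_php' is constructed for illustration.

/**
 * Form builder for the settings page (wired up via hook_menu(), not shown).
 */
function mymodule_settings_form($form, &$form_state) {
  $code = variable_get('mymodule_visibility_php', '');
  // Offer the PHP field only when the PHP filter module is enabled and the
  // user holds the generic Drupal 7 permission.
  $access = module_exists('php') && user_access('use PHP for settings');

  if ($access) {
    $form['mymodule_visibility_php'] = array(
      '#type' => 'textarea',
      '#title' => t('PHP code'),
      '#default_value' => $code,
      // The warning shown next to the element where PHP is entered.
      '#description' => t('Enter PHP code between %php. Note that executing incorrect PHP code can break your Drupal site.', array('%php' => '<?php ?>')),
    );
  }
  else {
    // Carry the stored value through unchanged, so a user without the
    // permission can save other settings but never sees or edits the code.
    $form['mymodule_visibility_php'] = array(
      '#type' => 'value',
      '#value' => $code,
    );
  }
  return system_settings_form($form);
}

/**
 * Evaluates the stored snippet; returns TRUE when nothing is configured.
 */
function mymodule_is_visible() {
  $code = variable_get('mymodule_visibility_php', '');
  if ($code === '') {
    return TRUE;
  }
  // php_eval() is provided by the PHP filter module. If that module has been
  // disabled, fail closed instead of evaluating the code some other way.
  if (!module_exists('php')) {
    return FALSE;
  }
  // php_eval() returns the snippet's printed output as a string.
  return (bool) php_eval($code);
}
```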