Using PHP with eval() or drupal_eval()

Last updated on
20 September 2016

Using eval() or drupal_eval() in your module's code could have a security risk if the PHP input provided to the function contains malicious code.

It is a best practice to add a new permission in your module just for using PHP so it's more clear of the security risk of assigning the permission to a user role. You should also add a warning for any form elements where the PHP input is entered.

For example, the following is how Drupal core's block module handles using PHP to control block visibility:


function block_perm() {
  return array('administer blocks', 'use PHP for block visibility');

Drupal 7 uses a more generic permission (use PHP for settings) that should be used from any modules that allow a user to use PHP code in their settings pages. (Drupal 6):
block_admin_configure() (Drupal 7):