
Using PHP with eval() or drupal_eval()

Last updated on
September 20, 2016 - 13:35

Using eval() or drupal_eval() in your module's code introduces a security risk: whatever PHP input reaches the function is executed with the full privileges of the site, so malicious code in that input runs as well.

It is a best practice to add a new permission in your module just for using PHP, so that the security risk of assigning that permission to a user role is clear to administrators. You should also add a warning to any form element where the PHP input is entered.

For example, the following is how Drupal core's block module handles using PHP to control block visibility:

block.module:

/**
 * Implements hook_perm() (Drupal 6): a separate permission just for PHP use.
 */
function block_perm() {
  return array('administer blocks', 'use PHP for block visibility');
}

Drupal 7 uses a more generic permission (use PHP for settings) that should be used by any module that allows a user to enter PHP code in its settings pages.

block.admin.inc (Drupal 6):
block_admin_configure()

block.admin.inc (Drupal 7):
block_admin_configure()
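The following is an added example, not code from Drupal core or from this page, showing how a hypothetical Drupal 7 module named mymodule would apply the practice above: the PHP textarea is only exposed to users who hold the core php module's 'use PHP for settings' permission, the field carries a warning, and execution goes through php_eval(). The module name, variable name and menu path are assumptions.

```php
<?php
// Added example (not from Drupal core or the original page): a hypothetical
// Drupal 7 module "mymodule" that lets privileged users enter PHP in a
// settings form, guarded by the generic 'use PHP for settings' permission
// that the core php module defines.

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items['admin/config/system/mymodule'] = array(
    'title' => 'My module settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_settings_form'),
    'access arguments' => array('administer site configuration'),
  );
  return $items;
}

/**
 * Settings form: the PHP textarea only exists for users holding the PHP permission.
 */
function mymodule_settings_form($form, &$form_state) {
  // '#access' => FALSE means the field is neither rendered nor accepted on
  // submit for users without the permission, and the stored value is kept
  // intact when such a user saves the rest of the form.
  $form['mymodule_php_code'] = array(
    '#type' => 'textarea',
    '#title' => t('PHP code'),
    '#default_value' => variable_get('mymodule_php_code', ''),
    '#description' => t('Enter PHP code between %php tags. Note that executing incorrect PHP code can break your Drupal site.', array('%php' => '<?php ?>')),
    '#access' => module_exists('php') && user_access('use PHP for settings'),
  );
  return system_settings_form($form);
}

/**
 * Runs the stored snippet. php_eval() (core php module) performs the eval();
 * it does not check permissions itself, so the form above must do that.
 */
function mymodule_run_snippet() {
  if (!module_exists('php')) {
    return FALSE;
  }
  return php_eval(variable_get('mymodule_php_code', ''));
}
```

Because the php module owns the permission, disabling it removes both the permission and php_eval(), which is why the example checks module_exists('php') before either.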