Last updated February 15, 2010. Created on February 15, 2010.
Edited by kiamlaluno, Dave Reid.

Using eval() or drupal_eval() in your module's code is a security risk whenever the PHP input passed to the function can contain malicious code.

It is a best practice to add a new permission in your module just for using PHP, so that the security risk of assigning that permission to a user role is clearer. You should also add a warning to any form element where PHP input is entered.

For example, the following is how Drupal core's block module handles using PHP to control block visibility:

block.module:

<?php
function block_perm() {
  return array('administer blocks', 'use PHP for block visibility');
}
?>

Drupal 7 uses a more generic permission, 'use PHP for settings', which should be used by any module that allows a user to enter PHP code in its settings pages.

block.admin.inc (Drupal 6):
block_admin_configure()

block.admin.inc (Drupal 7):
block_admin_configure()
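The following is an added example (not Drupal core code and not the block module's own implementation) showing the same pattern in a Drupal 7 module: the PHP textarea is only built for users who hold 'use PHP for settings' (a permission provided by the core PHP filter module), the form description carries the warning, the permission is re-checked in the validate handler so that a crafted POST cannot submit PHP from an account that never saw the field, and the stored code is evaluated through php_eval(). The module name examplephp, the menu path and the variable name are assumptions.

```php
<?php
/**
 * @file
 * Added example module "examplephp" (hypothetical): gating a PHP settings
 * field behind the 'use PHP for settings' permission in Drupal 7.
 */

/**
 * Implements hook_menu().
 */
function examplephp_menu() {
  $items['admin/config/development/examplephp'] = array(
    'title' => 'Example PHP settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('examplephp_settings_form'),
    'access arguments' => array('administer site configuration'),
  );
  return $items;
}

/**
 * Form builder: only users with 'use PHP for settings' ever see the textarea.
 */
function examplephp_settings_form($form, &$form_state) {
  // Assumed variable name; stores the PHP snippet entered by an administrator.
  $code = variable_get('examplephp_visibility_php', '');

  if (module_exists('php') && user_access('use PHP for settings')) {
    $form['examplephp_visibility_php'] = array(
      '#type' => 'textarea',
      '#title' => t('PHP code (experts only)'),
      '#default_value' => $code,
      // The warning the page recommends for any PHP input element.
      '#description' => t('Enter PHP code between %php. Note that executing incorrect PHP code can break your Drupal site.', array('%php' => '<?php ?>')),
    );
  }
  elseif ($code !== '') {
    // Tell a less privileged administrator that PHP is configured without
    // exposing it for editing.
    $form['examplephp_visibility_php_notice'] = array(
      '#markup' => t('PHP code is set for this option, but you do not have permission to edit it.'),
    );
  }

  return system_settings_form($form);
}

/**
 * Validation: re-check the permission on the server side. Hiding the field
 * in the builder is not enough, because a POST can name the field directly.
 */
function examplephp_settings_form_validate($form, &$form_state) {
  if (isset($form_state['values']['examplephp_visibility_php'])
      && !(module_exists('php') && user_access('use PHP for settings'))) {
    form_set_error('examplephp_visibility_php', t('You do not have permission to use PHP for settings.'));
  }
}

/**
 * Evaluates the stored code with php_eval() from the core PHP filter module,
 * which runs it in an isolated scope. Returns FALSE when nothing is stored or
 * the PHP filter module is not enabled, so the setting fails closed.
 */
function examplephp_visibility() {
  $code = variable_get('examplephp_visibility_php', '');
  if ($code === '' || !module_exists('php')) {
    return FALSE;
  }
  return (bool) php_eval($code);
}
```

The validate handler is the part that matters for security: access checks belong wherever the value is accepted, not only where the widget is rendered, and the stored code is executed only when the PHP filter module, which also owns the permission, is enabled.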
