Custom module or Use Input Filter?

I need to execute just a few lines of PHP code when a user clicks a link and refreshes the page. Seems overkill to write a module to do this.
I found input formats, so I could create a page and embed some PHP into it, and voilà, I'm good to go. However, I read warnings about this in that it exposes security risks. But I am thinking I could just activate the PHP input filter for a certain content type, not all, and then it should be safe.
So should I do a custom module or use an input filter?
This is the nugget from the article cited above:
 
Also worth reiterating is the fact that the PHP Evaluator filter poses an extreme risk if it can be used by anyone but highly trusted, PHP-competent site administrators. Most sites will be better off deleting the PHP code input format and not extending use of the PHP Evaluator filter to anyone.
For now, I have enabled the "PHP code" for a content item.  I am guessing that I can limit it to administrators only.
