[development] Remove PHP filter by default

Karoly Negyesi karoly at negyesi.net
Sun Jan 29 17:18:16 UTC 2006

> PHP snippets in key areas -- blocks, pages, and block visibility checks
> -- have allowed sites to Get Things Done With Drupal without diving in
> and writing custom modules for every niggling tweak.

No need to write a custom module with my pages and blocks module.

> It's one of the
> things that makes Drupal a lot more powerful and flexible. Until the
> arrival of views.module, it was the only way for most users to get
> customized listings of content. That's pretty basic.

With great power you can cause lots of good -- and lots of harms.

> We need to recognize that for MANY sites, this will be a crippling
> downgrade.

No way. I can write you an upgrade (and even volunteered to do so) which  
will convert all blocks & php nodes to inc.

> That's understandable. I can see the case for turning PHP Filtering into
> a separate module, leaving it disabled by default, and restricting it to
> user 1. While the .inc file solution is technically cool, it is still a
> blow to core functionality.

The problem is in restriction. Folks, understand this: as long as PHP  
filter is there, all you need is one broken contrib module and your site  
is dust. Also, I know that many shops won't even consider Drupal for this  
filter because it's too risky. If you need to say "no it's not because"  
then you have lost the argument because if you need to reason then it's  
not secure enough. (And yes, input filtering is also needed but let's  
leave something for the spring, too :) ).



More information about the development mailing list