Drupal: Insert PHP

Drupal's PHP filter lets users put raw PHP code into text fields. While this is an extremely powerful ability, it quickly leads to serious security issues: a user who can insert PHP code into your site can do practically anything they want with it. The PHP code is also stored in the database, outside of your normal development workflow, so it is not versioned, reviewed or deployed like the rest of your code. My Insert PHP module tries to fix these limitations of the PHP filter and provides a safer way to include raw PHP in your Drupal site.

The PHP filter enables users to use PHP code in text fields.

The Insert PHP module lets you insert PHP files into text fields using replacement tokens. The module uses Drupal's drupal_get_path() function to locate your script file, so the PHP files can only be shipped as part of a module or a theme. But first of all you will need to enable the Insert PHP module itself.

Find and enable the 'Insert PHP' module.

After you have enabled the module, you will need to add the Insert PHP filter to one of your text formats. In this example I create a new text format which only administrators are allowed to use. Inserting PHP files into your content still carries security risks, because the included file runs as PHP with the full privileges of the web server. So be careful who you give this right to.

Create a text format and add the 'Insert PHP' filter.

The new text format can then be used by the permitted users, e.g. in node creation forms. To insert a PHP file use [theme:THEME_NAME:FILE_PATH] or [module:MODULE_NAME:FILE_PATH], where FILE_PATH is relative to the theme's or module's directory. The file has to have the extension '.inc' to be recognized. If the filter doesn't find the PHP file, the token is left in the text unreplaced.

Create a new node and add an insert token for the example file.

In the given example I insert the example file shipped with the module into a new article node. You can test that the module works by copying the token I used in the example. The result should be the text "It works.".
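To make the token mechanism described above concrete, here is an added example of how such a filter can be implemented in a small Drupal 7 module. It is not the Insert PHP module's own code; the module name insertphp_example, all function names, the regular expression and the text format machine name php_includes are my assumptions. It resolves [module:NAME:FILE] and [theme:NAME:FILE] tokens through drupal_get_path(), accepts only '.inc' files, leaves the token untouched when the file is missing, and additionally refuses any path that resolves outside the module or theme directory (an extra hardening step, not something the page describes). The hook_install() part creates a text format that is granted only to the administrator role.

```php
<?php
/**
 * Added example, not the Insert PHP module's code: a minimal Drupal 7 filter
 * that replaces [module:NAME:path/file.inc] and [theme:NAME:path/file.inc]
 * with the output of the included file. Module name, function names and the
 * format machine name are assumptions.
 */

/**
 * Implements hook_filter_info().
 */
function insertphp_example_filter_info() {
  $filters['insertphp_example'] = array(
    'title' => t('Insert PHP files (example)'),
    'description' => t('Replaces [module:NAME:FILE] and [theme:NAME:FILE] with the output of the included .inc file.'),
    'process callback' => '_insertphp_example_process',
    // The included file may produce dynamic output, so never cache the result.
    'cache' => FALSE,
  );
  return $filters;
}

/**
 * Process callback: replace every resolvable token, keep the others as-is.
 */
function _insertphp_example_process($text, $filter, $format, $langcode, $cache, $cache_id) {
  return preg_replace_callback(
    '/\[(module|theme):([a-z0-9_]+):([^\]\s]+)\]/i',
    '_insertphp_example_replace',
    $text
  );
}

/**
 * preg_replace_callback() callback for a single token match.
 */
function _insertphp_example_replace(array $m) {
  list($token, $type, $name, $relative) = $m;
  $file = _insertphp_example_resolve(strtolower($type), $name, $relative);
  if ($file === FALSE) {
    // Unknown module/theme, wrong extension or missing file: leave the token.
    return $token;
  }
  // Capture whatever the included file prints and splice it into the text.
  ob_start();
  include $file;
  return ob_get_clean();
}

/**
 * Map a token to an absolute file path, or FALSE if it must not be included.
 */
function _insertphp_example_resolve($type, $name, $relative) {
  // Only .inc files are accepted, as with the original module.
  if (strtolower(pathinfo($relative, PATHINFO_EXTENSION)) !== 'inc') {
    return FALSE;
  }
  // drupal_get_path() returns '' for a module or theme Drupal does not know.
  $base = drupal_get_path($type, $name);
  if ($base === '') {
    return FALSE;
  }
  $base_real = realpath(DRUPAL_ROOT . '/' . $base);
  $file_real = ($base_real === FALSE) ? FALSE : realpath($base_real . '/' . $relative);
  // Added hardening: refuse paths that escape the module/theme directory,
  // e.g. "../../sites/default/settings.php".
  if ($file_real === FALSE || strpos($file_real, $base_real . DIRECTORY_SEPARATOR) !== 0) {
    return FALSE;
  }
  return is_file($file_real) ? $file_real : FALSE;
}

/**
 * Implements hook_install(): create a text format only administrators can use.
 */
function insertphp_example_install() {
  $format = (object) array(
    'format' => 'php_includes',
    'name' => 'PHP includes (administrators only)',
    'filters' => array(
      'insertphp_example' => array('status' => 1, 'weight' => 10),
    ),
  );
  filter_format_save($format);
  // Grant the format to the administrator role only; authenticated users get nothing.
  $admin_rid = variable_get('user_admin_role', 0);
  if ($admin_rid) {
    user_role_grant_permissions($admin_rid, array('use text format ' . $format->format));
  }
}
```

With this in place, an administrator can write [module:insertphp_example:examples/hello.inc] in a node body using the php_includes format; the filter includes modules/insertphp_example/examples/hello.inc and replaces the token with whatever that file prints. Because the format is granted only to the administrator role, the exposure is limited to accounts that could already install modules anyway.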

It works.

With this module you are now able to manage your custom PHP files with Git (for example) and still insert them as regular node content. This module also introduces far fewer security issues than the native PHP filter does, since the PHP lives in version-controlled files rather than in the database. Keep in mind that the included file still executes with the web server's full privileges, so restrict the text format to trusted roles.

Update

The module is currently located in a Github repository.
