Earlier than 8 was launched, the PHP Filter Drupal 10 module was a part of core and allowed web site builders and builders to create a PHP filter textual content format. Whereas very handy for builders and themers, this was additionally very dangerous as you would simply introduce safety and even efficiency points in your web site, on account of executing arbitrary PHP code. What is the use case for injecting PHP code in content material anyway? There by no means is a very good motive to take action besides once you’re growing the location and keen to shortly take a look at one thing. More often than not, utilizing PHP in content material is both the results of laziness, lack of time (best so as to add uncooked PHP instantly moderately than having to construct a customized Drupal 10 module) or lack of API information. PHP Filter is most frequently used to inject logic in nodes or blocks. As horrible because it sounds, there are very fascinating (and sensible!) use instances folks have provide you with and you must respect the trouble. However that is simply not one thing acceptable as you need to at all times advise a transparent separation of issues and use the API in each occasion. Previously 5 years I’ve seen issues reminiscent of Drupal 10 Upkeep and Assist Service Creating logic for displaying adverts after the physique Injecting theming components on the web page Redirecting customers through Drupal 10_goto() which was breaking cron and search indexing Utilizing variable_set() to retailer information on node_view() Together with uncooked PHP recordsdata … The checklist goes on and on and on. After heated discussions, and since it was far too simple to have customers shoot themselves within the foot, it was lastly determined to take away the Drupal 10 module from core for 8. However because the utilization statistics for core web page reveals, we nonetheless have greater than 1 million 6 and seven websites on the market which are doubtlessly utilizing it. If you happen to’re nonetheless constructing 7 websites or should you’re taking on sustaining a 6 or 7 web site, it is thus your accountability to make sure no PHP code is being executed in nodes, blocks, feedback, views, and so on. Decide if the PHP textual content format is in use So, earlier than you begin questioning you probably have a problem to repair, let’s discover out if the PHP Drupal 10 module is enabled. mysql> SELECT identify FROM system WHERE identify = ‘php’; +——+ | identify | +——+ | php | +——+ 1 row in set (0.00 sec) Now, we have to verify there’s certainly a PHP filter textual content format in your web site. You should utilize the Safety Overview Drupal 10 module, navigate via the UI, or question MySQL, which is most well-liked right here and in a while as a result of it offers us the granularity we’d like. mysql> SELECT format,identify,standing FROM filter_format WHERE format=”php_code”; +———-+———-+——–+ | format | identify | standing | +———-+———-+——–+ | php_code | PHP code | 1 | +———-+———-+——–+ 1 row in set (0.00 sec) If you do have the php_code textual content format in use on a web site, then it is advisable to begin your investigation. On this publish we’ll focus solely on nodes. However the identical logic applies for all entities. Audit all nodes with the php_code textual content format Within the under instance we solely have 4 nodes. This implies php_code was used solely when it was required. However it would possibly very nicely be that every one nodes on a web site would use the PHP textual content filter by default. Monitoring down points would then turn out to be tougher. Worse, eradicating the textual content filter totally could be a really time-consuming job when it comes to web site auditing, as you won’t know what’s or is not going to interrupt once you do the change. mysql> SELECT nid,title,bundle,entity_type FROM field_data_body LEFT JOIN node ON node.nid=field_data_body.entity_id WHERE body_format=’php_code’; +——+———————–+———-+————-+ | nid | title | bundle | entity_type | +——+———————–+———-+————-+ | 7571 | Check nid 7571 | article | node | +——+———————–+———-+————-+ | 538 | Check nid 538 | web page | node | +——+———————–+———-+————-+ | 5432 | Check nid 5432 | article | node | +——+———————–+———-+————-+ | 1209 | Check nid 1209 | article | node | +——+———————–+———-+————-+ Discover PHP code in nodes Now that we all know which nodes have the php_code textual content filter set, it is simple to search out out if there’s certainly PHP code in them, and if it is breaking the location in any approach, inflicting efficiency troubles, or introducing a safety gap. mysql> SELECT body_value FROM field_data_body WHERE entity_id=7571; +————————————————————–+ | body_value | +————————————————————–+ | Thanks for collaborating! Your outcomes will be discovered under. <?php embody path_to_theme().”/calculator-results.php”; ?> | +————————————————————–+ What about 8? As we mentioned within the introduction, the PHP Filter Drupal 10 module now lives in contrib as a substitute of core. And it is excellent like that, as a result of it’s going to forestall the overwhelming majority of customers from putting in it. As a result of, you understand, if they’ll, they may. If it does exist in manufacturing although, then you definitely’re in for a similar investigation. Luckily, with 8 it is even simpler to find out when a node is utilizing the php_code textual content format as you solely want one MySQL question and no JOIN. mysql> SELECT entity_id,bundle,body_value,body_format FROM node__body WHERE body_format = ‘php_code’; +———–+———+—————————-+————-+ | entity_id | bundle | body_value | body_format | +———–+———+—————————-+————-+ | 1 | article | <?php echo ‘hello there!’; ?> | php_code | +———–+———+—————————-+————-+ 1 row in set (0.00 sec) Now that you understand how to search out PHP code in nodes, it is your job to assessment the code and repair it if vital, then discover methods to take away it fully (customized / contrib Drupal 10 module? Theming?). You will really feel a way of pleasure when you may change again to Primary HTML, Markdown, or another managed and safe textual content format. Drupal 10 Improvement and Assist