How to reduce the need to enable the PHP filter such as in Blocks, Rules or Computed Fields?


Drupal comes with various options to use custom PHP, such as in:

  • Block visibility settings.
  • Rules conditions and/or actions.
  • Computed fields.

However to be able to enter such custom PHP code (using the Drupal UI), it is required that the "PHP filter" is enabled. But that is a possible security risk.

What options are available to reduce the need for using custom PHP?



1 answer


There are various occasions where you can achieve the same result without the need for using PHP. Below are some of my favorite examples ...


To specify block visibility settings, it's possible to use PHP for it. However, in many (if not all) cases that I've seen so far where that technique was used, the Rules block visibility module turned out to be a valid alternative.

Example: How to display a block to a specific user?, as a variation to this alternative anser which uses php code in its block visibility settings.


When using the Rules module, there are situations where a Rules Condition is implemented by executing some PHP code, e.g. because no appropriate Rules Condition (without using PHP) seems to be available. However there are situations where it is just a matter of knowing that there is an alternative available, without using PHP code.

Example: How to check whether one's current User Points are negative with the Rules module?, as a variation to this alternative anser which uses php code to implement such Rules Condition.

Computed field

Think of all those cases where the Computed Field module is used (which requires the PHP filter). In quite a few (not all ... yet) of them, the Math Field module is a valid alternative which does not require the use of PHP Filter.

Example: How to use Computed_field as a product of an existing one? (funny enough using Math Field is also recommended in the alternative answer).