The checkmark of "Allow PHP code to be executed [...]" currently has the following advice added to it:

This allows you to include PHP code (enclosed in php tags) for the 403 (access denied) message. Note that this can be dangerous in some situations. Make sure that you are aware of the implications.

What are the implications, anyway? Is this a warning concerning bad PHP code only or about a noteworthy security hole?

If it's a larger issue, a link pointing to a drupal.org node discussing it would come in handy. Right inside the interface. Next to the warning.

Comments

kbahey

Status: Active » Closed (fixed)

By writing your own PHP you can open up security holes in the site unintentionally.

See examples here: http://drupal.org/writing-secure-code
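
As an added illustration of the kind of hole the comment above refers to (not code from the module or from drupal.org): a PHP-enabled 403 message that echoes the requested path unescaped, beside a version that escapes it for each output context. The function names, the sample request path and the /user/login?destination= link are assumptions made for this example.

```php
<?php
// Added example: hypothetical helpers a site admin might write inside a
// PHP-enabled 403 message. Not taken from any module.

// Unsafe: the requested path is attacker-controlled and is placed into the
// HTML body and an href attribute without any escaping.
function denied_message_unsafe(string $uri): string {
  return '<p>You are not allowed to view ' . $uri . '. '
    . '<a href="/user/login?destination=' . $uri . '">Log in</a></p>';
}

// Safer: escape per output context.
//  - text node: HTML-escape
//  - query value inside an attribute: URL-encode first, then HTML-escape
function denied_message_escaped(string $uri): string {
  $flags = ENT_QUOTES | ENT_SUBSTITUTE;
  $text = htmlspecialchars($uri, $flags, 'UTF-8');
  $href = htmlspecialchars(
    '/user/login?destination=' . rawurlencode($uri), $flags, 'UTF-8'
  );
  return '<p>You are not allowed to view ' . $text . '. '
    . '<a href="' . $href . '">Log in</a></p>';
}

// Constructed sample input: a request path that carries markup.
$sample = '/admin/"><script>alert(1)</script>';

// The unsafe version reproduces the markup verbatim, so a browser would
// parse it as part of the page; the escaped version renders it as text.
echo denied_message_unsafe($sample), PHP_EOL;
echo denied_message_escaped($sample), PHP_EOL;
```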