The ability to execute arbitrary PHP has been a popular, yet terrifying feature to include in Webform. As we progress in the 3.0 version of Webform, the time for these fields has reached an end. These fields were originally added to Webform as a compromise when I gutted the "Redirect POST to URL" feature, which basically made it so that you could submit a form to some completely different system. The thing I removed was a hack (in place since the early 4.5 days of Webform) and I replaced it with (arguably) an even worse one. The result was an endless stream of support requests for "WSOD" (white screen of death) issues or "How do I use these fields to do X?" requests. Worst of all, these fields are extremely underestimated in their danger. Through using these fields, you can delete any file uploaded to the site, drop the entire database, or (most commonly) just break your site completely and make it inoperable.

Therefore I'm removing this functionality from the 3.x branch of Webform. The new version has drastically improved APIs for handling e-mails, submissions, components, and just about everything else. These APIs are well documented and make the use of these fields completely unnecessary.

However, to not leave our users out in the cold, this functionality will still exist; just not as part of the core Webform project. It has been moved to a new home at http://drupal.org/project/webform_php, with an adequate warning on why you shouldn't use it. All previously used code is backwards-compatible, to the degree that is possible with all the changes between the 2.x and 3.x versions.

The attached patches have been committed, removing these fields from the Webform project.

Comments

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

grahambeek’s picture

Could the notes for webform 3 and the handbook pages be updated (the ones with the snippets) to make this better known? I've just updated to the latest dev code in order to use one of the latest features and found some bits of my site no longer perform as they did. It's taken a while for me to find that this has been removed.

Where is the validation/submission code that I wrote? Has it been removed, or just disabled?

I can understand the reasoning behind removing it but I think that this is going to catch a lot of people out and should be flagged up in a number of places, certainly in the notes for 3.x.

Graham

grahambeek’s picture

Category: task » support
Status: Closed (fixed) » Active

OK, I've poked about in my database backup and discovered my previous code in a table called "drupal_webform" (seems reasonable!), referenced by node id.

My code was simply to set a session variable to some search criteria entered on the webform to make it available for the next page to process. My original code was:

$_SESSION['search_keyword'] = $form_values['submitted_tree']['search_keyword'];
$_SESSION['search_within'] = $form_values['submitted_tree']['search_within'];

I already had a module (called 'bka') to do a couple of things with users, so I extended it by writing the following hook to do the same thing as my original code:

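// Implementation of hook_webform_submission_insert() in the 'bka' module.
function bka_webform_submission_insert($node, $submission) {
  // Only act on the search webform (node 144).
  if ($submission->nid == 144) {
    // Submission data is keyed by component ID: 1 = search_keyword, 2 = search_within.
    $_SESSION['search_keyword'] = $submission->data[1]["value"][0];
    $_SESSION['search_within'] = $submission->data[2]["value"][0];
  }
}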

As you can see my "variable" names from my actual webform have been replaced with magic numbers. Is there a more elegant solution?

Graham
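
An added example, not part of the thread and not Webform's own code: one way to keep the hook-based replacement for the PHP field while looking values up by form key instead of component ID. It assumes the Webform 3.x layout where `$node->webform['components'][$cid]['form_key']` names each component and `$submission->data[$cid]['value']` holds its values; the helper name `bka_webform_values_by_key` and the sample node and submission are constructed for illustration.

```php
<?php
/**
 * Hypothetical helper: return submitted values keyed by component form key.
 * Form keys are only unique per parent, so nested components that share a
 * key would overwrite each other here.
 */
function bka_webform_values_by_key($node, $submission) {
  $values = array();
  foreach ($node->webform['components'] as $cid => $component) {
    if (isset($submission->data[$cid]['value'])) {
      $values[$component['form_key']] = $submission->data[$cid]['value'];
    }
  }
  return $values;
}

// Implementation of hook_webform_submission_insert() in the 'bka' module.
function bka_webform_submission_insert($node, $submission) {
  if ($submission->nid != 144) {
    return;
  }
  $values = bka_webform_values_by_key($node, $submission);
  foreach (array('search_keyword', 'search_within') as $key) {
    // Submitted values are untrusted input: store them as plain strings
    // and escape them wherever the next page outputs or queries with them.
    $_SESSION[$key] = isset($values[$key][0]) ? (string) $values[$key][0] : '';
  }
}

// Constructed sample data standing in for the real node and submission.
$node = new stdClass();
$node->nid = 144;
$node->webform = array('components' => array(
  1 => array('cid' => 1, 'form_key' => 'search_keyword'),
  2 => array('cid' => 2, 'form_key' => 'search_within'),
));
$submission = new stdClass();
$submission->nid = 144;
$submission->data = array(
  1 => array('value' => array('firewall')),
  2 => array('value' => array('titles')),
);
$_SESSION = array();
bka_webform_submission_insert($node, $submission);
print_r($_SESSION);
```

Because this lives in a module file rather than in a database field that is evaluated at submit time, it can be reviewed and version-controlled like any other code.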

quicksketch’s picture

Category: support » task
Status: Active » Closed (fixed)

Please do not change this into a support request. I do not provide help with any custom coding in the Webform queue in any case.