The PHP Module is Bad to the Bone

It’s pretty common advice when developing in Drupal to never use the PHP module. It opens you up to all kinds of problems, namely:

  1. Anyone who gains access to the PHP filter can wipe your database with just a few lines of code.

  2. If overused, can cause significant performance issues. All code used this way is saved directly in the database, requiring an unnecessary database call to retrive it before it can be executed.

  3. Lack of version control equates to an overall poor development workflow.

Sadly, the lure of its convenience is damn appealing compared to building a custom module. The excuse of “just this once” slowly turns into an addiction, of which I’m neck-deep in the process of cleansing from Go Overseas. Here’s an embarrassing graph from New Relic to better illustrate what I mean:


So, to recap. Don’t use the PHP module. It will slowly kill the performance of your app, turn your development workflow into a nightmare, and open your site to all kinds of fun security vulnerabilities. Invest in yourself by spending a weekend learning how to build a simple module. The first one is always the hardest, but then you’ll be hooked, so to speak :)