A Quick Tip To Make Your Drupal Website More Secure: Turn Off PHP Filter in Posts

Just turn PHP Filter off. There's a reason why it's in a separate module turned off by default.

Now, why is it even there in the first place?

Drupal security: turn off PHP filter

One probable reason is that it can be useful for Drupal development. I seem to recall that in the dark times before the Views module came along, Drupal administrators and developers used various PHP snippets to run MySQL queries - for example, to show a list of the 10 nodes tagged with a specific term on a page. You can still see a bunch of those snippets in the Drupal.org handbook. However, this is not a secure practice. Even if you allow the PHP filter to be used only by trusted roles, if a malicious hacker takes over an account with that role, it becomes much easier for them to cause a lot of damage to your site: any content saved in a PHP-enabled text format runs as arbitrary code on the web server.

So, what do I do if I want to run some PHP code?

Pro Drupal Development cautiously suggests restricting the PHP filter to the Superuser (ID 1). I'll go even further: turn it off permanently, even on a development site. This way, you'll have one less thing to worry about before deployment.

Use the Devel module to quickly run PHP code. Or use theming overrides and/or create new modules, depending on what you have in mind. Whenever you can, keep PHP code where it belongs: in the code base.
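To make "PHP filter stays off" something the status report enforces rather than something you remember before deployment, here is an added example (not from the original post or from Drupal core): a hypothetical Drupal 7 module named `phpfilter_guard` whose `.install` file implements `hook_requirements()`, failing the status report whenever the core `php` module is enabled or any text format still carries the `php_code` filter. Module and function names are assumptions; `module_exists()`, `filter_formats()`, `filter_list_format()` and the `REQUIREMENT_*` constants are Drupal 7 core APIs.

```php
<?php
/**
 * @file
 * phpfilter_guard.install - hypothetical example module, not core code.
 *
 * Reports an error on admin/reports/status while the PHP filter module
 * is enabled or any text format still has the php_code filter switched on.
 */

/**
 * Implements hook_requirements().
 */
function phpfilter_guard_requirements($phase) {
  $requirements = array();
  // Only meaningful on a running site, not during install.
  if ($phase != 'runtime') {
    return $requirements;
  }
  $t = get_t();

  // Collect text formats whose php_code filter is still enabled.
  $offending = array();
  foreach (filter_formats() as $format) {
    $filters = filter_list_format($format->format);
    if (!empty($filters['php_code']) && $filters['php_code']->status) {
      $offending[] = $format->name;
    }
  }

  if (module_exists('php') || $offending) {
    $requirements['phpfilter_guard'] = array(
      'title' => $t('PHP filter'),
      'value' => $t('Enabled'),
      'severity' => REQUIREMENT_ERROR,
      'description' => $t('The PHP filter module is enabled (formats using it: @formats). Content saved in these formats runs as PHP on the server. Disable and uninstall the module, e.g. with drush: drush dis php && drush pm-uninstall php', array(
        '@formats' => $offending ? implode(', ', $offending) : $t('none'),
      )),
    );
  }
  else {
    $requirements['phpfilter_guard'] = array(
      'title' => $t('PHP filter'),
      'value' => $t('Disabled'),
      'severity' => REQUIREMENT_OK,
    );
  }
  return $requirements;
}
```

Enable the guard module on every environment so the same red line appears in the status report of a development site that the deployment checklist looks at in production.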