PHP filter - Foe but in rare unique cases Friend
I am not proud of this, but I share it in the hope of showing the vulnerabilities of the PHP filter and, in great contradiction, how useful it was in one unique case.
I have preached every chance I get about turning off the PHP filter that ships with Drupal. It is notoriously abused by newbies who don't learn to write modules and just make block after block with PHP code in it. It is this endless preaching that most likely made it difficult for me to see it as a solution to my unusual problem.
"The PHP Filter is especially dangerous, because it allows, among other things, code-driven queries to be run on your site's database. Grant this input format to users who are not only trusted but really know what they are doing with PHP and Drupal. A one-character typo could end up with horrifying consequences."
ref: http://drupal.org/documentation/modules/filter
My unusual problem is one that we have all found ourselves in at one time or another. I was asked to fix a system that I had built long ago and to which I no longer had shell access. The system had crashed hard under a Yahoo site scan that essentially became a denial-of-service attack. When the system crashed, it corrupted MySQL tables. I racked my brain on how to gain shell access and spent too much time trying. The problem was quickly fixed by doing what I tell everyone they should never do: I made a block and injected some PHP code, moved it to the front page and, abracadabra, the site was fixed!
Don't ever do this! Unless you have no choice.
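To see how exposed a site is to the risk described above, the following audit queries are an added example, not part of the original post. They assume a Drupal 7 schema on MySQL with no table prefix, where the PHP filter module registers its filter as module `php`, name `php_code`; adjust the table names for other versions or prefixed installs.

```sql
-- Added example: audit PHP filter exposure on a Drupal 7 site (assumed schema).

-- 1. Text formats in which the PHP evaluator is currently enabled.
SELECT ff.format, ff.name AS format_label
FROM filter f
JOIN filter_format ff ON ff.format = f.format
WHERE f.module = 'php'
  AND f.name   = 'php_code'
  AND f.status = 1
  AND ff.status = 1;

-- 2. Roles that are allowed to use those formats.
--    Drupal 7 names the permission 'use text format <format machine name>'.
--    User 1 bypasses permission checks and will not show up here.
SELECT r.name AS role_name, ff.format
FROM filter f
JOIN filter_format ff  ON ff.format = f.format
JOIN role_permission rp
     ON rp.permission = CONCAT('use text format ', ff.format)
JOIN role r            ON r.rid = rp.rid
WHERE f.module = 'php'
  AND f.name   = 'php_code'
  AND f.status = 1
ORDER BY r.name;

-- 3. Custom blocks whose body is stored in a PHP-evaluating format.
--    Each row is code that runs on every page where the block is shown.
SELECT bc.bid, bc.info AS block_description, bc.format
FROM block_custom bc
JOIN filter f ON f.format = bc.format
WHERE f.module = 'php'
  AND f.name   = 'php_code'
  AND f.status = 1
ORDER BY bc.bid;

-- 4. Node bodies stored in a PHP-evaluating format (default body field).
SELECT fb.entity_id AS nid, fb.bundle, fb.body_format
FROM field_data_body fb
JOIN filter f ON f.format = fb.body_format
WHERE fb.entity_type = 'node'
  AND f.module = 'php'
  AND f.name   = 'php_code'
  AND f.status = 1
ORDER BY fb.entity_id;
```

An empty result from query 1 means no active format evaluates PHP; any rows from queries 3 and 4 are content to review and migrate into a module before the filter is switched off.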


