#4666 - Support <?php for declaring PHP code

Part of me is not sure this is a good idea. It also makes it easier to copy/paste code mindlessly without looking it over and being fully aware of what you're doing. Having something that must be manually edited or typed by the member at least adds a small amount of protection to keep a little focus and thus thought as to "is this code really what I want to do?". It's easy to do something wrong in PHP via Commandr and badly mess up something on the site.

It also makes it a little harder to perform remote script execution attacks if Commandr does not recognize the PHP tag. E.g. it would be easy to take any PHP file and run it as a Commandr script if we did this.

I'm closing this on the notion of security and general UX.

If we allow PHP syntax in Commandr, this opens the door for remote script execution attacks since Commandr can run / execute "Commandr scripts". It would be easy to feed Commandr any PHP file and run it if it was coded to recognize the PHP start tag. Even if we code it to not allow .php files, any PHP file could be renamed to .bin / .bat or whatever the extension is to have Commandr run it. We could require : when running external scripts but allow <?php within Commandr itself, but this will create a UX nuance.

Sure, it's still possible to attack by making Commandr scripts starting with : (on a compromised system or by a web admin who doesn't know what they're doing), but it's much less likely an attacker would know about this / do this.

IMO, it's more trouble than beneficial.
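The gate described in the comments above, written out as an added example (this is not Commandr's or Composr's own code; the function and class names are hypothetical): raw `<?php` open tags are rejected on content, not on file extension, so renaming a `.php` file to `.bin` changes nothing, while PHP lines that the author has explicitly prefixed with `:` are still accepted.

```php
<?php
// Added example, not Commandr's own code. Names are hypothetical.
// Policy from the thread: a raw PHP open tag is never accepted as a Commandr
// script, whatever the extension; PHP is only run from lines the author has
// explicitly typed with a leading ':'.

declare(strict_types=1);

final class ScriptGateResult
{
    public function __construct(
        public bool $allowed,
        public string $reason,
        public array $phpLines = [],
    ) {}
}

function gate_commandr_script(string $filename, string $contents): ScriptGateResult
{
    // The extension is reported for the log line only; it is never trusted.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));

    // Reject any PHP open tag (including the '<?=' echo tag), case-insensitively,
    // so an arbitrary PHP file cannot be fed in as a "Commandr script".
    if (preg_match('/<\?(php\b|=)/i', $contents) === 1) {
        return new ScriptGateResult(
            false,
            "PHP open tag found in '$filename' (extension .$ext); refusing to run it as a Commandr script",
        );
    }

    $phpLines = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $trimmed = ltrim($line);
        if ($trimmed === '' || $trimmed[0] === '#') {
            continue; // blank line or comment
        }
        if ($trimmed[0] === ':') {
            // Explicitly author-typed PHP line: the one form the thread keeps.
            $phpLines[] = substr($trimmed, 1);
        }
        // Anything else is an ordinary Commandr command, left to the command parser.
    }

    return new ScriptGateResult(true, 'ok', $phpLines);
}

// Constructed sample scripts for demonstration.
$samples = [
    'cleanup.bin' => "# constructed script\n:echo 'hello';\nsome_command arg\n",
    'renamed.bin' => "<?php\necho 'this was a .php file renamed to .bin';\n",
    'upper.txt'   => "<?PHP echo 1; ?>",
];

foreach ($samples as $name => $body) {
    $r = gate_commandr_script($name, $body);
    printf(
        "%-12s allowed=%-3s php_lines=%d  %s\n",
        $name,
        $r->allowed ? 'yes' : 'no',
        count($r->phpLines),
        $r->reason,
    );
}
```

Running it shows `cleanup.bin` accepted with one `:` line and both `renamed.bin` and `upper.txt` refused; the check is on content, so the extension-rename bypass the comment mentions never reaches the point where a file type would be consulted.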

Good thinking, agreed.