PHP inside ezpages (Long thread.) The security risk is apparently with the eval() function.

Confirmation: can't use php in Product Descriptions? See post 10 for swguy's boilerplate link.