If a course editor writes a bit of PHP into a web page, what is it that stops them doing something like
mysql_query("DROP DATABASE moodle;", $db)
into their code, and breaking the whole thing?
PHP is server-side code. If your server is set up properly, then you can't execute PHP by including it in some input form in Moodle... or any other application's web browser input form for that matter. If you can, then you (or the site owner) have some big problems. Just try your example... you should see that it doesn't work.
There are ways to allow PHP to be executed through input from a web browser, but no public site would (should) ever allow that.
Steve
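
An added illustration of the answer above (not part of the original posts and not Moodle's own code): submitted text stays inert data unless the application passes it to a construct that evaluates PHP, so the useful audit is to look for those constructs. The function names and both sample strings are constructed for this example.

```php
<?php
// Added example; function names are hypothetical, not Moodle APIs.

// Constructed sample: text a course editor might type into a page editor.
$submitted = '<?php mysql_query("DROP DATABASE moodle;", $db); ?>';

// PHP parses script files, not the contents of variables, so a submitted
// string is inert data. Escaping it makes the browser show it literally.
function render_as_text(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input only becomes code if the application hands it to a construct that
// evaluates PHP. List those constructs in a source file, with line numbers.
function find_eval_sinks(string $phpSource): array
{
    $sinks = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $hits = [];
    foreach (token_get_all($phpSource) as $token) {
        if (is_array($token) && in_array($token[0], $sinks, true)) {
            $hits[] = ['construct' => strtolower($token[1]), 'line' => $token[2]];
        }
    }
    return $hits;
}

// The submitted text is echoed as escaped characters; no query is sent.
echo render_as_text($submitted), PHP_EOL;

// Constructed sample of application code to audit.
$appSource = <<<'PHP'
<?php
$body = $_POST['body'];
echo htmlspecialchars($body);   // data stays data
eval($_POST['snippet']);        // input is executed as PHP
PHP;

// Report each place where the audited code could turn input into code.
foreach (find_eval_sinks($appSource) as $hit) {
    echo "line {$hit['line']}: {$hit['construct']}", PHP_EOL;
}
```

Every reported line needs a manual check that nothing user-controlled reaches it; an include or require of a fixed path is normal, while one whose argument derives from request data is the misconfiguration the answer warns about.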