ExpressionEngine and PHP security

Writing PHP code within ExpressionEngine templates isn't possible unless it is explicitly turned on. Turning it on is easy, but it is a per-template setting rather than a global one. Once enabled, you can write raw PHP in that template, which makes the possibilities for what you can do with your website almost endless.

There was, and still is, a concern that turning PHP on is a security risk. Turning PHP on by itself is nothing to be concerned about; the setting alone does not make the site insecure. What it does mean is that the PHP you write can make the site insecure: custom code can do countless things, and some of them may well open your site up. One caveat worth knowing: ExpressionEngine lets you choose whether PHP is parsed on input or on output. Parsing on output happens after the template's own tags have been rendered, so content pulled from the database is parsed as PHP too, and PHP on output should not be enabled on any template that displays member-submitted content.

The other risk is that, with PHP turned on in templates, anyone else who can write to those templates can write PHP too, and if that person turns malicious, all kinds of information can be extracted. If they can write to templates but PHP is off, the ExpressionEngine tags limit what can be done and what can be extracted. We very rarely, if ever, give our clients template access: there is far too much that can go wrong, and our clients have no wish or desire to touch potentially very complicated code and technical areas of the site. Simply disallowing that member group from viewing templates takes this small threat away.
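A quick way to see where this exposure actually exists on a given installation is to ask the database, since ExpressionEngine stores both the per-template PHP setting and the member group permissions there. The queries below are an added example, not code from the original post or from ExpressionEngine itself. They assume the standard ExpressionEngine 1.x/2.x schema (exp_templates with allow_php and php_parse_location, exp_template_groups, exp_member_groups with can_access_design and can_admin_templates), the default exp_ table prefix, and a client group with group_id 5; check all of these against your own installation before running anything.

```sql
-- 1. Every template with PHP enabled, with its group and parse stage.
--    php_parse_location: 'i' = parsed on input (before EE tags are rendered)
--                        'o' = parsed on output (after EE tags, so rendered
--                              content is parsed as PHP too; review these first)
SELECT tg.group_name,
       t.template_name,
       t.php_parse_location
FROM exp_templates t
JOIN exp_template_groups tg ON tg.group_id = t.group_id
WHERE t.allow_php = 'y'
ORDER BY (t.php_parse_location = 'o') DESC, tg.group_name, t.template_name;

-- 2. Member groups that can reach the template editor at all.
--    Anyone in one of these groups can edit the templates listed above,
--    and with PHP enabled that means running arbitrary PHP on the server.
SELECT group_id, group_title, can_access_design, can_admin_templates
FROM exp_member_groups
WHERE can_access_design = 'y';

-- 3. Closing the door for a client group (group_id 5 is an assumed value).
UPDATE exp_member_groups
SET can_access_design = 'n',
    can_admin_templates = 'n'
WHERE group_id = 5;
```

The first query lists the PHP-on-output templates first because those are the ones where content, not just the template author, can end up being executed. Super Admins (group_id 1) bypass these permission flags entirely, so the second query tells you about everyone else; keep the Super Admin group to the people who genuinely need it.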

So, as we have investigated, turning PHP on is not in itself a security risk. The risk lies in what can go wrong once PHP allows more bad things to happen, and in who is able to write that PHP.