Signing all database PHP code

For security purposes, any PHP code that is stored in the database and can be manipulated via the user interface must be signed using a command line utility. This prevents a user who has gained administrator access from compromising the system.

Signing is done by executing the following:

php {path to resourcespace}/pages/tools/resign_all_code.php

This script cannot be run from a web browser; it must be executed via the command line directly on the server itself.

The script must be executed again after changes to any of the following properties:

  • Resource type field - "Value filter"
  • Resource type field - "On change macro"
  • Resource type field - "Autocomplete macro"
  • Resource type field - "Exiftool filter"
  • Resource type - "Config options"
  • User group - "Config options"

The signing process involves adding a comment to the top of the custom PHP code with the text "SIG" and a unique hash. For example:
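
As an added illustration (not ResourceSpace's own code or its actual signature format), the PHP sketch below shows how a signature comment of this kind can be created on the command line and checked before stored code is run. The `//SIG` line layout, the use of HMAC-SHA256, the key and all function names are assumptions.

```php
<?php
// Added illustration only. The "//SIG" layout, HMAC-SHA256 and every name
// here are assumptions, not ResourceSpace's implementation.
const SIG_PREFIX = '//SIG';

// Remove an existing signature line so code can be re-signed cleanly.
function strip_signature(string $code): string
{
    if (strncmp($code, SIG_PREFIX, strlen(SIG_PREFIX)) !== 0) {
        return $code;
    }
    $nl = strpos($code, "\n");
    return $nl === false ? '' : substr($code, $nl + 1);
}

// Prepend a signature comment computed with a key held only on the server.
function sign_snippet(string $code, string $key): string
{
    $body = strip_signature($code);
    return SIG_PREFIX . hash_hmac('sha256', $body, $key) . "\n" . $body;
}

// Accept stored code only if its first line is a valid signature of the rest.
function verify_snippet(string $stored, string $key): bool
{
    if (strncmp($stored, SIG_PREFIX, strlen(SIG_PREFIX)) !== 0) {
        return false; // unsigned code is refused
    }
    $nl = strpos($stored, "\n");
    if ($nl === false) {
        return false; // signature line with no code after it
    }
    $claimed = substr($stored, strlen(SIG_PREFIX), $nl - strlen(SIG_PREFIX));
    $body    = substr($stored, $nl + 1);
    // Constant-time comparison of expected and claimed signatures.
    return hash_equals(hash_hmac('sha256', $body, $key), $claimed);
}

// Constructed sample data: a demo key and a one-line field macro.
$key    = 'constructed-demo-key-not-a-real-secret';
$signed = sign_snippet('return strtoupper($value);', $key);
// Same record after its code was changed without re-signing.
$edited = str_replace('strtoupper', 'strtolower', $signed);

var_dump(verify_snippet($signed, $key));          // unchanged since signing
var_dump(verify_snippet($edited, $key));          // body changed, old SIG kept
var_dump(verify_snippet('return $value;', $key)); // never signed
```

Because the key is not reachable through the user interface in this sketch, code edited there cannot carry a valid signature until the signing step is repeated on the server.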