Re: [RFC][DISCUSSION] Script only includes

Date: Wed, 11 Feb 2015 18:41:47 +0000
Subject: Re: [RFC][DISCUSSION] Script only includes
References: 1 2 3 4
Groups: php.internals
Hi,

another one of my weird ideas: what about a script signing mode?

- ini setting containing an HMAC key
- first <?php tag in a file must then have a signature, a la
<?php:Base64encodedstring
- no parsing of files that fail the signature check
- (maybe optional) disabling of eval

Of course such an approach would need, in addition, a locally well defined
place from where updated code is distributed to production servers, which
would then need to implement the signing process. So it's only something
for sane larger shops with a good dev/production split.

best regards
  Patrick
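
The signing mode proposed in the message above, as an added sketch that is not part of the original post and not PHP engine code. It assumes HMAC-SHA256 and that the signature covers the file with the plain `<?php` tag restored; the message fixes neither, and `sign_script`, `verify_script` and the key value are hypothetical.

```php
<?php
// Added illustration of the proposed "<?php:Base64encodedstring" opening tag.
// Assumptions (not in the message): HMAC-SHA256, and the MAC is computed over
// the script exactly as it looks before the signature token is inserted.

const OPEN_TAG = '<?php';

// Distribution side: turn "<?php ..." into "<?php:BASE64MAC ...".
function sign_script(string $source, string $key): string
{
    if (!preg_match('/\A<\?php\s/', $source)) {
        throw new InvalidArgumentException('script must start with the open tag');
    }
    $mac = base64_encode(hash_hmac('sha256', $source, $key, true));
    return OPEN_TAG . ':' . $mac . substr($source, strlen(OPEN_TAG));
}

// Production side: return the verified source, or null if it must not be parsed.
function verify_script(string $signed, string $key): ?string
{
    // The token is the base64 run directly after "<?php:", ended by whitespace.
    if (!preg_match('/\A<\?php:([A-Za-z0-9+\/]+={0,2})(?=\s)/', $signed, $m)) {
        return null; // unsigned file or malformed token
    }
    $mac = base64_decode($m[1], true);
    if ($mac === false) {
        return null;
    }
    // Rebuild the exact bytes that were signed, then compare in constant time.
    $source   = OPEN_TAG . substr($signed, strlen($m[0]));
    $expected = hash_hmac('sha256', $source, $key, true);
    return hash_equals($expected, $mac) ? $source : null;
}

// Constructed demo values; the key would come from the ini setting.
$key    = 'constructed-demo-key';
$plain  = "<?php\necho 'hello';\n";
$signed = sign_script($plain, $key);

$cases = [
    'signed, untouched'          => $signed,
    'body modified after signing' => str_replace('hello', 'changed', $signed),
    'unsigned file'              => $plain,
];
foreach ($cases as $label => $file) {
    $ok = verify_script($file, $key) !== null;
    echo $label, ': ', $ok ? 'parse' : 'refuse', "\n";
}
```

Because HMAC is symmetric, any process that can read the verification key can also produce valid signatures, so the key's readability on the production server bounds what the check protects against.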

