@mnaberez
Created May 27, 2012 20:57
MySQL triggers that prevent phpBB3's "Allow PHP code in templates" option from being enabled
-- Drop earlier copies of the triggers; IF EXISTS keeps the first run from failing.
DROP TRIGGER IF EXISTS phpbb_config_insert_tpl_allow_php;
DROP TRIGGER IF EXISTS phpbb_config_update_tpl_allow_php;

DELIMITER ;;

-- Force tpl_allow_php to 0 whenever that row is inserted.
CREATE TRIGGER phpbb_config_insert_tpl_allow_php BEFORE INSERT ON phpbb_config FOR EACH ROW
IF (NEW.config_name = 'tpl_allow_php') THEN
  SET NEW.config_value = 0;
  SET NEW.is_dynamic = 0;
END IF;;

-- Force tpl_allow_php to 0 whenever that row is updated.
CREATE TRIGGER phpbb_config_update_tpl_allow_php BEFORE UPDATE ON phpbb_config FOR EACH ROW
IF (NEW.config_name = 'tpl_allow_php') THEN
  SET NEW.config_value = 0;
  SET NEW.is_dynamic = 0;
END IF;;

DELIMITER ;
@mnaberez
Author

If the phpBB3 admin panel is compromised, the attacker can enable the "Allow PHP code in templates" option and then inject malicious PHP code by editing the templates. These MySQL triggers prevent that option from being enabled by the admin panel.
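
A way to confirm the triggers are installed and effective, as an added example that is not part of the gist or written by its author. It assumes the `phpbb_config` table name used above and is run by a database administrator in the phpBB schema; the account name `'phpbb_app'@'localhost'` is a placeholder for the account phpBB connects with.

```sql
-- Added verification example (not the gist author's code).

-- 1. List the two triggers as MySQL has them registered on phpbb_config.
SELECT TRIGGER_NAME, ACTION_TIMING, EVENT_MANIPULATION
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA = DATABASE()
  AND EVENT_OBJECT_TABLE = 'phpbb_config'
  AND TRIGGER_NAME IN ('phpbb_config_insert_tpl_allow_php',
                       'phpbb_config_update_tpl_allow_php');

-- 2. Functional check: attempt to enable the option directly in the table.
UPDATE phpbb_config
SET config_value = '1'
WHERE config_name = 'tpl_allow_php';

-- 3. Report whether the BEFORE UPDATE trigger overrode the value.
SELECT CASE WHEN config_value = '0' THEN 'OK: forced to 0'
            ELSE 'FAIL: option is enabled'
       END AS trigger_check
FROM phpbb_config
WHERE config_name = 'tpl_allow_php';

-- 4. Cleanup: if the trigger was missing, step 2 enabled the option,
--    so put it back to 0 regardless of the result above.
UPDATE phpbb_config
SET config_value = '0'
WHERE config_name = 'tpl_allow_php';

-- 5. Review the grants of the account phpBB connects with (placeholder name).
--    An account holding the TRIGGER privilege on this table can drop the
--    triggers, so the protection depends on that privilege being absent.
SHOW GRANTS FOR 'phpbb_app'@'localhost';
```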
