Login   Register  
PHP Classes
elePHPant
Icontem

Suhosin

Recommend this page to a friend!
Stumble It! Stumble It! Bookmark in del.icio.us Bookmark in del.icio.us

      PHP Classes blog  >  Another Serious Secur...  >  All threads  >  Suhosin  >  (Un) Subscribe thread alerts  
Subject:Suhosin
Summary:Suhosin works in a simple PHP env, but difficult for custom apps
Messages:2
Author:Jason
Date:2012-02-03 15:12:11
Update:2012-02-03 19:20:18
 

  1. Suhosin   Reply   Report abuse  
Picture of Jason
Jason
2012-02-03 17:16:11
The security setting that Suhosin are definitely the right way to go, however as a developer it sometimes creates more work to build a custom app that will function correctly under the Suhosin rules.

For example if you are building a custom CMS you must limit the number of input variables in a post array, or Suhosin will silently remove elements from the array. As such your application can behave erratically. There doesn't seem to be any error output, your data is silently dropped. This makes it hard to figure out what the cause is.

This happens quite a bit with PHPMyAdmin which can become very buggy using Suhosin's default rules. On large tables with many fields PHPMyAdmin will throw errors when used in conjunction with Suhosin.

I have a feeling PHPMyAdmin is one of the main reasons why Suhosin has not been adopted offically. Because a default Suhosin install will break PHPMyAdmin.


Anyhow great Blog! Keep posting!


  2. Re: Suhosin   Reply   Report abuse  
Picture of Manuel Lemos
Manuel Lemos
2012-02-03 19:20:18 - In reply to message 1 from Jason
Right but Suhosin also allows you to configure the limit variables if necessary. The default is 200 which should be fine.

http://www.hardened-php.net/suhosin/configuration.html#suhos ...

I doubt that PHPMyAdmin uses more than 200 request variables. If they do, the application is badly designed.

Other than that Suhosin does not filter variables silently. You can send filtered actions to a log.

http://www.hardened-php.net/suhosin/configuration.html#suhos ...

All this is done finally since PHP 5.3.9, so if this is a problem with Suhosin, it is a problem with PHP too now.