I just found out about Suhosin and I'm wondering what you guys think of it?

Here is its description in case you don't know:

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities, and the second part is a powerful PHP extension that implements all the other protections.

This is the website:

http://www.hardened-php.net/suhosin/index.html

Since I'm on Windows, I'd like to know about the Windows binary, which can be found here:

http://forum.hardened-php.net/viewtopic.php?id=250

Please share your opinion...

    I personally think it's better to just harden PHP yourself, not from PHP, but from the server aspect. You don't need Suhosin in order to protect your server. Your code is one of the top items which can safeguard you at the time of an attack 😉

    I also know someone who was once with LayeredTech that had a server that was virtually impenetrable to outside forces. He was running PHP and all the other bells & whistles, but constantly had experts try to brute-force it. No one got in.

    I'm not a fan of it now because apparently they're going to help dissuade the move to PHP 5, because they're going to release security updates for PHP 4, which is insane. Let PHP 4 go; move on to PHP 5.

      Suhosin bugfixes generally end up in the official PHP (5) build anyway once they're verified to not break anything and are stable (search the changelog for the name of Suhosin's main developer).
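An added example, not from anyone in this thread and not code from the Suhosin project: the reply above about hardening PHP "from the server aspect" rather than relying on Suhosin names no settings, so here is a small PHP CLI script that audits the core php.ini directives that server-side hardening usually covers, and, if the Suhosin extension happens to be loaded, prints a handful of its directives for comparison. The list of directives and the "expected" values are my own choices for this example, and the suhosin.* names are written from memory of the extension's documentation; check them against the suhosin.ini shipped with your build. Run it with the same php.ini the web server uses (php -c /path/to/php.ini audit.php), since the CLI SAPI often reads a different file.

```php
<?php
// Added example (not part of the original thread): audit a few
// server-side PHP hardening settings, with or without Suhosin.
// Requires PHP 7.1+ for the array destructuring in foreach.
// The "expected" values are this example's own choices.

/**
 * Core php.ini flags worth locking down regardless of Suhosin.
 * directive => [expected normalised value, reason]
 */
function coreExpectations(): array
{
    return [
        'expose_php'        => ['0', 'hides X-Powered-By and the PHP version'],
        'display_errors'    => ['0', 'keeps stack traces and paths out of responses'],
        'log_errors'        => ['1', 'errors still reach the log for the admin'],
        'allow_url_include' => ['0', 'blocks remote file inclusion via include/require'],
        'allow_url_fopen'   => ['0', 'blocks URL wrappers in fopen/file_get_contents'],
        'register_globals'  => ['0', 'no request vars injected into globals (removed in 5.4)'],
        'enable_dl'         => ['0', 'scripts cannot load extensions at runtime'],
    ];
}

/** Normalise ini_get(): "On"/"1"/"true" -> "1", "Off"/""/"0" -> "0", unknown -> "n/a". */
function normaliseFlag($raw): string
{
    if ($raw === false) {           // directive does not exist in this PHP build
        return 'n/a';
    }
    $v = strtolower(trim((string) $raw));
    return in_array($v, ['1', 'on', 'true', 'yes'], true) ? '1' : '0';
}

function auditCore(): array
{
    $findings = [];
    foreach (coreExpectations() as $directive => [$expected, $why]) {
        $actual = normaliseFlag(ini_get($directive));
        $findings[] = [
            'directive' => $directive,
            'expected'  => $expected,
            'actual'    => $actual,
            'ok'        => ($actual === $expected || $actual === 'n/a'),
            'why'       => $why,
        ];
    }
    // Free-form settings: pass if set at all, and show the value.
    foreach (['open_basedir'      => 'confines file access to the web root',
              'disable_functions' => 'removes shell/exec style functions from the engine'] as $d => $why) {
        $val = (string) ini_get($d);
        $findings[] = ['directive' => $d, 'expected' => '(set)',
                       'actual' => $val === '' ? '(empty)' : $val,
                       'ok' => $val !== '', 'why' => $why];
    }
    return $findings;
}

function auditSuhosin(): array
{
    if (!extension_loaded('suhosin')) {
        return ['loaded' => false];
    }
    // Directive names as I recall them from the Suhosin docs; verify against your suhosin.ini.
    $directives = [
        'suhosin.simulation',                    // 1 = log only, never block
        'suhosin.executor.disable_eval',
        'suhosin.executor.include.max_traversal',
        'suhosin.executor.include.whitelist',
        'suhosin.request.max_vars',
        'suhosin.post.max_vars',
        'suhosin.session.encrypt',
        'suhosin.cookie.encrypt',
    ];
    $out = ['loaded' => true, 'version' => phpversion('suhosin')];
    foreach ($directives as $d) {
        $out[$d] = ini_get($d);                   // false if the name is wrong for this build
    }
    return $out;
}

// --- report ---------------------------------------------------------------
printf("PHP %s (%s SAPI)\n\n", PHP_VERSION, PHP_SAPI);
foreach (auditCore() as $f) {
    printf("%-4s %-18s expected=%-8s actual=%-30s %s\n",
        $f['ok'] ? 'ok' : 'WARN', $f['directive'], $f['expected'], $f['actual'], $f['why']);
}
echo "\n";
$s = auditSuhosin();
if (!$s['loaded']) {
    echo "Suhosin: not loaded (the core hardening above applies on its own)\n";
} else {
    printf("Suhosin %s loaded:\n", $s['version']);
    foreach ($s as $k => $v) {
        if (strpos($k, 'suhosin.') !== 0) {
            continue;
        }
        $shown = $v === false ? '(unknown directive)' : ($v === '' ? '(empty)' : $v);
        printf("  %-42s %s\n", $k, $shown);
    }
}
```

The point of the split between auditCore() and auditSuhosin() is the one the reply makes: the first list is enforceable with nothing but php.ini on any PHP build, while the second only reports what a Suhosin install adds on top, and the script passes register_globals as "n/a" on any PHP that no longer has it.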
