
I'm planning an upgrade from Debian 6 (Squeeze) to 7 (Wheezy), which brings along PHP 5.4 and omits Suhosin.

Rightly or wrongly, Suhosin gives me a sense of security, because it lets me know about (some) hack attempts. e.g. I notice that my site gets a lot of hackers trying to send really long _GET variables, which are thwarted by Suhosin. I don't know how these long variables are used to hack stuff - perhaps a vulnerability that no longer exists in PHP 5.4?

I keep reading generalities like "oh, don't worry, loads of good bits from Suhosin have been adopted in PHP core now".

Can anyone summarise or point to exactly which of Suhosin's features are included or unnecessary in PHP 5.4?

artfulrobot
  • Squeeze? Wheezy? Are those Linux distributions? Can't you manually install Suhosin after updating your distro? – Marcel Korpel Jun 04 '13 at 15:00
  • have you seen this question? http://stackoverflow.com/questions/14405053/is-php-5-4-safe-without-suhosin – piddl0r Jun 04 '13 at 15:19
  • @piddl0r yep, and [I commented previously on that](http://stackoverflow.com/questions/14405053/is-php-5-4-safe-without-suhosin#comment24425407_14412121) -- it's exactly what I was talking about when I said generalities. – artfulrobot Jun 04 '13 at 15:37
  • @MarcelKorpel I've updated the question. Sorry, they're Debian codenames. Debian is a Linux-based OS very popular as a web server. Debian 7 (Wheezy) does not have the suhosin package, and I don't want to stray from package-based management. – artfulrobot Jun 04 '13 at 15:39

0 Answers