I have been wondering about the difference between Suhosin Patch and Extension? For example which one of them I should install with PHP 5.2.17 with Xcache 1.3.1 and Zend Optimizer 3.3.0.a? Should it be Suhosin Extension 0.9.32.1? Is Patch version PHP version specific Suhosin Patch 0.9.10 for PHP 5.3.4/5.3.3 and Suhosin Patch 0.9.7 in my case for PHP 5.2.17?
I also couldnt understand the clear difference between Patch and Extension from security point, how do they differ from each other?
The difference is simple. One (the extension) operates as a normal extension, so it retains compatibility with other extensions. The other (the patch) does not, so it will likely break other 3pd extensions.
Now, one thing to consider is that the patch isn't even released for the most recent versions (the latest patch version is 5.3.4, so you can't use 5.3.5 stable). Now, you could install an older version of PHP to use the patch, but that will expose you to vulnerabilities closed by the core in the latest version. Which IMHO is not worth it.
Now, I would like to make 1 thing absolutely clear. Suhosin (and the other extensions/patches and things such as mod_security) does not actually secure your code. Let me say that agian, because it's important: It does not secure your code. What it does, is closes some commonly used attack vectors, and disables some commonly abused internal functions. But it is still absolutely possible to have vulnerabilities in your code.
So, while it may help "shore up" bad code, it will not make any difference with good code. If you spend the time and energy securing your code, the patch and extension are for all practical purposes useless. But it's like a firewall in the sense that every layer is usefl as long as it doesn't get in your way too much (Especially since it's practically impossible to write 100% secure code).
Look at: http://www.hardened-php.net/suhosin/a_feature_list.html
Section Engine Protection is only available when using patched php source.
