PHP Freaks

Reading through the tutorials just now, and came across this one. (I say "came across" like it's surprising when there's 3 tutorial at the moment hehe.)

Anyway, i would've liked more of an explanation of what Suhosin is.... I had never heard of it before, so I Googled it.

Their site sounds oddly propagandaish to me, and when ever you visit it sounds like they're trying to tell me the world is going to end if I don't use their patch. (I also think it's funny how they basically make fun of the PHP coders saying even they miss some stuff, but this random guy [group of people maybe?] can magically fix it all! I mean I'm not saying he[/she/they] can't, just saying it's funny how he makes himself sound awesome.)

Anyway, sorry if you didn't want feedback, but I'm bored reading the tutorials lol.

@Crobin H: It is sad but a fact that php developers miss "stuff" all the time. That comes with being human. Were Suhosin comes in is in preventing most of that before it ever hits your application. The suhosin site says "It was designed to protect your servers on the one hand against a number of well known problems in PHP applications and on the other hand against potential unknown vulnerabilities within these applications or the PHP core itself!" The key here is "potential unknown vulnerabilities".. I don't have any numbers to support this but I would be willing to bet that 99.9% of attacks are exploits from these "unknown vulnerabilities" or they were unknown to the original developers. Checkout the suhosin feature list for more info.

How often are those problems exploited though? I mean, I guess since PHP is open source, someone could read through the code and spot something, but how likely is it that someone will attack my site with a (forexample) bufferoverflow attack? Hmmm... I guess that's actually likely, but....

Half the features listed sound to me like they should be covered in the actual PHP code... (Hrmmm I guess some of the features are to protect users from each other or themselves now that I read through it again... So that's why those aren't PHP level.)

Hrmm anyway... Thanks for answering, and hopefully you don't think I'm an entire nooby ;p.

"Half the features listed sound to me like they should be covered in the actual PHP code... "

I completely agree with that statement. If people wrote good code to begin with this wouldn't be needed. However, there are plenty of people that do not write good code and it may be riddled with various vulnerabilities. Suhosin forces proper security standards on applications that may not have otherwise followed those standards. This results in a more secure application. Not to mention the use of third party applications that we do not control the source code. In the end this is just a simple but very effective way of adding another layer of security to a site without having a negative impact on performance.

Yeah guess so.... It could be especially useful for server hosts, or like you said, when using 3rd party apps....

Corbin,
This comes from Stefan Esser, an individual who is well known in the PHP community for not playing well with others. He has regularly engaged in flame wars with other well known people involved with PHP, and tends to get shrill, self righteous and arrogant. He does however seem to know what he's talking about when it comes to security and web exploits.

Well.... I guess it's better than being narcissistic and stupid...

(Dunno if you would consider him narcissistic just guessing that from the short description lol)

I've noticed that Ubuntu seems to come pre-installed with suhosin. I didn't look at the configuration if they set anything by default but it is there. In any event I think this is a good guide Tom, thanks for putting it up. Some of the configuration settings can be a little confusing on the suhosin website.