Welcome to WebmasterWorld Guest from

Forum Moderators: coopster & jatar k

Message Too Old, No Replies


11:55 am on Feb 16, 2012 (gmt 0)

Junior Member

10+ Year Member

joined:July 23, 2005
posts: 81
votes: 0

Running Debian Squeeze, Apache 2.2, PHP Version 5.3.3-7+squeeze8

In Logcheck, I'm getting warnings like:
Feb 16 00:46:49 hostname suhosin[28579]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'start' (attacker '', file '/home/example.com/public_html/phpbb2/viewforum.php')

I'm not really familiar with it, but Wikipedia says Suhosin is a Php security patch and default in Debian. So that's OK.

But PhpMyAdmin reports:

Server running with Suhosin. Please refer to documentation for possible issues.

And that - [wiki.phpmyadmin.net...] -- reports a number of issues with Suhosin and apps like PhpMyAdmin.

So I guess I'm asking how needed or valuable is Suhosin? If not, how would it be deactivated? I would be nice to get rid of the red warning.
2:12 am on Feb 17, 2012 (gmt 0)

System Operator from US 

incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
votes: 99

Why would you want less security just to get rid of a red warning?

Makes sense to me.

Read up on what it is, you should probably keep it unless you like you servers hacked from PHP flaws: [hardened-php.net...]
9:10 am on Feb 17, 2012 (gmt 0)

Junior Member

10+ Year Member

joined:July 23, 2005
posts: 81
votes: 0

Of course I don't want less security, but there are always things that are not that effective, unneeded or redundant, which is why I asked.

But implementation is being a bit problematic. The phpMyAdmin FAQ [phpmyadmin.net ] recommends changes to suhosin.ini

The default values for most Suhosin configuration options will work in most scenarios, however you might want to adjust at least following parameters:

suhosin.request.max_vars should be increased (eg. 2048)
suhosin.post.max_vars should be increased (eg. 2048)
suhosin.request.max_array_index_length should be increased (eg. 256)
suhosin.post.max_array_index_length should be increased (eg. 256)
suhosin.request.max_totalname_length should be increased (eg. 8192)
suhosin.post.max_totalname_length should be increased (eg. 8192)
suhosin.get.max_value_length should be increased (eg. 1024)
suhosin.sql.bailout_on_error needs to be disabled (the default)
suhosin.log.* should not include SQL, otherwise you get big slowdown

Most of these are straightforward, but the last is - as far as I can determine - undocumented or unclear. See [hardened-php.net ]
The default suhosin.ini entry has no value

;suhosin.log.syslog =

Looking at other suhosin.log settings and the suhosin config docs, I get the impression that to remove SQL from the logging, I should set the value to 16 or lower. But I can't find anything on Google or the phpadmin or suhosin sites to give that credibility.

Any ideas? Thanks.