Hi - my phpMyAdmin and suhosin are not playing nice.
The reality is that I'm only using phpMyAdmin for stuff I haven't yet written an admin interface to in my app, to avoid having to log in via ssh to change stuff. But I'll probably keep phpMyAdmin around anyway.

Yes, I read the documentation on how to make them play nice, and to me it is unacceptable to change suhosin settings intended to protect my users and my site from a malicious user so that I can use a web app that is not open to the public.

There are a couple of solutions I can think of; I'm interested in both thoughts and alternatives.

1) Run an alternate web server that supports both SSL and PHP, and don't use suhosin with that build. Major downside is that I can't bind it to port 443 because I already am binding 443 to Apache, so I'd have to run SSL on a non-standard port. Upside to using a non-standard port, though, is that it is far less likely to be hit by the script kiddies looking for stuff.

2) Build and install PHP4 and run it side by side with PHP5 - use an Apache directive to only use PHP4 for the PHP files in the phpMyAdmin directory. I did a similar thing when helping a company migrate from PHP3 to PHP4 way back when, and it worked quite well - but I don't know how well that works with PHP4 and PHP5 running side by side. Major downside is that PHP4 is no longer officially supported for security fixes, but I can keep phpMyAdmin in a password-protected directory (it is already) so that the pages are not even available unless an attacker can get around Apache authentication. Major downside is I would have to use the older version of phpMyAdmin (which is still maintained) as the current version requires PHP 5.2+. As long as 2.x is maintained that is acceptable, but for how much longer will it be?


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
