On 7-4-2010 10:25, Thijs Kinkhorst wrote:
In that case, shouldn't Suhosin be disabled by default?

I don't think so. PHP in Debian is of wider use than phpMyAdmin alone, so
if phpMyAdmin has issues with Suhosin it doesn't naturally follow that all
of Suhosin should be disabled. There are many PHP applications both inside
and outside of Debian, web application security has a significant impact
on the web today and having Suhosin by default can provide a positive
contribution to web application security.

I don't have experience with Suhosin, but it sounds a bit like AV software (on Windows): workarounds, not solutions.

As for the impact of Suhosin on phpMyAdmin performance, this is limited to
only certain operations, most notably when working with large tables that
have no primary key. I have not encountered any problems myself when
working with phpMyAdmin in different contexts all running with Suhosin.

Isn't it possible to detect and disable those operations in pMA when Suhosin is enabled?

Finally, it's possible to change the specific Suhosin settings that
phpMyAdmin has a problem with. So it's definitely not needed to remove or
disable Suhosin to be able to work with phpMyAdmin.

I know, I just think this warning isn't right either.

Michal, perhaps the phpMyAdmin FAQ item that the warning refers to can be
augmented with which parameters to change?


cheers,
Thijs



