tags 521198 + moreinfo unreproducible
thanks

Hi David,

On Wednesday 25 March 2009, David wrote:
> Suhosin nulls the parameters of a very large mysql update resulting in
> null values being submitted to the database, where data was expected.

That depends on your suhosin settings. I expect people installing software are reading the provided (even upstream) documentation. You can see in the documentation and the provided ini file that there are values like "suhosin.get.max_value_length". Reading the documentation would give you the impression that "large mysql update"s may have problems with the enabled suhosin module. So you have to adjust the (default) values to fit your environment.

> It seems more reasonable that Suhosin would instead kill the update queries
> if it considers them to be an attack. And log it so the admin can make
> appropriate changes.

Logging is done to syslog ... in our case this is /var/log/syslog. I suggest you use the simulation mode if you expect problems with the default settings, to see where you get into trouble. Since this heavily depends on the environment where it would be used, every user has to deal with it on their own.

> As it is, it is highly destructive, and not immediately apparent when
> suhosin is first installed/updated. It only appears later when the
> end-users generate a large enough update. A ticking time bomb for the
> database.

Anyway ... your application has to deal with an empty value anyway, so this is nothing special to suhosin. I see that just stopping the script may be rigorous, but it is also not very useful to return errors to php, since php errors on most production sites are logged to a file anyway.

So .. please provide enough information about your settings and your environment (maybe the php script and the call of it). When we can reproduce the problem and identify it as a bug, we will take action.

Thanks and with kind regards,
Jan.
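
Added example, not part of the original message or of Suhosin itself: a small Python script that tallies Suhosin alerts found in syslog text, so an admin can see which request variables are being dropped (or would be dropped in simulation mode) and in which script. The sample log lines and the line layout the pattern expects are constructed assumptions; adjust the pattern to what your own /var/log/syslog shows.

```python
import re
from collections import Counter

# Constructed sample lines; the layout is an assumption, not captured output.
SAMPLE_SYSLOG = """\
Mar 25 10:01:12 web1 suhosin[2211]: ALERT-SIMULATION - configured POST variable value length limit exceeded - dropped variable 'body' (attacker '192.0.2.10', file '/var/www/app/save.php')
Mar 25 10:01:12 web1 sshd[900]: Accepted publickey for deploy from 192.0.2.5
Mar 25 10:07:40 web1 suhosin[2240]: ALERT - configured GET variable value length limit exceeded - dropped variable 'q' (attacker '192.0.2.11', file '/var/www/app/search.php')
Mar 25 10:09:03 web1 suhosin[2251]: ALERT - configured POST variable value length limit exceeded - dropped variable 'body' (attacker '192.0.2.10', file '/var/www/app/save.php')
"""

# "ALERT-SIMULATION" marks events that were only logged, not enforced.
ALERT_RE = re.compile(
    r"suhosin\[\d+\]: (?P<kind>ALERT(?:-SIMULATION)?) - "
    r"(?P<reason>.+?) - dropped variable '(?P<var>[^']*)' "
    r"\(attacker '(?P<src>[^']*)', file '(?P<file>[^']*)'\)"
)

def summarize(log_text):
    """Count alerts per (script, variable, reason), split by enforcement mode."""
    dropped, simulated = Counter(), Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a Suhosin dropped-variable alert
        key = (m["file"], m["var"], m["reason"])
        target = simulated if m["kind"] == "ALERT-SIMULATION" else dropped
        target[key] += 1
    return dropped, simulated

def report(log_text):
    """Return one summary line per distinct alert, enforced drops first."""
    dropped, simulated = summarize(log_text)
    lines = []
    for label, counts in (("DROPPED", dropped), ("SIMULATED", simulated)):
        for (script, var, reason), n in counts.most_common():
            lines.append(f"{label} x{n} {script} var={var!r}: {reason}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SYSLOG)))
```

Any DROPPED entry against a script that writes to the database points at a limit that needs raising for that environment, or at input handling that must reject missing values before the update runs.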