Frequently Asked Questions

This page is a collection of questions that come up from time to time.

General

What does Suhosin mean?

Suhosin (수호신) is a South Korean word that means something very similar to the English "guardian angel".

Why is Suhosin called Suhosin?

According to some blog entries, a few Korean people are rather surprised by the name. They wonder why a German developer has chosen a Korean word for his project's name. The reason is very simple. The main developer of Suhosin has been interested in Korea for quite some time: he enjoys watching Korean movies, loves Korean food, and has been learning the Korean language for several years. Additionally, the word 'suhosin' is quite simple, sounds interesting, describes exactly what the program is, and bypasses the problem that most English words are already taken by popular software.

Why should you use the Suhosin-Patch or the Suhosin Extension?

This question is actually the most important one. Important enough that the answer is covered by its own section.

Should I run Hardening-Patch or Suhosin?

Suhosin is actually a replacement for the Hardening-Patch. Looking at its feature set, Suhosin is already more powerful with its first public release than the Hardening-Patch ever was. With the first public stable release of Suhosin, the Hardening-Patch is deprecated and only Suhosin should be used in new installations.

What license is Suhosin under?

The Suhosin-Patch is a patch against the PHP code base. It heavily uses #defines from the original PHP code tree and is therefore released under the same license. The extension is also released under the same license. Currently this is the PHP License, version 3.01.

Installation & Configuration

Will my application break because Suhosin is too restrictive?

Some people fear that the protections implemented by Suhosin are too restrictive for their applications and that their applications will stop working after installing it. Therefore Suhosin comes with a special configuration option: suhosin.simulation. When it is enabled, Suhosin continues to log violated rules, but the actual blocking is not performed.

How can I find out the problem when my application breaks?

It is a good start to enable Suhosin's logging feature in addition to PHP's logging. See suhosin.log.* in the documentation.

Does Suhosin run on Windows?

Short answer: No.

While there is no official support for Windows (yet), Suhosin has been known to compile and run on modern Windows machines with IIS and Apache. However, running Suhosin on Windows has not been thoroughly tested and may not work as expected.

Will Suhosin run on my old PHP 5.0 / 5.1 / 5.2 / 5.3?

Short answer: Yes, but...

PHP 5.x and Suhosin version 0.9.37 work well together. Later Suhosin versions will drop support for PHP 5.2 and below.

Why does session encryption not work with my custom PHP installation?

Transparent session encryption requires the PHP session extension to be compiled into PHP (statically or as a shared library). This is checked when the Suhosin extension is compiled. Check for compiled-in modules like so:

$ php -m
[PHP Modules]
Core
...
session
...

Or otherwise, try to load the shared extension:

$ php -d display_errors=1 -d extension=session.so -r ''
(No warning means this worked.)

Also, the session extension must be loaded when Suhosin starts up. So the loading order matters:

$ php -d extension=session.so -d extension=suhosin.so ...

If the loading order is wrong, you will probably see something like this when loading Suhosin:

Undefined symbol "ps_globals" in Unknown on line 0
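
The loading order can also be checked in the ini files themselves before PHP is restarted. The shell function below is an added example, not part of Suhosin or of the original page; the name suhosin_load_order and the sample ini content are constructed for illustration, and it assumes the ini files are passed in the order PHP reads them.

```shell
#!/bin/sh
# Added example (hypothetical helper): report the order in which the
# session and Suhosin shared extensions are loaded.
# Arguments: ini files in the order PHP reads them (php.ini first, then
# the scanned *.ini files alphabetically; `php --ini` lists them).
# Prints one of: ok | wrong-order | session-not-listed | suhosin-not-listed
suhosin_load_order() {
    awk '
        # Only active "extension = value" lines match; lines commented
        # out with ";" and zend_extension lines do not.
        /^[ \t]*extension[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # drop "extension ="
            sub(/[ \t]*;.*$/, "", val)      # drop trailing comment
            gsub(/["\047]/, "", val)        # drop quotes
            sub(/[ \t]+$/, "", val)         # drop trailing blanks
            sub(/^.*\//, "", val)           # drop directory part
            sub(/\.so$/, "", val)           # drop suffix
            n++
            if (val == "session" && !s) s = n
            if (val == "suhosin" && !h) h = n
        }
        END {
            if (!h)         print "suhosin-not-listed"
            # Not listed as shared: session may be compiled in
            # statically, so confirm with `php -m`.
            else if (!s)    print "session-not-listed"
            else if (s < h) print "ok"
            else            print "wrong-order"
        }
    ' "$@"
}

# Constructed sample read from stdin: Suhosin is listed before the
# shared session extension, the case that produces the error above.
suhosin_load_order <<'EOF'
; constructed php.ini fragment
extension=suhosin.so
extension = "session.so" ; shared build
EOF
```

A result of session-not-listed is not an error by itself: it is the expected outcome when the session extension is compiled into PHP statically.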

Should I use Suhosin as shared extension?

Suhosin is meant to be used as a shared extension only. There have been reports of a compiled-in Suhosin working just fine, but that may be coincidental.

I use XAMPP on OSX and my compiler complains about strnlen().

The precompiled PHP comes with a php_config.h that does not reflect your specific system.

Please refer to one of the following options:

  • compile PHP yourself

  • use the PHP shipped with OSX 10.0

  • define HAVE_STRNLEN yourself while compiling Suhosin:

    ./configure --with-php-config=/Applications/XAMPP/xamppfiles/bin/php-config
    make CFLAGS="-DHAVE_STRNLEN=1"
    

Help & Support

I found a bug. How can I report it?

We have an issue tracker on GitHub.

Please make sure that your bug description contains enough information to replicate the problem, e.g.

  • operating system
  • PHP version
  • Suhosin version
  • compile flags
  • Apache version
  • example code
  • a brief description outlining the problem

Where can I find even more help?

I need professional support for my company.

Please use our contact form and we will get back to you soon.