PHP is a very popular web scripting language, but its built-in security is weak. This article describes the PHP hardening project (hardened-php) and its newer Suhosin project, which gives PHP a security-oriented configuration layer.
PHP is a controversial but extremely popular web scripting language. It is popular because it is cheap, but that low cost has produced an ever-growing number of web applications written in PHP, and with them more and more vulnerabilities, both in PHP itself and in the applications. The language is very flexible and code is quick to write, but the result is often bloated and unsafe, even though PHP has always had a large user base. The same classes of vulnerability turn up in application after application: SQL injection, cross-site scripting, arbitrary code execution, and so on.
Because PHP's built-in security measures such as safe_mode and open_basedir are inadequate (safe_mode in particular has been bypassed repeatedly and was eventually removed from PHP), the PHP hardening project set out to build a more secure PHP and to audit the PHP code base. Initially this took the form of a hardening patch that had to be applied to the PHP source, after which PHP itself had to be recompiled. More recently the project has released a new product called Suhosin.
Suhosin consists of two parts. The first is a patch to PHP itself that hardens the Zend engine against buffer overflows and related memory-corruption vulnerabilities. The second is the Suhosin extension, a standalone PHP module. The two parts can be used together, or the extension can be used on its own.
Most developers do not want to maintain a patched PHP build of their own for security reasons; they would much rather use the PHP packages supplied by their Linux distribution, which already carry the vendor's security fixes. The standalone extension fits this: it can be loaded into a stock PHP without rebuilding it.
The extension module is easy to install, either through pecl or, as shown here, by downloading the source and building it with phpize:
$ tar xvzf suhosin-0.9.17.tgz
$ cd suhosin-0.9.17
$ phpize
$ ./configure
$ make
$ sudo make install
To use Suhosin, you also need to add the following line to /etc/php.ini (or to whichever php.ini your PHP actually reads; `php --ini` prints the path):
extension=suhosin.so
For most people the default configuration is sufficient. To tighten it, add the corresponding suhosin.* directives to /etc/php.ini. The project web site documents every configuration option in detail and is the place to start when putting together an initial configuration.
With Suhosin you get an alert log: alerts can be sent to the system log or written to any other log file. It can also maintain a blacklist and a whitelist per virtual host, filter GET and POST variables, file uploads and cookies, and transparently encrypt sessions and cookies, among other things. Unlike the original PHP hardening patch, Suhosin is compatible with third-party extensions such as Zend Optimizer.
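As an added illustration (it is not from the original article and not the project's shipped php.ini), the following php.ini fragment shows what a tightened Suhosin configuration covering the features just listed might look like. The directive names are Suhosin's; every value, the log file path, the function and wrapper lists and the two key placeholders are this example's choices and have to be adapted to the application, and each directive's default should be checked against the project documentation.

```ini
; Added example, not the article's or the project's own php.ini.
; Directive names are Suhosin's; values, paths and key placeholders
; are assumptions that must be adapted per site.

extension=suhosin.so

; Simulation mode: Suhosin logs what it would have blocked but blocks
; nothing. Use On for the first deployment, then switch to Off.
suhosin.simulation = Off

; ---- Logging ------------------------------------------------------------
; Alert classes form a bitmask; 511 (S_ALL) selects all of them.
; Send alerts to syslog and also to a dedicated file (example path;
; it must be writable by the PHP process).
suhosin.log.syslog = 511
suhosin.log.file = 511
suhosin.log.file.name = /var/log/suhosin.log

; ---- Executor: what scripts are allowed to do ---------------------------
; Functions that may not be called. Overlaps with PHP's disable_functions,
; but with suhosin.perdir set accordingly it can differ per virtual host.
suhosin.executor.func.blacklist = exec,passthru,shell_exec,system,proc_open,popen
; The /e modifier of preg_replace() evaluates the replacement as PHP code.
suhosin.executor.disable_emodifier = On
; Refuse include/require of files the PHP process itself could write to
; (a common second stage of upload-then-include attacks).
suhosin.executor.include.allow_writable_files = Off
; URL prefixes that may never appear in include/require (remote file
; inclusion and stream-wrapper tricks).
suhosin.executor.include.blacklist = http://,https://,ftp://,php://input,data:

; ---- Request filtering: GET, POST, COOKIE -------------------------------
; Variables beyond these limits are dropped and an alert is logged.
; Tune the limits to the largest legitimate form on the site.
suhosin.get.max_vars = 100
suhosin.get.max_value_length = 512
suhosin.post.max_vars = 200
suhosin.post.max_value_length = 65536
suhosin.cookie.max_vars = 20
suhosin.request.max_vars = 200
suhosin.request.max_varname_length = 64
; Response when a variable was filtered: an HTTP status code (or a URL).
suhosin.filter.action = 403

; ---- File uploads -------------------------------------------------------
suhosin.upload.max_uploads = 5
; Reject uploaded ELF executables; set disallow_binary = On if the site
; only ever expects text files.
suhosin.upload.disallow_elf = On
suhosin.upload.disallow_binary = Off

; ---- Transparent session and cookie encryption --------------------------
; The secret below is mixed with the client's User-Agent and the document
; root, so a stolen session file or cookie is useless from another client
; or another vhost. Replace the placeholders with long random secrets.
suhosin.session.encrypt = On
suhosin.session.cryptkey = CHANGE-ME-long-random-secret
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = CHANGE-ME-another-random-secret
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
; Keep the keys out of phpinfo() output.
suhosin.protectkey = On

; ---- Misc ---------------------------------------------------------------
; Protect mail() against header injection via embedded newlines.
suhosin.mail.protect = 1
; Stop the script on a MySQL error instead of carrying on, which also
; starves blind SQL-injection probing of its error feedback.
suhosin.sql.bailout_on_error = On
```

Roll this out with suhosin.simulation = On first and watch the alert log for false positives from the application (large forms that exceed the max_vars or max_value_length limits are the usual culprit), then set simulation to Off. `php -i | grep suhosin` shows the values actually in effect, and, assuming the web server is Apache, the per-directory directives can be overridden for an individual virtual host with php_admin_value so that different sites get different blacklists.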