Hi

On Wed, 07 Apr 2010 13:22:43 +0200 Olaf van der Spek <o...@xwis.net> wrote:
> On 7-4-2010 13:16, Michal Čihař wrote:
> >> I don't have experience with Suhosin, but it sounds a bit like AV
> >> software (on Windows): work arounds, not solutions.
> >
> > Well there are definitely good things in Suhosin, but I don't see much
>
> In that case they should be integrated into PHP itself (IMO).

I guess the reasons are mostly same as for hardened PHP:
http://www.hardened-php.net/hphp/faq.html#why_is_hardening-patch_not_part_of_php

> >> Isn't it possible to detect and disable those operations in pMA when
> >> Suhosin is enabled?
> >
> > It could be probably implemented by combination of PHP and client side
> > javascript code (you need to validate forms before submitting whether
> > they don't reach some of configured limits), but nobody invested his
> > time into this so far. Patches are of course welcome.
>
> What Suhosin setting depends on length of user input? I don't see it in
> the FAQ.

It limits maximal length of value -
http://www.hardened-php.net/suhosin/configuration.html#suhosin.request.max_value_length
http://www.hardened-php.net/suhosin/configuration.html#suhosin.get.max_value_length
http://www.hardened-php.net/suhosin/configuration.html#suhosin.post.max_value_length

> >>> Finally, it's possible to change the specific Suhosin settings that
> >>> phpMyAdmin has a problem with.
>
> Can't this be done by default in Debian?

Ask Suhosin maintainers :-).

> > So it's definitely not needed to remove or
> >>> disable Suhosin to be able to work with phpMyAdmin.
> >>
> >> I know, I just think this warning isn't right either.
> >
> > What kind of warning would be better?
>
> No warning, it should be 'fixed' some other way.

Patches welcome. Validating forms while generating them in PHP and on
submission using JavaScript is quite a lot of work and this is IMHO the
only way to do this.

--
Michal Čihař | http://cihar.com | http://blog.cihar.com
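
The client-side half of the check described in the message above (validating form values against the configured Suhosin limits before submitting), as an added example that is not part of the original thread or of phpMyAdmin's code. It assumes the server hands the three linked settings to the page, that a value of 0 disables a limit, and that lengths are counted in bytes; the function names and sample data are hypothetical.

```javascript
// Added example. Limit values are constructed; in practice the server would
// emit them, e.g. from PHP's ini_get(), for the three settings linked above.
const SAMPLE_LIMITS = {
  'suhosin.request.max_value_length': 1000,
  'suhosin.get.max_value_length': 512,
  'suhosin.post.max_value_length': 0, // assumption: 0 means "check disabled"
};

// Strictest limit that applies to a submission with the given method.
// The request-wide limit and the method-specific limit both apply.
function effectiveLimit(limits, method) {
  const keys = [
    'suhosin.request.max_value_length',
    `suhosin.${method.toLowerCase()}.max_value_length`,
  ];
  const active = keys.map((k) => Number(limits[k]) || 0).filter((n) => n > 0);
  return active.length ? Math.min(...active) : Infinity;
}

// Assumption: the limit counts bytes of the submitted value, so measure the
// UTF-8 encoding rather than the JavaScript string length.
function byteLength(value) {
  return new TextEncoder().encode(String(value)).length;
}

// fields: iterable of [name, value] pairs, e.g. new FormData(form).entries().
// Returns one record per field whose value would exceed the limit.
function findOversizedFields(fields, method, limits) {
  const max = effectiveLimit(limits, method);
  const problems = [];
  for (const [name, value] of fields) {
    const size = byteLength(value);
    if (size > max) problems.push({ name, size, max });
  }
  return problems;
}

// Constructed sample form content.
const sampleFields = [
  ['db', 'test'],
  ['sql_query', 'SELECT ' + 'x'.repeat(1200)], // 1207 bytes
  ['comment', 'č'.repeat(300)],                // 300 characters, 600 bytes
];
```

A submit handler would call `findOversizedFields` and show the offending field names instead of sending a request that Suhosin would alter or drop; the server still has to apply the same limits when generating the form, as the message says.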