Hi - my phpMyAdmin and suhosin are not playing nice.

The reality is that I'm only using phpMyAdmin for stuff I haven't yet
written an admin interface to in my app, to avoid having to log in via
SSH to change stuff. But I'll probably keep phpMyAdmin around anyway.

Yes, I read the documentation on how to make them play nice, and to me
it is unacceptable to change suhosin settings intended to protect my
users and my site from a malicious user so that I can use a web app that
is not open to the public.

There are a couple of solutions I can think of; I'm interested in both
thoughts and alternatives.

1) Run an alternate web server that supports both SSL and PHP, and don't
use suhosin with that build.

Major downside is that I can't bind it to port 443 because I already am
binding 443 to Apache, so I'd have to run SSL on a non-standard port.
Upside to using a non-standard port though is it is far less likely to
be hit by the script kiddies looking for stuff.

2) Build and install PHP4 and run it side by side with PHP5 - use an
Apache directive to only use PHP4 for the PHP files in the phpMyAdmin
directory. I did a similar thing when helping a company migrate from
PHP3 to PHP4 way back when, and it worked quite well - but I don't know
how well that works with PHP4 and PHP5 running side by side. Major
downside is that PHP4 is no longer officially supported for security
fixes, but I can keep phpMyAdmin in a password-protected directory (it
is already) so that the pages are not even available unless an attacker
can get around Apache authentication. Major downside is I would have to
use the older version of phpMyAdmin (which is still maintained) as the
current version requires PHP 5.2+. As long as 2.x is maintained that is
acceptable, but for how much longer will it be?

Thoughts?
--
PHP General Mailing List (http://www.php.net/)