
In 2004, Stefan Esser, a security specialist responsible for finding and fixing many security bugs in PHP, developed a PHP extension named Suhosin. Stefan is an outstanding security specialist, and PHP is very fortunate to have his expertise in the service of a more secure PHP implementation.

Suhosin is a sophisticated extension that can do many things to protect against security exploits that many developers did not anticipate.

It is not surprising that even in 2004 Stefan was well aware of the potential harm that an excessive number of request variables could do to PHP. That is precisely why, among many other options, Suhosin has the option max_vars, which does what max_input_vars now does in PHP 5.3.9.

So if for some reason you are using an old PHP version and cannot upgrade, you may want to consider using Suhosin. I confess that I have not tried it myself, so I am not certain that it will work well with all the past PHP versions you may be using, but I think it is worth trying. In the worst case, you may want to contact Stefan and hire him to provide consulting if you run into difficulties.
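To see which of the two caps a given host actually has in effect, here is a small check script added for this article (it is not code from the article, from PHP or from Suhosin). It assumes the Suhosin settings the article calls max_vars are exposed under the ini names suhosin.get.max_vars, suhosin.post.max_vars and suhosin.request.max_vars.

```php
<?php
// Added check script (not from the article): reports whether this PHP host
// caps the number of request variables, either through PHP's own
// max_input_vars (PHP >= 5.3.9) or through Suhosin's max_vars settings.
// Assumed Suhosin ini names: suhosin.get.max_vars, suhosin.post.max_vars,
// suhosin.request.max_vars (the article refers to them collectively as max_vars).

function request_var_cap_status() {
    $status = array(
        'php_version'    => PHP_VERSION,
        'max_input_vars' => null,   // native cap, PHP >= 5.3.9
        'suhosin_loaded' => extension_loaded('suhosin'),
        'suhosin_caps'   => array(),
        'protected'      => false,
    );

    // Native cap: only exists on 5.3.9 or later; on older builds
    // ini_get() returns false because the setting is unknown.
    if (version_compare(PHP_VERSION, '5.3.9', '>=')) {
        $v = ini_get('max_input_vars');
        if ($v !== false && $v !== '') {
            $status['max_input_vars'] = (int) $v;
            $status['protected'] = true;
        }
    }

    // Suhosin caps: each setting limits a different source of variables.
    if ($status['suhosin_loaded']) {
        $keys = array('suhosin.get.max_vars', 'suhosin.post.max_vars', 'suhosin.request.max_vars');
        foreach ($keys as $key) {
            $v = ini_get($key);
            if ($v !== false && $v !== '') {
                $status['suhosin_caps'][$key] = (int) $v;
                $status['protected'] = true;
            }
        }
    }
    return $status;
}

// Human-readable report when run from the command line or a browser.
$s = request_var_cap_status();
echo "PHP " . $s['php_version'] . "\n";
echo "max_input_vars: " . ($s['max_input_vars'] === null ? 'not available' : $s['max_input_vars']) . "\n";
echo "Suhosin: " . ($s['suhosin_loaded'] ? 'loaded' : 'not loaded') . "\n";
foreach ($s['suhosin_caps'] as $k => $v) {
    echo "  $k = $v\n";
}
echo $s['protected'] ? "A request-variable cap is in effect.\n"
                     : "No request-variable cap found: upgrade to PHP 5.3.9+ or install Suhosin.\n";
```

Run it once per server (and per SAPI, since CLI and web builds can load different ini files) to confirm the cap is really active where requests are served.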

It should be obvious to all developers that security issues must be taken seriously and addressed with urgency.

Unfortunately, many developers are not very well educated when it comes to security matters. Even those with reasonable experience in security may still miss a security problem here and there. Nobody is aware of everything, so more security is never enough.

In this case, the problems that hash collisions may cause to your servers may not be your fault, because the issues are in the language implementation. However, it is the responsibility of the people in charge of the servers to do the necessary upgrades. So, if you were not aware of this problem, now that you have been made aware of it, it is up to you to take the necessary measures.
