I finally discovered the impact of SUHOSIN after six months of trying to track down why several popular modules wouldn't work when uploaded to a hosted server. They worked OK on a development set-up (Windows XP) but failed on a hosted Linux server.
The modes of failure on the server were unhelpful, which made troubleshooting complicated. In some instances it returned a simple 'server error' page, and in the server log it just said something about 'incomplete headers'. In other instances the attempt at updating permissions seemed to complete OK but the permissions hadn't actually been updated.
What I believe was happening was that SUHOSIN just cut off the posted data after reaching its set limit. When that messed up an array within the $_POST, say by letting an 'index' variable through but not its associated 'value' variable, then I got an error page, but if the data in the $_POST was still a valid collection (albeit with some missing) then the process continued but some expected updates didn't get done!
Before realizing that SUHOSIN was the culprit I spent some time trying to replicate my host's environment on the XP machine. Dumped IIS and installed a WAMP set up, changed the Apache version, changed the MySQL version, changed the PHP version, changed from PHP as a module to fast-cgi, and finally changed all the php.ini settings to match those on the host (well those I could understand anyway!).
The thing that stumped me was getting SUHOSIN itself. Over at its home (Hardened php project) it's downloadable as a set of files that need compiling. I guess that's something Linux users are good at but for inadequates like me it has to be a dll file. Links around the Internet pointed to the forums area at SUHOSIN's home as a place to get the dll but it seemed to be permanently in 'maintenance' mode (still is today). I eventually found one, but unfortunately I can't remember where and recent attempts at searching haven't turned it up a second time. If someone knows where this can be downloaded I'm sure others would benefit. Alternatively, if anyone can offer download space then email me at support.xoops.forums@origma.demon.co.uk and I can send a copy.
To continue ...
Once installed on the WAMP set up SUHOSIN is quite easy to experiment with. When it catches something it writes an error report to XP's Event Viewer saying what happened. Also you can put it into 'simulation' mode where it reports any breaches but lets the processing continue. All the parameters are set in php.ini so troubleshooting can be easy and quick. However if you are working in an IDE like Eclipse it will conflict with the debugger which is a shame.
After playing with it for a while I was able to work out what value I needed for the maximum variables in $_POST parameter. My site had 46 groups (yes yes I know it's a lot!) and I wanted to add new fields to the User Profile module bringing them to a total of 30. This meant I needed a value of 2852 (from 46 x 30 x 2). The hosting provider had already viewed the default figure of 200 as too low and had doubled it to 400. But this was a little short of the figure I needed.
In discussion with them they raised the value to 1024 but pointed out the whole point of the restriction was to protect the server, so they were reluctant to simply whack the figure up just because I asked. Their position went something like, 'if the guy that wrote this stuff thought 200 a safe number to use then five times that number is probably as far as we want to go'. Quite reasonable really, they've bought into SUHOSIN to give them protection so it makes no sense to open it up and risk the bad boys getting in.
At the moment I have changed the management arrangements of the site along with several module hacks and reduced the groups to a bare minimum of 23, and ambitions for the User Profile module have been reduced by restricting the field count to 26. This would need a $_POST variables limit of 1196 and I have re-approached the provider hoping that this modest change will be acceptable.
I hope my story will help others running sites, and indicate an area where the core, and module, developers might like to look at. SUHOSIN isn't going away.
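The two failure modes described in the post (an error page versus an update that quietly does less than expected) can be modelled offline. The following is an added example, not part of the original post and not SUHOSIN's code; it assumes that variables past the limit are dropped in arrival order, and the field names `idx[...]` and `val[...]` and the form body are constructed for illustration.

```python
from urllib.parse import urlencode, parse_qsl

def build_form(groups, fields):
    """Constructed sample body: an index/value pair for every group x field cell.
    The names idx[...] and val[...] are hypothetical, not taken from any module."""
    pairs = []
    for g in range(groups):
        for f in range(fields):
            pairs.append((f"idx[{g}][{f}]", f"{g}:{f}"))
            pairs.append((f"val[{g}][{f}]", "1"))
    return urlencode(pairs)

def audit(body, max_vars):
    """Assumed model: variables are counted in arrival order and every one past
    max_vars is dropped, which is what the post believes was happening."""
    sent = parse_qsl(body, keep_blank_values=True)
    kept = sent[:max_vars]
    idx = {name[3:] for name, _ in kept if name.startswith("idx")}
    val = {name[3:] for name, _ in kept if name.startswith("val")}
    orphans = sorted(idx ^ val)            # cells with only half of their pair
    if len(kept) == len(sent):
        outcome = "complete"
    elif orphans:
        outcome = "broken pair"            # the 'error page' case
    else:
        outcome = "silent partial update"  # valid but short: updates go missing
    return {"sent": len(sent), "dropped": len(sent) - len(kept),
            "orphans": orphans, "outcome": outcome}

if __name__ == "__main__":
    body = build_form(groups=23, fields=26)   # the reduced site from the post
    for limit in (1023, 1024, 1196):
        print(limit, audit(body, limit))
```

An even limit that cuts between pairs leaves a well-formed but short submission, which is why a handler that compares the number of variables it received with the number the form rendered catches the silent case as well as the broken one.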