Can I use phpMyAdmin on a server on which Suhosin is enabled?
Yes, but the default configuration values of Suhosin are known to cause problems with some operations, for example editing a table with many columns and no primary key or with a textual primary key.
The Suhosin configuration might lead to malfunction in some cases, and this cannot be fully avoided, as phpMyAdmin is the kind of application that needs to transfer large numbers of columns in a single HTTP request, which is something Suhosin tries to prevent. Generally, all suhosin.request.*, suhosin.post.* and suhosin.get.* directives can have a negative effect on phpMyAdmin usability. You can always find in your error logs which limit caused a variable to be dropped, so you can diagnose the problem and adjust the matching configuration variable.
The default values for most Suhosin configuration options will work in most scenarios; however, you might want to adjust at least the following parameters:
- suhosin.request.max_vars should be increased (e.g. 2048)
- suhosin.post.max_vars should be increased (e.g. 2048)
- suhosin.request.max_array_index_length should be increased (e.g. 256)
- suhosin.post.max_array_index_length should be increased (e.g. 256)
- suhosin.request.max_totalname_length should be increased (e.g. 8192)
- suhosin.post.max_totalname_length should be increased (e.g. 8192)
- suhosin.get.max_value_length should be increased (e.g. 1024)
- suhosin.sql.bailout_on_error needs to be disabled (the default)
- suhosin.log.* should not include SQL, otherwise you get a big slowdown
- suhosin.sql.union must be disabled (which is the default)
- suhosin.sql.multiselect must be disabled (which is the default)
- suhosin.sql.comment must be disabled (which is the default)
To further improve security, we also recommend these modifications:
- suhosin.executor.include.max_traversal should be enabled as a mitigation against local file inclusion attacks. We suggest setting this to 2 as ../ is used with the ReCaptcha library.
- suhosin.cookie.encrypt should be enabled.
- suhosin.executor.disable_emodifier should be enabled.
You can also disable the warning using the $cfg['SuhosinDisableWarning'].
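The two lists above can be checked against a Suhosin configuration file mechanically. The following is an added example, not part of phpMyAdmin or Suhosin; the function names and the sample configuration are constructed for illustration, and the suhosin.log.* recommendation is not checked.

```python
import re

# Suggested values from the lists above (the page's suggestions, not Suhosin defaults).
MINIMUMS = {
    "suhosin.request.max_vars": 2048,
    "suhosin.post.max_vars": 2048,
    "suhosin.request.max_array_index_length": 256,
    "suhosin.post.max_array_index_length": 256,
    "suhosin.request.max_totalname_length": 8192,
    "suhosin.post.max_totalname_length": 8192,
    "suhosin.get.max_value_length": 1024,
}
MUST_BE_OFF = ("suhosin.sql.bailout_on_error", "suhosin.sql.union",
               "suhosin.sql.multiselect", "suhosin.sql.comment")
SHOULD_BE_ON = ("suhosin.cookie.encrypt", "suhosin.executor.disable_emodifier")
TRAVERSAL = "suhosin.executor.include.max_traversal"
TRUTHY = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Return {directive: value} for 'key = value' lines, ignoring ';' comments."""
    settings = {}
    for line in text.splitlines():
        match = re.match(r"^([\w.]+)\s*=\s*(.*)$", line.split(";", 1)[0].strip())
        if match:
            settings[match.group(1).lower()] = match.group(2).strip().strip('"')
    return settings

def audit(text):
    """Return a sorted list of (directive, problem) tuples; empty means no findings."""
    cfg, findings = parse_ini(text), []
    for key, minimum in MINIMUMS.items():
        raw = cfg.get(key)
        if raw is None or not raw.isdigit():
            findings.append((key, "not set to a number in this file"))
        elif int(raw) < minimum:
            findings.append((key, f"{raw} is below the suggested {minimum}"))
    for key in MUST_BE_OFF:  # absent is accepted: the page states off is the default
        if cfg.get(key, "0").lower() in TRUTHY:
            findings.append((key, "must be disabled"))
    for key in SHOULD_BE_ON:
        if cfg.get(key, "").lower() not in TRUTHY:
            findings.append((key, "should be enabled"))
    if cfg.get(TRAVERSAL) != "2":
        findings.append((TRAVERSAL, "suggested value is 2"))
    return sorted(findings)

# Constructed sample configuration, not taken from a real server.
SAMPLE = "suhosin.post.max_vars = 1000 ; too low\nsuhosin.sql.union = On\n"
if __name__ == "__main__":
    for directive, problem in audit(SAMPLE):
        print(f"{directive}: {problem}")
```
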