SektionEins releases Suhosin 0.9.37

Suhosin 0.9.37 is compatible to PHP 5.6 and comes with new features and extended documentation.


SektionEins is proud to announce the release of the PHP security extension Suhosin version 0.9.37.

Suhosin (pronounced 'su-ho-shin') is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.

This release improves stability and adds a number of useful features, such as

  • array index blacklist and whitelist to protect against attacks like this: http://.../foo.php?a[; or 1=1 --]
  • SQL injection protection for Mysqli
  • SQL username limits
  • experimental UTF-8 exemption for binary data detection
  • Debian package script
  • well documented configuration file
  • numerous new test cases

A complete list of changes can be found in the ChangeLog.

In addition there have been improvements to the online documentation:

Suhosin is officially supported to run with PHP 5.4, 5.5 and 5.6 on Linux. However for security reasons we recommend PHP 5.5 or above. The comprehensive test suite passes on Linux - Debian Wheezy and Ubuntu Trusty - MacOSX 10.9 and FreeBSD 10.1.

The default array index blacklist is set to the following characters: '"+-<>;(). With this change in mind, upgrading from previous versions should be smooth and seamless.

Update: Due to incompatibilities the '-' sign was removed from the default blacklist in version

Download here:

Professional Support: SektionEins provides professional support for Suhosin as well as security audits of web applications, consulting services and trainings. Please use our contact form for more information.

Ben Fuhrmannek