Does Debian's Packaged PHP Include Suhosin?

I had noticed several times, while running PHP scripts, that the default PHP install that comes from the Debian repositories at the moment seems to include Suhosin – running ‘php -v’ yields:

PHP 5.2.6-1+lenny9 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 4 2010 03:25:57)

I had assumed this meant Suhosin was installed, but I was a bit confused as to why Suhosin functions like sha256() and sha256_file() didn’t exist, and also why the constant CRYPT_BLOWFISH didn’t appear to be set.

After a bit of looking around I finally thought to look at the actual Debian package page, which indicates there are actually two variants of PHP/Suhosin:

The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

So I assume the one that comes with PHP when installed via the usual apt-get method is the first variant (the core patch only), and if you want the fully fledged Suhosin you’ll need to figure out how to install the other one (the extension).
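A small check script makes the distinction visible from inside PHP rather than from the ‘php -v’ banner. This is an added example, not code from the original post or from the Suhosin or Debian projects; it assumes the core patch registers the SUHOSIN_PATCH and SUHOSIN_PATCH_VERSION constants, that the extension loads under the module name "suhosin", and that sha256()/sha256_file() and a usable CRYPT_BLOWFISH are only expected once the extension is present.

```php
<?php
// Added example (not from the original post): report whether this PHP
// build carries only the Suhosin core patch, the full Suhosin extension,
// or neither, and which of the extension's features are actually usable.
//
// Assumptions (not verified against the page):
//  - the core patch registers SUHOSIN_PATCH / SUHOSIN_PATCH_VERSION
//  - the extension is registered as the loaded module "suhosin"

function suhosin_status()
{
    $status = array(
        // Core patch: announced in the `php -v` banner; assumed to also
        // expose these constants.
        'patch'          => defined('SUHOSIN_PATCH'),
        'patch_version'  => defined('SUHOSIN_PATCH_VERSION') ? SUHOSIN_PATCH_VERSION : null,
        // Extension: a normal loaded module, so it also shows up in `php -m`.
        'extension'      => extension_loaded('suhosin'),
        // Functions the post expected to find and did not.
        'sha256'         => function_exists('sha256'),
        'sha256_file'    => function_exists('sha256_file'),
        // CRYPT_BLOWFISH is a core constant; it is 1 only when crypt()
        // can actually produce Blowfish ($2a$) hashes on this build.
        'crypt_blowfish' => defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1,
    );

    if ($status['extension']) {
        $status['summary'] = 'full Suhosin extension loaded';
    } elseif ($status['patch']) {
        $status['summary'] = 'Suhosin core patch only (no extension)';
    } else {
        $status['summary'] = 'no Suhosin detected';
    }
    return $status;
}

// Flag the inconsistency the post ran into: the banner says "Suhosin"
// but the extension-level functions are missing.
function suhosin_warnings(array $status)
{
    $warnings = array();
    if ($status['patch'] && !$status['extension']) {
        $warnings[] = 'only the core patch is present; extension protections are not active';
    }
    if ($status['extension'] && !$status['sha256']) {
        $warnings[] = 'extension loaded but sha256() is unavailable; check the build';
    }
    if (!$status['crypt_blowfish']) {
        $warnings[] = 'CRYPT_BLOWFISH is not usable; crypt() will fall back to a weaker scheme';
    }
    return $warnings;
}

if (PHP_SAPI === 'cli') {
    $status = suhosin_status();
    foreach ($status as $key => $value) {
        printf("%-15s %s\n", $key, var_export($value, true));
    }
    foreach (suhosin_warnings($status) as $warning) {
        echo "warning: $warning\n";
    }
}
```

Run it as `php suhosin-check.php`; on the build quoted above the expected result is the "core patch only" summary with sha256 and sha256_file reported as false. `php -m | grep -i suhosin` is the quicker one-liner for the extension alone, since the module list never reflects the core patch.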
