I need to prevent users from accidentally exposing private data stored in the environment variables with phpinfo(). Is there a way to configure Apache or php.ini to disallow sections rendered with phpinfo?
Php – How to prevent Apache/PHP from showing the environment variables section in phpinfo()
Tags: apache-2.2, environment-variables, PHP, php.ini
Best Answer
The information that phpinfo() displays is a bit all or nothing. You can tell phpinfo() to limit what information to display but you have to trust your users to call the function correctly:
You can disable the function entirely using the disable_functions directive in your php.ini file:
For example:
If you're feeling adventurous you could grab the PHP source, hack out the bits that render the Environment variables, then recompile. For example, in PHP 5.3.6 the relevant code can be found in /ext/standard/info.c at around line 950:
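Added example, not part of the original answer and not the info.c code referred to above: a script that checks, on a given server, whether phpinfo() is disabled and whether a section mask really keeps environment values out of the output. It assumes PHP 7.1 or later; the function names and the 8-character threshold are hypothetical choices made for this illustration.

```php
<?php
// Added example, not from the original answer. Assumes PHP 7.1+.
// Run it under the same SAPI and php.ini as the site being checked.
// php.ini setting that turns the function off entirely:
//   disable_functions = phpinfo

// INFO_ENVIRONMENT is the "Environment" table; INFO_VARIABLES prints the
// EGPCS variables, which include $_ENV and $_SERVER.
const SENSITIVE_SECTIONS = INFO_ENVIRONMENT | INFO_VARIABLES;

// Mask for a cooperative caller: every section except the two above.
function safe_phpinfo_mask(): int
{
    return INFO_ALL & ~SENSITIVE_SECTIONS;
}

// Render phpinfo() into a string instead of sending it to the client.
function capture_phpinfo(int $mask): string
{
    ob_start();
    phpinfo($mask);
    return (string) ob_get_clean();
}

// Names of environment variables whose value appears in $output.
// Heuristic: values under 8 characters are skipped to limit chance matches.
function leaked_env_names(string $output): array
{
    $leaked = [];
    foreach (getenv() as $name => $value) {
        // HTML output escapes values; CLI output prints them as-is.
        if (strlen($value) >= 8 && (strpos($output, $value) !== false
            || strpos($output, htmlspecialchars($value)) !== false)) {
            $leaked[] = $name;
        }
    }
    return $leaked;
}

// function_exists() returns false for a function listed in disable_functions.
if (!function_exists('phpinfo')) {
    echo "phpinfo() is disabled by configuration.\n";
} else {
    $full   = leaked_env_names(capture_phpinfo(INFO_ALL));
    $masked = leaked_env_names(capture_phpinfo(safe_phpinfo_mask()));
    printf("phpinfo() is callable.\nfull output exposes %d variable(s)\n", count($full));
    printf("masked output still exposes: %s\n", $masked ? implode(', ', $masked) : 'none');
}
```

The script prints variable names only, never values. A non-empty masked list means some other section repeats those values, so the mask alone is not enough on that server.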