How do I prevent Apache/PHP from showing the environment variables section in phpinfo()?

Posted on

How do I prevent Apache/PHP from showing the environment variables section in phpinfo()? – Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. Plus, it can enable them to detect problems early on before they get out of hand and compromise your business. As a result, the risk of experiencing operational setbacks is drastically lower.

But the only way to make the most of your server management is to perform it correctly. And to help you do so, this article will share nine tips on improving your server management and fix some problem about apache-2.2, php, environment-variables, php.ini, .

I need to prevent users from accidentally exposing private data stored in the environment variables with phpinfo(). Is there a way to configure apache or php.ini to disallow sections rendered with phpinfo?

Solution :

The information that phpinfo() displays is a bit all or nothing. You can tell phpinfo() to limit what information to display but you have to trust your users to call the function correctly:

You can disable the function entirely using the disable_functions directive in your php.ini file:

For example:

disable_functions = phpinfo

If you’re feeling adventurous you could grab the PHP source, hack out the bits that render the Environment variables, then recompile. For example, in PHP 5.3.6 the relevant code can be found in /ext/standard/info.c at around line 950:

  php_info_print_table_header(2, "Variable", "Value");
  for (env=environ; env!=NULL && *env !=NULL; env++) {
    tmp1 = estrdup(*env);
    if (!(tmp2=strchr(tmp1,'='))) { /* malformed entry? */
    *tmp2 = 0;
    php_info_print_table_row(2, tmp1, tmp2);

Leave a Reply

Your email address will not be published. Required fields are marked *