Avoid using the phpinfo function

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: php-security/avoid-using-phpinfo

Language: PHP

Severity: Error

Category: Security

CWE: 200

Description

The phpinfo() function is a built-in function in PHP that outputs a large amount of information about the current state of PHP. This includes information about PHP compilation options and extensions, the PHP version, server information and environment (if compiled as a module), the PHP environment, OS version information, paths, parent and local values of configuration options, HTTP headers, and the PHP License.

Using the phpinfo() function can pose a significant security risk, as it exposes all of this information to anyone who can access the page. This can potentially aid an attacker in finding a vulnerability in your server or application.

To avoid this, do not use the phpinfo() function in a production environment. If you need to use it for debugging purposes, make sure to remove it once you’re done. You can also restrict access to the page containing the phpinfo() function to only trusted individuals. Use other debugging methods that do not expose sensitive information whenever possible.

Non-Compliant Code Examples

<?php
echo phpinfo();

Compliant Code Examples

<?php
echo "Hello World!";
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

Datadog Code Analysis
PREVIEWING: esther/docs-8632-slo-blog-links