Avoid using the phpinfo function

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

ID: php-security/avoid-using-phpinfo

Language: PHP

Severity: Error

Category: Security

CWE: 200

Description

The phpinfo() function is a built-in function in PHP that outputs a large amount of information about the current state of PHP. This includes information about PHP compilation options and extensions, the PHP version, server information and environment (if compiled as a module), the PHP environment, OS version information, paths, parent and local values of configuration options, HTTP headers, and the PHP License.

Using the phpinfo() function can pose a significant security risk, as it exposes all of this information to anyone who can access the page. This can potentially aid an attacker in finding a vulnerability in your server or application.

To avoid this, do not use the phpinfo() function in a production environment. If you need to use it for debugging purposes, make sure to remove it once you’re done. You can also restrict access to the page containing the phpinfo() function to only trusted individuals. Use other debugging methods that do not expose sensitive information whenever possible.

Non-Compliant Code Examples

<?php
echo phpinfo();

Compliant Code Examples

<?php
echo "Hello World!";
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

PREVIEWING: may/unit-testing