English
English
In the PHP development and operation and maintenance process, ensuring the secure configuration of the PHP environment is an extremely important part. The phpinfo() function is a powerful tool that comes with PHP. It can display all configuration information of the current PHP environment in detail, including version, compilation options, extension modules, environment variables, PHP variables, and HTTP header information. By viewing the content output from phpinfo(), we can help us quickly check whether the security settings of PHP are reasonable and perfect.
In your server or local environment, create a new PHP file, such as info.php, with the following content:
<?php
phpinfo();
?>
Then access in the browser:
http://gitbox.net/info.php
You will see a detailed configuration page that lists all information about the PHP runtime.
This option controls whether the error message is displayed directly on the page. The production environment should be shut down to prevent the leak of server paths and code information.
display_errors => Off
If enabled, PHP version information will be exposed on the HTTP header, which is easily exploited by attackers. Should be closed.
expose_php => Off
The historical legacy configuration will automatically register the GET/POST/Cookie variable as a global variable after being turned on, which can easily cause security problems and should be turned off.
register_globals => Off
These two configurations involve whether to allow access to files through URLs and include remote files. Production environments are usually shut down to prevent remote code execution attacks.
allow_url_fopen => Off
allow_url_include => Off
Restrict PHP scripts to access only specified directories to prevent illegal access of the file system.
open_basedir => /var/www/html/
When enabled, client scripts cannot access cookies through JavaScript, enhancing protection.
session.cookie_httponly => On
The content output via phpinfo() can be:
Confirm whether the PHP version is the latest stable version to prevent known vulnerabilities.
Check if unsafe extensions or modules are loaded.
Check whether sensitive information is exposed in the environment variable.
In conjunction with server configuration, verify PHP's file access restrictions.
phpinfo() is a powerful tool for quickly checking PHP environment information and the first step in security auditing. Although phpinfo() itself does not have security functions, the information obtained through it can help us discover security risks in the configuration in a timely manner and avoid being exploited by hackers. Be sure not to place pages containing phpinfo() in a public network environment or ensure strict access control.
