The phpinfo() function is a very powerful one; through it, you can learn quite a lot about your PHP installation. The problem is, so can someone else. PHP is a very powerful application, but in the wrong hands it is also a very powerful tool for compromising your server's security.
The best way to combat the potential problems that someone using phpinfo() can cause is, of course, to not have a publicly accessible script that runs the function. Sometimes, during testing, you need to upload a simple script that calls it, for your own reference. It's simply phpinfo() wrapped in PHP tags: <?php phpinfo(); ?>
If you forget to delete the script when you're done, someone intent on compromising your system could try to find the page, especially if you have named it something obvious such as test.php or phpinfo.php. If you're the extremely cautious sort, there's something you can do.
You can completely disable phpinfo(), and then re-enable it later should you need to perform more testing. To do this, find your php.ini file. Its location is shown in the output of phpinfo() itself, as the precise path depends on your operating system and distribution. Once you've found the file and opened it with your favourite text editor, insert the following directive:
disable_functions = phpinfo
Reboot your server, and you’re secure. Just remember to re-enable it if you should need to do further testing on PHP.
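The check a cautious administrator would want after making this edit is a way to confirm that the php.ini actually in use lists phpinfo under disable_functions, and that a commented-out line does not fool the check. The following shell script is an added example and not part of the original article; the function names (phpini_disabled_functions, phpinfo_is_disabled, make_sample_ini) are my own, and the php.ini contents it writes are constructed samples, not any real server's configuration.

```shell
#!/bin/sh
# Added example: verify that a php.ini file disables phpinfo().
# All php.ini content below is constructed for the demonstration.

# Print the effective value of disable_functions from a php.ini file.
# Lines starting with ';' are comments and are skipped; whitespace around
# '=' is tolerated, a trailing ';' comment is stripped, surrounding quotes
# are removed, and if the directive repeats the last one wins (as in PHP).
phpini_disabled_functions() {
    ini_file=$1
    sed -n -e 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini_file" \
    | sed -e 's/[[:space:]]*;.*$//' -e 's/^"//' -e 's/"$//' \
    | tail -n 1
}

# Exit status 0 when phpinfo appears as a whole entry in the list.
# The list is split on commas and compared as whole tokens, so an entry
# such as "phpinfo_fake" does not count as a match.
phpinfo_is_disabled() {
    list=$(phpini_disabled_functions "$1")
    echo "$list" | tr -d ' \t' | tr ',' '\n' | grep -qx 'phpinfo'
}

# Write a constructed sample php.ini to $1. With $2 = "on" it includes
# a disable_functions line containing phpinfo (plus two other entries);
# in both cases it contains a commented-out copy that must NOT count.
make_sample_ini() {
    {
        echo '[PHP]'
        echo '; disable_functions = phpinfo   <- commented out, must not count'
        echo 'expose_php = Off'
        if [ "$2" = on ]; then
            echo 'disable_functions = exec, phpinfo, system'
        fi
    } > "$1"
}

# Stand-alone demonstration over the two constructed files.
tmpdir=$(mktemp -d)
make_sample_ini "$tmpdir/hardened.ini" on
make_sample_ini "$tmpdir/default.ini" off
for name in hardened default; do
    if phpinfo_is_disabled "$tmpdir/$name.ini"; then
        echo "$name.ini: phpinfo() is disabled"
    else
        echo "$name.ini: phpinfo() is still callable"
    fi
done
rm -rf "$tmpdir"
```

To use it against a real system, point phpinfo_is_disabled at the file that PHP reports as "Loaded Configuration File" (php --ini prints the same path from the command line). Keep in mind that disable_functions can only be set in php.ini, not from ini_set() or .htaccess, and that the running PHP process (web server module or PHP-FPM) must be restarted before the change takes effect, which is why the article's restart step matters.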
There are all sorts of things you can do to make your server secure. Securing PHP is one of the most vital, because PHP can be used as a gateway into your system, even as the vehicle for SQL injection attacks. Of course, one would really have to know what they're doing to gain access to your system, but you never want to give out too much information. By disabling phpinfo(), you accomplish that, at least as far as PHP is concerned.