Understanding phpinfo(): What it is and how to use it safely
phpinfo() prints a detailed snapshot of your PHP environment. This guide explains what it shows and how to use it safely.
What is phpinfo()?
phpinfo() is a PHP function that outputs a detailed page about the current PHP configuration. It helps developers confirm the PHP version, enabled extensions, and various directives set in php.ini. You can trigger it by placing a file with the following contents on the server and requesting it:
<?php
phpinfo();
?>
What it displays
The page includes sections like PHP Version, System, Configuration Options, PHP Variables, and loaded configuration files. It shows the values of many PHP directives (like display_errors, memory_limit), the loaded modules, and server details (SERVER_SOFTWARE, SERVER_NAME). It also lists the path to the loaded php.ini and other local configuration files.
Common use cases
- Verifying the PHP version and built-in modules on a server
- Checking which php.ini directives are in effect
- Diagnosing issues related to extensions or environment
 
Security considerations
Exposing phpinfo() output on a publicly accessible site can reveal sensitive information.
Risks of exposing phpinfo()
- Reveals server software, operating system, and file paths
- Shows loaded extensions and configuration file locations
- Enables attackers to tailor exploits based on version and modules
 
Safe usage guidelines
- Only run phpinfo() on development or staging environments, not production
- Restrict access with authentication or IP allowlisting
- Remove the file immediately after use
- If you need ongoing visibility, use CLI tools or restricted views
 
Alternatives for auditing
- Use php -i on the command line to get similar information
- Check configuration with php --ini and php -v
- Review php.ini and module installation through server control panels or configuration management
 
Best practices
- Never leave a public phpinfo() page on a live site
- Place the file in a protected directory or deny public access via web server rules
- Expose only the minimum information required in production environments
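
One way to enforce the "remove the file" and "never leave a public phpinfo() page" advice is to scan the document root before each deploy. The script below is an added example, not part of the original article; the file extensions it scans and the sample tree it builds are assumptions, so adjust the extensions to whatever your server passes to PHP.

```shell
#!/bin/sh
# Added example: audit a document root for leftover phpinfo() pages.

# Print "path:line:text" for each phpinfo() call in files PHP may execute.
# Function names in PHP are case-insensitive, so the match is too.
# Lines that are only a comment (//, #, or * in a docblock) are skipped.
# Always returns 0; empty output means nothing was found.
find_phpinfo_calls() {
    find "$1" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -HnEi '(^|[^[:alnum:]_])phpinfo[[:space:]]*\(' {} + |
        grep -Ev '^[^:]+:[0-9]+:[[:space:]]*(//|#|\*)' || true
}

# Count distinct files with a hit, for use as a deploy or CI gate.
count_phpinfo_files() {
    find_phpinfo_calls "$1" | cut -d: -f1 | sort -u | grep -c . || true
}

# Constructed sample tree (not from the article) to exercise the scan.
build_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/admin" "$d/lib"
    printf '<?php\nphpinfo();\n?>\n' > "$d/info.php"
    printf '<?php\n  PHPINFO (INFO_MODULES);\n' > "$d/admin/test.phtml"
    printf '<?php\n// phpinfo(); removed after debugging\necho "ok";\n' > "$d/lib/clean.php"
    printf '<?php\necho my_phpinfo_wrapper();\n' > "$d/lib/other.php"
    printf 'phpinfo() notes\n' > "$d/README.txt"
    echo "$d"
}

sample=$(build_sample_docroot)
find_phpinfo_calls "$sample"
echo "files with phpinfo(): $(count_phpinfo_files "$sample")"
rm -rf "$sample"
```

A non-zero count from count_phpinfo_files can fail a deployment step; the scan is a text match, so review each hit rather than deleting files automatically.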
 
Anne Kanana