What should I do if phpinfo() cannot come out of php code security?

php code security The solution to the problem that phpinfo() cannot come out: first open the php.ini file, find the "short_open_tag" item, and set it to "short_open_tag = On"; then restart apache and reload the php.ini service That’s it.

The operating environment of this tutorial: windows7 system, PHP7.1 version, DELL G3 computer

1. Problem description

I wrote a php file test.php, the code is as follows:

<?php
    echo phpinfo();
?>

The browser visited it, but returned NULL.

##2. Problem location and solution

I checked online and found that the problem encountered by most people is actually the problem of short_open_tags , their code is as follows:

<?
    echo phpinfo();
?>

Solution:

In this case, you need to open the php.ini file, find "short_open_tag", and comment the line short_open_tag = Off Off, then open it; short_open_tag = On is enough, then restart apache, reload the php.ini service and it will be OK.

There are two more questions here. One is how to know which php.ini file is loaded when php is executed. You can execute it on the command line: php --ini to find the php.ini file; The second is how to reload the php.ini file. If php-fpm is enabled on your server, generally speaking, restarting php-fpm will be OK. The command is: service php-fmp restart. If the php-fpm service is not enabled (more Earlier version of PHP), generally restarting the apache service is OK, the command is service httpd restart.

After following the above steps, the problems encountered by most people will be solved, but this is someone else's problem, not mine orz...

Helpless , I felt that this must be related to the configuration of php, so I went to the official website to read the php.ini document. The following configuration is as follows:

　　disable_functions string

This command allows you to prohibit certain functions for security reasons. . Accepts a comma separated list of function names as arguments. disable_functions are not affected by safe mode. This directive can only be set in php.ini. For example, it cannot be set in httpd.conf

, which means that some methods can be configured in php.ini, but these methods cannot be called. Open php.ini to find this configuration. Sure enough, the phpinfo() method is Disabled, as follows:

disable_functions = phpinfo,system,proc_open,proc_close,show_source,popen,pclose

It suddenly dawned on me, temporarily deleted the phpinfo() method from disable_functions, reloaded the php.ini file, and then accessed test.php from the browser again, this time it was successful. Yes, problem solved. However, I would like to remind my friends that phpinfo() is very sensitive information. It is usually best not to expose it to the client, so I quickly turned it off after the test.

Recommended learning: "

PHP Video Tutorial"

The above is the detailed content of What should I do if phpinfo() cannot come out of php code security?. For more information, please follow other related articles on the PHP Chinese website!