11

I have a publicly accessible page which just has

<?php phpinfo(); ?>

I use it for debugging purposes while we're in beta, but is there any harm in leaving it accessible when it's a live site?

siliconpi

1 Answer

13

It would entirely depend on how confident you are about your PHP install. If you think it is rock solid, even if an attacker knows everything about your PHP install, then you could leave it in place.

But really, why would you leave this in place on a production system anyway? There may be exploits you are not aware of in your version of PHP - people may now or in future scan for your version of PHP, or particular options you have enabled, because they know how to carry out these exploits. So by keeping this up publicly, you added yourself to their hitlist.

If you want to keep it up, you can put it in a password-protected directory, or just switch it on when you need it. Given the small cost of these options, I wouldn't take the risk of keeping it public.

dunxd
  • 2
    Wrapping the function call in a conditional usually does the trick - i.e. `` (where `1.2.3.4` is your IP address) – danlefree Oct 25 '10 at 10:25
  • Thanks @dunxd - and thanks @danlefree for the tip... there are so many sites that still expose their phpinfos! – siliconpi Oct 25 '10 at 11:21
  • 1
    There are a lot of sites that expose phpmyadmin too - don't follow the examples of low security of other people. They may not value their data or integrity of their server as much as you value yours. – dunxd Oct 25 '10 at 11:58
  • While @dunxd's solution is thorough and perfect, I really like @danlefree's solution to the problem. I'm not sure why I never thought of this before and I will be using this model going forward. To remain on topic, I also wanted to add I too am of the opinion that exposing PHP publicly in a `phpinfo()` function is not a wise idea. – justinhartman Oct 31 '17 at 14:44
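
An added example, not part of the original thread and not danlefree's code (the snippet in that comment did not survive on this page): one way to implement the conditional wrapper the comments describe, assuming the debug page is reached directly rather than through a reverse proxy. The allow-listed addresses and the `is_debug_client` helper are hypothetical placeholders.

```php
<?php
// Added example: serve phpinfo() only to allow-listed client addresses.
// 192.0.2.10 and 2001:db8::10 are documentation addresses used as
// placeholders (assumption); replace them with your own admin IPs.
declare(strict_types=1);

const DEBUG_ALLOWED_IPS = ['192.0.2.10', '2001:db8::10'];

/**
 * True only when $remoteAddr is a valid IP that matches an allow-list entry.
 * Addresses are compared in packed binary form, so different textual
 * spellings of the same IPv6 address still compare equal.
 */
function is_debug_client(string $remoteAddr, array $allowed): bool
{
    $client = @inet_pton($remoteAddr);
    if ($client === false) {
        return false; // empty or malformed address: deny
    }
    foreach ($allowed as $ip) {
        $packed = @inet_pton($ip);
        if ($packed !== false && $packed === $client) {
            return true;
        }
    }
    return false;
}

// Use the socket peer address only. Headers such as X-Forwarded-For are
// client-controlled unless a trusted reverse proxy overwrites them, so they
// must not decide access here. Behind a proxy, REMOTE_ADDR is the proxy's
// address and this check needs to move to the proxy instead.
$peer = $_SERVER['REMOTE_ADDR'] ?? '';

if (!is_debug_client($peer, DEBUG_ALLOWED_IPS)) {
    // Respond like a missing page so a scan does not learn the file exists.
    http_response_code(404);
    exit;
}

// The output lists versions, paths and environment values; keep it out of caches.
header('Cache-Control: no-store');
phpinfo();
```

An IP check of this kind complements, rather than replaces, the password-protected directory suggested in the answer, since a shared office or VPN egress address admits everyone behind it.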