[nycphp-talk] why phpinfo exposes $_ENV
Hans Zaunere
hans at nyphp.org
Thu Jun 19 17:04:35 EDT 2003
--- David Mintz <dmintz at panix.com> wrote:
>
> Hello,
>
> This is the dude who just got started with a fresh AMP environment on my
> Red Hat 9 box, thanks again for the help. It's workin'.
>
> I notice that phpinfo() output includes $_ENV, which seems a little
> intrusive, and I'm wondering why and what can be done about it. (I googled
> for this and found a thousand people's phpinfo hanging out in public, and
> one reference to the issue, but no solution. Perused the php docs too.)
>
> My httpd is running as nobody and the script in question is owned by user
> david, that's whose environment is being printed.
>
> I recognize that it's not considered good security practice to advertise
> your phpinfo and I don't plan to, but I'm curious about this anyway. TIA.
Take a look at the blurb about variables_order at
http://us2.php.net/manual/en/configuration.directives.php. You'll want to
take the 'E' out of that setting, which can be done via php.ini or
httpd.conf.
H
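
A check for the setting discussed in the reply above, as an added example that is not part of the original thread: it reads the text of a php.ini and an httpd.conf and reports whether 'E' is still present in each uncommented `variables_order` setting. The sample file contents and the function names are constructed for illustration; `EGPCS` is PHP's built-in default when the directive is never set, and `php_value` / `php_admin_value` are the mod_php directives for setting it from Apache configuration.

```python
import re

PHP_DEFAULT = "EGPCS"  # PHP's built-in default when the directive is never set

# Constructed sample files (not taken from the thread).
SAMPLE_PHP_INI = """\
; variables_order = "GPCS"   <- commented out, has no effect
variables_order = "EGPCS"
register_globals = Off
"""

SAMPLE_HTTPD_CONF = """\
# php_value variables_order "EGPCS"
<Directory "/var/www/html">
    php_value variables_order "GPCS"
</Directory>
"""

# php.ini comments start with ';', Apache comments with '#'; anchoring at the
# start of the line means commented-out settings are never matched.
INI_RE = re.compile(r'^\s*variables_order\s*=\s*"?([A-Za-z]*)"?', re.M)
APACHE_RE = re.compile(
    r'^\s*php_(?:admin_)?value\s+variables_order\s+"?([A-Za-z]*)"?',
    re.M | re.I)


def ini_value(text):
    """Last uncommented variables_order in php.ini text, else PHP's default."""
    found = INI_RE.findall(text)
    return found[-1].upper() if found else PHP_DEFAULT


def apache_overrides(text):
    """Every uncommented php_value/php_admin_value override, in file order."""
    return [v.upper() for v in APACHE_RE.findall(text)]


def audit(php_ini, httpd_conf=""):
    """Return (source, value, populates_env) for each place the directive is set."""
    rows = [("php.ini", ini_value(php_ini))]
    rows += [("httpd.conf", v) for v in apache_overrides(httpd_conf)]
    return [(src, val, "E" in val) for src, val in rows]


if __name__ == "__main__":
    for src, val, populated in audit(SAMPLE_PHP_INI, SAMPLE_HTTPD_CONF):
        print(f"{src:10} variables_order={val!r:8} $_ENV populated: {populated}")
```

Apache overrides are listed individually because each applies only inside the container it appears in, so the php.ini value still governs every other directory.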