On Thu, 16 Dec 2010 00:13:31 +0700, "Daniel P. Brown" <daniel.brown@xxxxxxxxxxxx> wrote:
> Well, phpinfo() does, by default, divulge some things that could be considered security concerns --- particularly in poorly-managed environments. Primarily, this is by giving a synopsis of versions and paths of software, but some versions and configurations will also broadcast information about the currently logged-in user (PTS/TTY) in the $_ENV display. Sure, you can display everything manually that phpinfo() does automatically, but it's easier for some to vilify something because they heard it was bad than to actually address the greater issues. In cases like this, I'd agree with Al's response; there are plenty of other web hosts out there.

Well, I was hoping for stronger arguments to get that DONE. I would think there would be something in the PHP license that would FORBID disabling functionality. After all, 'phpinfo' is essential, really, to achieving secure applications, isn't it? My setups are secure, I want to keep it that way. Shouldn't hosters be required to provide an alternative phpinfo, say behind the login control panel?

I can't see that anyone could upload a phpinfo command to a properly configured server and execute it. I have renamed my 'phpinfo.php' file to something innocuous. Unfortunately I've found changing hosting companies to often result in a lot of work for just as obnoxious tech service as the last.

Thank you both for the feedback. It helps. I've had fetching issues the past couple of days with my connection but think I will get that straightened out soon.
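
The thread raises two points a site owner can act on: phpinfo() leaks environment data, and a diagnostics page is better kept behind a login than behind an obscure filename. The PHP sketch below is an added example, not code from either poster. It assumes the SAPI populates `PHP_AUTH_USER`/`PHP_AUTH_PW`, and `DIAG_USER`, `DIAG_PASS_HASH` and `deny()` are hypothetical names with a placeholder hash.

```php
<?php
// Added example: a diagnostics page gated by HTTP Basic auth over HTTPS that
// leaves out the phpinfo() sections carrying environment and request data.
declare(strict_types=1);

const DIAG_USER = 'diag'; // hypothetical account name
// Placeholder. Generate a real value with:
//   php -r 'echo password_hash("your-passphrase", PASSWORD_DEFAULT);'
const DIAG_PASS_HASH = 'REPLACE_WITH_PASSWORD_HASH_OUTPUT';

function deny(int $code, string $msg): void
{
    if ($code === 401) {
        header('WWW-Authenticate: Basic realm="diagnostics"');
    }
    http_response_code($code);
    header('Content-Type: text/plain');
    exit($msg . "\n");
}

// Basic auth sends the password with every request, so refuse plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    deny(403, 'HTTPS required');
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
// password_verify() returns false for the placeholder, so the page stays
// closed until a real hash is configured.
if (!hash_equals(DIAG_USER, $user) || !password_verify($pass, DIAG_PASS_HASH)) {
    deny(401, 'Authentication required');
}

header('Cache-Control: no-store');

// If the host has disabled phpinfo(), fall back to a short manual summary.
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
if (in_array('phpinfo', $disabled, true) || !function_exists('phpinfo')) {
    header('Content-Type: text/plain');
    echo 'PHP ', PHP_VERSION, ' (', PHP_SAPI, ")\n";
    echo 'Extensions: ', implode(', ', get_loaded_extensions()), "\n";
    exit;
}

// Omitted on purpose: INFO_ENVIRONMENT and INFO_VARIABLES (the $_ENV and
// request data mentioned in the thread) and INFO_MODULES, whose per-module
// sections can echo request headers and server environment.
phpinfo(INFO_GENERAL | INFO_CONFIGURATION);
```

INFO_GENERAL still shows the PHP version, build details and php.ini path, so the authentication gate is what limits who sees the page.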