Knowing the structure of your filesystem might allow hackers to execute directory traversal attacks if your site is vulnerable to them.

I think exposing phpinfo() on its own isn&#39;t necessarily a risk, but in combination with another vulnerability could lead to your site becoming compromised.

Obviously, the less specific info hackers have about your system, the better. Disabling phpinfo() won&#39;t make your site secure, but will make it slightly more difficult for them.

Besides the obvious like being able to see if `register_globals` is On, and where files might be located in your include_path, there&#39;s all the `$_SERVER` (`$_SERVER[&quot;DOCUMENT_ROOT&quot;]` can give clues to define a relative pathname to `/etc/passwd`) and `$_ENV` information (it&#39;s amazing what people store in `$_ENV`, such as encryption keys)

The biggest problem is that many versions make XSS attacks simple by printing the contents of the URL and other data used to access it.

http://www.php-security.org/MOPB/MOPB-08-2007.html

A well-configured, up-to-date system can afford to expose `phpinfo()` without risk.

Still, it is possible to get hold of so much detailed information - especially module versions, which could make a cracker&#39;s life easier when newly-discovered exploits come up - that I think it&#39;s good practice **not** to leave them up. Especially on shared hosting, where you have no influence on everyday server administration.

Hackers can use this information to find vulnerabilities and hack your site.

Honestly, not much. Personally, I frequently leave `phpinfo()` pages up.

If you have some serious misconfigurations (e.g. PHP is running as root), or you&#39;re using old and vulnerable versions of some extensions or PHP itself, this information will be more exposed. On the other hand, you also wouldn&#39;t be protected by not exposing `phpinfo()`; you should have instead take care of having your server up-to-date and correctly configured.

Given:

    static TDest Gimme&lt;TSource,TDest&gt;(TSource source) 
    { 
        return default(TDest); 
    }

Why can&#39;t I do:

    string dest = Gimme(5);

without getting the compiler error:

`error CS0411: The type arguments for method &#39;Whatever.Gimme&lt;TSource,TDest&gt;(TSource)&#39; cannot be inferred from the usage. Try specifying the type arguments explicitly.`

The `5` can be inferred as `int`, but there&#39;s a restriction where the compiler won&#39;t/can&#39;t resolve the return type as a `string`.  I&#39;ve read in several places that *this is by design* but no real explanation.  I read somewhere that this might change in C# 4, but it hasn&#39;t.

Anyone know why return types cannot be inferred from generic methods?  Is this one of those questions where the answer&#39;s so obvious it&#39;s staring you in the face?  I hope not!

Generic methods in .NET cannot have their return types inferred. Why?

I just wonder how to change the text between html tags right from the normal mode, like the way we can change text within double-quotes thanks to `ci&quot;` ?



Vim : changing text between html tags

If a `phpinfo()` dump is shown to an end user, what is the worst that a malicious user could do with that information? What fields are most unsecure? That is, if your `phpinfo()` was publicly displayed, after taking it down, where should you watch/focus for malicious exploits? 


What security problems could come from exposing phpinfo() to end users?

<p>If a <code>phpinfo()</code> dump is shown to an end user, what is the worst that a malicious user could do with that information? What fields are most unsecure? That is, if your <code>phpinfo()</code> was publicly displayed, after taking it down, where should you watch/focus for malicious exploits?</p>


I have to create a PHP that will return an image stream of one transparent dot (PNG or GIF)

Could you point me to an easy to use solution?

PHP script to render a single transparent pixel (PNG or GIF)

I&#39;ve been trying to push an item to an associative array like this:

    $new_input[&#39;name&#39;] = array(
        &#39;type&#39; =&gt; &#39;text&#39;, 
        &#39;label&#39; =&gt; &#39;First name&#39;, 
        &#39;show&#39; =&gt; true, 
        &#39;required&#39; =&gt; true
    );
    array_push($options[&#39;inputs&#39;], $new_input);

However, instead of &#39;name&#39; as the key in adds a number. Is there another way to do it?

Push item to associative array in PHP

I&#39;m starting with a date `2010-05-01` and ending with `2010-05-10`.  How can I iterate through all of those dates in PHP?

I have 2 dates in PHP, how can I run a foreach loop to go through all of those days?

I want error logging in PHP CodeIgniter. How do I enable error logging?  

I have some questions:

  1. What are all the steps to log an error?
  2. How is an error log file created?
  3. How to push the error message into log file (whenever an error occurs)?
  4. How do you e-mail that error to an email address?

How to do error logging in CodeIgniter (PHP)

How do the following two function calls compare:

    isset($a[&#39;key&#39;])

    array_key_exists(&#39;key&#39;, $a)



What&#39;s the difference between isset() and array_key_exists()?

How does this giant regex work?

I noticed that most sites send the passwords as plain text over HTTPS to the server. Is there any advantage if instead of that I sent the hash of the password to the server? Would it be more secure?

Should I hash the password before sending it to the server side?

Each page in an MVC application I&#39;m working with sets these HTTP headers in responses:

    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    X-AspNetMvc-Version: 2.0

How do I prevent these from showing? 

How to remove ASP.Net MVC Default HTTP Headers?

What are the most secure sources of entropy to seed a random number generator?  This question is language and platform independent and applies to any machine on a network.  Ideally I&#39;m looking for sources available to a machine in a cloud environment or server provided by a hosting company.

There are two important weaknesses to keep in mind. The use of time for sending a random number generator is a violation of [CWE-337][1].  The use of a small seed space would be a violation of [CWE-339][2].


  [1]: http://cwe.mitre.org/data/definitions/337.html
  [2]: http://cwe.mitre.org/data/definitions/339.html

What is the most secure seed for random number generation?

Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an `access_token` (which is used to authenticate oneself with a resource) as well as a `refresh_token`, which is used purely to create a new `access_token`:

https://www.rfc-editor.org/rfc/rfc6749#section-4.2

Why have both? Why not just make the `access_token` last as long as the `refresh_token` and not have a `refresh_token`?

Content Type	Original Author	Original Content on Stackoverflow
Question	Yahel	View Question on Stackoverflow
Solution 1 - Php	Michael Jones	View Answer on Stackoverflow
Solution 2 - Php	Mark Baker	View Answer on Stackoverflow
Solution 3 - Php	symcbean	View Answer on Stackoverflow
Solution 4 - Php	Pekka	View Answer on Stackoverflow
Solution 5 - Php	mcandre	View Answer on Stackoverflow
Solution 6 - Php	Artefacto	View Answer on Stackoverflow

What security problems could come from exposing phpinfo() to end users?

Php Problem Overview

Php Solutions

Solution 1 - Php

Solution 2 - Php

Solution 3 - Php

Solution 4 - Php

Solution 5 - Php

Solution 6 - Php

Vim : changing text between html tags

Generic methods in .NET cannot have their return types inferred. Why?

Attributions