{"id":18482854,"url":"https://github.com/spaze/phpinfo","last_synced_at":"2026-04-10T23:16:15.513Z","repository":{"id":45076175,"uuid":"303166272","full_name":"spaze/phpinfo","owner":"spaze","description":"Extract phpinfo() into a variable and move CSS to external file, sanitize sensitive info","archived":false,"fork":false,"pushed_at":"2025-08-12T12:12:43.000Z","size":47,"stargazers_count":11,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-12T14:27:50.596Z","etag":null,"topics":["php","phpinfo","sanitization"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spaze.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-10-11T16:40:54.000Z","updated_at":"2025-08-12T12:12:45.000Z","dependencies_parsed_at":"2023-01-22T07:01:56.691Z","dependency_job_id":"12952d6e-b135-4cbf-9076-4e9d59a87f65","html_url":"https://github.com/spaze/phpinfo","commit_stats":{"total_commits":12,"total_committers":1,"mean_commits":12.0,"dds":0.0,"last_synced_commit":"85cb39b71ec564408810ebc69b8b7da1c1022277"},"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/spaze/phpinfo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spaze%2Fphpinfo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spaze%2Fphpinfo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spaze%2Fphpinfo/releases","manifests_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/repositories/spaze%2Fphpinfo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spaze","download_url":"https://codeload.github.com/spaze/phpinfo/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spaze%2Fphpinfo/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271773970,"owners_count":24818388,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-23T02:00:09.327Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["php","phpinfo","sanitization"],"created_at":"2024-11-06T12:31:17.340Z","updated_at":"2026-04-10T23:16:15.499Z","avatar_url":"https://github.com/spaze.png","language":"PHP","readme":"# phpinfo\nExtract `phpinfo()` into a variable and move CSS to external file.\n\nThis might be handy when you want to show the output from `phpinfo()` to authenticated users only in your site's layout for example.\n\n```php\n$phpInfo = new \\Spaze\\PhpInfo\\PhpInfo();\n$html = $phpInfo-\u003egetHtml();\n```\n\n## `getHtml(int $flags = INFO_ALL): string`\nThe `getHtml()` method returns the `phpinfo()` output, without the HTML `head` and `body` elements, wrapped in `\u003cdiv id=\"phpinfo\"\u003e` \u0026 `\u003c/div\u003e`.\n\nAll inline CSS will be \"externalized\" to CSS classes, you can load `src/assets/info.css` to get the colors 
back (or `vendor/spaze/phpinfo/src/assets/info.css` when installed via Composer).\n\nAn example usage with Nette Framework (can be used with other frameworks or standalone, too):\n```php\n$this-\u003etemplate-\u003ephpinfo = Html::el()-\u003esetHtml($this-\u003ephpInfo-\u003egetHtml());\n```\n\nThe output may be customized by passing one or more of the constants [specified in the PHP manual](https://www.php.net/function.phpinfo#refsect1-function.phpinfo-parameters) in the optional `$flags` parameter.\n\nPlease note that this will also remove the HTML `head` element which contains `meta name=\"ROBOTS\"` tag preventing search engines and other bots indexing the `phpinfo()` output.\nYou have to add it back somehow, for example by rendering the `getHtml()` output in your own layout which includes the `head` element with the `meta name=\"ROBOTS\"` tag.\nIn general, `phpinfo()` output should be accessible only for authenticated users.\n\n## `getFullPageHtml(int $flags = INFO_ALL): string`\nSometimes, you may want to display the classic `phpinfo()` output, with the original HTML `head` and `body` elements, `meta name=\"ROBOTS\"` tag, inline styles etc.,\nbut still with the sensitive info sanitized (see below). 
In that case, you may use `getFullPageHtml()`:\n```php\n$phpInfo = new \\Spaze\\PhpInfo\\PhpInfo();\necho $phpInfo-\u003egetFullPageHtml();\n```\n\nThe output of this method may also be customized by passing one or more of the constants [specified in the PHP manual](https://www.php.net/function.phpinfo#refsect1-function.phpinfo-parameters) in the optional `$flags` parameter.\n\n## Sanitization\nBy default, the session id will be automatically determined and replaced by `[***]` in the output.\nThis is to prevent some session hijacking attacks that would read the session id from the cookie value reflected in the `phpinfo()` output\n(see my [blog post](https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it) describing the attack, `HttpOnly` bypasses, and the solution).\nYou can disable the sanitization by calling `doNotSanitizeSessionId()` but it's totally not recommended. Do not disable that. Please.\n\nYou can add your own strings to be sanitized in the output with\n```php\naddSanitization(string $sanitize, ?string $with = null): self\n```\nIf found, the string in `$sanitize` will be replaced with the string `$with`; if `$with` is null then the sanitizer's default replacement string will be used instead.\nThe sanitizer's default replacement is `[***]` unless you pass a custom string to `Spaze\\PhpInfo\\SensitiveValueSanitizer`.\n\nTo change the default sanitization from `[***]` to a custom string, pass the string to `Spaze\\PhpInfo\\SensitiveValueSanitizer` and then pass the sanitizer to `Spaze\\PhpInfo\\PhpInfo`:\n```php\n$sanitizer = new \\Spaze\\PhpInfo\\SensitiveValueSanitizer('🦘');\n$phpInfo = new \\Spaze\\PhpInfo\\PhpInfo($sanitizer);\n$html = $phpInfo-\u003egetHtml();\n```\n\nSome of the values in `phpinfo()` output are printed URL-encoded, so the `$sanitize` value will also be searched URL-encoded automatically.\nThis means that both `foo,bar` and `foo%2Cbar` would be replaced.\n\nThe sanitizer will try to determine the session id and 
sanitize it automatically, you can (but shouldn't) disable it with `doNotSanitizeSessionId()`.\n\nThe following values will be used when determining the session id:\n1. `session_id()` output if not `false`\n2. `$_COOKIE[session_name()]` if it's a string\n\nHowever, it is not recommended to rely solely on the automated way, because for example you may set the session name somewhere in a custom service,\nand it may not be available for the sanitizer to use. I'd rather suggest you configure the sanitization manually:\n```php\n$phpInfo-\u003eaddSanitization($this-\u003esessionHandler-\u003egetId(), '[***]'); // where $this-\u003esessionHandler is your custom service for example\n```\nor\n```php\n$phpInfo-\u003eaddSanitization($_COOKIE['MYSESSID'], '[***]'); // where MYSESSID is your session name\n```\nor something like that.\n\n## Sanitizing arbitrary strings\nIf you have your `phpinfo()` output (or anything really) in a string, you can use the sanitizer standalone, for example:\n```php\n$sanitizer = new \\Spaze\\PhpInfo\\SensitiveValueSanitizer();\n$string = $sanitizer-\u003eaddSanitization('🍍', '🍌')-\u003esanitize('🍍🍕');\n```\n\nYou can then pass the configured sanitizer to `PhpInfo` class which will then use your configuration for sanitizing the `phpinfo()` output too:\n```php\n$phpInfo = new \\Spaze\\PhpInfo\\PhpInfo($sanitizer);\n$html = $phpInfo-\u003egetHtml();\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspaze%2Fphpinfo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspaze%2Fphpinfo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspaze%2Fphpinfo/lists"}