## PHPSECINFO

_see LICENSE for copyright and license info_

Mailing List for bug reports, feedback, etc:
http://lists.phpsec.org/mailman/listinfo/phpsecinfo


### WHAT IS PHPSECINFO?
PHPSecInfo is a PHP environment security auditing tool modeled after the
phpinfo() function. From a single function call, PHPSecInfo runs a
series of tests on your PHP environment to identify potential security
issues and offer suggestions. It can be useful as part of a multilayered
security approach.


#### WHAT IS PHPSECINFO NOT?
* It is not a replacement for secure coding practices
* It does not audit PHP code
* It is not a comprehensive test of either your hosting environment
  or your web application
* It is not the "final word." PHPSecInfo identifies *potential* problems
  and offers suggestions for improvement. Your environment may _require_
  certain settings that trigger cautions or warnings.


### HOW DO I USE PHPSECINFO?

The simplest way:

* Uncompress and upload the contents of the archive to your web server's
  document root
* Open a browser and view the index.php file where you've uploaded the files
  (probably something like http://www.yourdomain.com/phpsecinfo/index.php)
* Restrict access to that URL (web-server authentication or an IP allow-list)
  and remove the files when you are finished: the report discloses details
  of your PHP configuration to anyone who can load the page


### WHAT DO I DO IF I GET A NOTICE OR WARNING?

Read the explanation of the result carefully. Research the issue on-line
-- resources like the php.net official docs and the PHP Security Guide are
very useful. Investigate why your environment is set up in such a way. If
there's not a compelling reason to keep it as-is, you should probably

A by no means comprehensive list of resources to get you started:

Web Sites:
http://www.php.net/manual/en/security.php
http://phpsec.org/projects/guide/

Books:
http://phparch.com/pgps
http://phpsecurity.org/
http://apachesecurity.net/


### HOW CAN I CUSTOMIZE THE OUTPUT OF PHPSECINFO?

PHPSecInfo is intended to be used as a self-contained tool. However, you
can obtain the test results in an array and then present this data in your
preferred format.

Example:
<code>
<?php
require_once('PhpSecInfo/PhpSecInfo.php');

// instantiate the class
$psi = new PhpSecInfo();

// load and run all tests
$psi->loadAndRun();

// grab the results as a multidimensional array
// (one entry per test group, one entry per test inside each group)
$results = $psi->getResultsAsArray();

// dump the raw array; escape it, since the messages contain HTML
echo "<pre>" . htmlspecialchars(print_r($results, true)) . "</pre>";

// grab the standard results output as a string
$html = $psi->getOutput();

// send it to the browser
echo $html;
</code>


### HOW CAN I OFFER FEEDBACK, REPORT BUGS, COMPLAIN, ETC.?

The best way is to subscribe to and post on the PHPSecInfo Mailing List:

http://lists.phpsec.org/mailman/listinfo/phpsecinfo
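The results array described under "HOW CAN I CUSTOMIZE THE OUTPUT OF PHPSECINFO?" is most useful when it feeds something other than a web page. The script below is an added example, not part of the PHPSecInfo distribution: it runs the tests from the command line, prints a one-line-per-test summary, treats reviewed findings as accepted (the README's point that some environments require settings that trigger warnings), and exits non-zero if any unaccepted WARN result remains, so it can gate a deployment. It assumes the array layout returned by getResultsAsArray() (group, then test name, then the keys result/message/value_current/value_recommended/moreinfo_url) and the PHPSECINFO_TEST_RESULT_* constants defined in PhpSecInfo.php; check both against your installed version. The entry in $accepted is a hypothetical test name. Note that the CLI SAPI reads its own php.ini, which often differs from the web server's, so run this under the same SAPI whose configuration you want to audit (for example via php-cgi) for a meaningful result.

```php
<?php
// Added example, not PHPSecInfo's own code. Assumptions (verify against your
// PhpSecInfo.php): getResultsAsArray() returns $results[$group][$test] with
// keys 'result', 'message', 'value_current', 'value_recommended',
// 'moreinfo_url', and result codes are the PHPSECINFO_TEST_RESULT_* constants.
require_once 'PhpSecInfo/PhpSecInfo.php';

// Findings you have reviewed and accept, keyed "group/test" => reason.
// The key below is a hypothetical example; use the names your run prints.
$accepted = array(
    'Session/save_path' => 'session files live on a dedicated, non-world-readable volume',
);

$labels = array(
    PHPSECINFO_TEST_RESULT_OK     => 'OK',
    PHPSECINFO_TEST_RESULT_NOTICE => 'NOTICE',
    PHPSECINFO_TEST_RESULT_WARN   => 'WARN',
    PHPSECINFO_TEST_RESULT_NOTRUN => 'NOTRUN',
    PHPSECINFO_TEST_RESULT_ERROR  => 'ERROR',
);

// Values may be scalars or small arrays; render both on one line.
function psi_value($v)
{
    return is_array($v) ? implode(',', $v) : (string) $v;
}

$psi = new PhpSecInfo();
$psi->loadAndRun();
$results = $psi->getResultsAsArray();

$failures = 0;
foreach ($results as $group => $tests) {
    foreach ($tests as $name => $r) {
        $key   = $group . '/' . $name;
        $code  = (int) $r['result'];
        $label = isset($labels[$code]) ? $labels[$code] : 'UNKNOWN';

        if ($code === PHPSECINFO_TEST_RESULT_WARN) {
            if (isset($accepted[$key])) {
                $label = 'ACCEPTED';   // reviewed: required by this environment
            } else {
                $failures++;
            }
        }

        printf("%-8s %-45s current=%s recommended=%s\n",
            $label, $key,
            psi_value($r['value_current']),
            psi_value($r['value_recommended']));

        // The messages carry HTML for the web report; strip it for the terminal.
        if ($label === 'WARN' || $label === 'NOTICE') {
            printf("         %s\n", trim(strip_tags($r['message'])));
            if (!empty($r['moreinfo_url'])) {
                printf("         more: %s\n", $r['moreinfo_url']);
            }
        }
    }
}

printf("\n%d unaccepted warning(s)\n", $failures);
exit($failures > 0 ? 1 : 0);
```

Run it as `php psi-gate.php` (or under php-cgi to audit the web SAPI's php.ini) and wire the exit status into your deployment check; keep $accepted under version control with the reason for each entry so accepted warnings are auditable rather than silently ignored.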