

spaze/phpinfo
=============

Extract phpinfo() output into a variable, sanitize sensitive values, and move inline styles to external CSS.

v2.0.1(1mo ago)1338.6k↓16.6%2MITPHPPHP ^8.0CI passing

Since Oct 11Pushed 1mo ago1 watchersCompare


phpinfo
=======

Extract `phpinfo()` into a variable and move CSS to an external file.

This might be handy when you want to show the `phpinfo()` output only to authenticated users, inside your site's layout for example.

```
$phpInfo = new \Spaze\PhpInfo\PhpInfo();
$html = $phpInfo->getHtml();
```

`getHtml(int $flags = INFO_ALL): string`
----------------------------------------

The `getHtml()` method returns the `phpinfo()` output, without the HTML `head` and `body` elements, wrapped in `` & ``.

All inline CSS will be "externalized" to CSS classes. Load `src/assets/info.css` to get the colors back (or `vendor/spaze/phpinfo/src/assets/info.css` when installed via Composer).

An example usage with Nette Framework (can be used with other frameworks or standalone, too):

```
$this->template->phpinfo = Html::el()->setHtml($this->phpInfo->getHtml());
```

The output may be customized by passing one or more of the constants [specified in the PHP manual](https://www.php.net/function.phpinfo#refsect1-function.phpinfo-parameters) in the optional `$flags` parameter.

Please note that this will also remove the HTML `head` element, which contains the `meta name="ROBOTS"` tag that prevents search engines and other bots from indexing the `phpinfo()` output. You have to add it back somehow, for example by rendering the `getHtml()` output in your own layout which includes the `head` element with the `meta name="ROBOTS"` tag. In general, `phpinfo()` output should be accessible only to authenticated users.
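A standalone page that puts the points above together, as an added example that is not part of the project's README: it gates the output behind authentication and restores the robots directive that `getHtml()` drops. The `$_SESSION['is_admin']` flag and the project-root location of the script are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the spaze/phpinfo README.
// Assumptions: Composer autoloading, native PHP sessions, this script sits in
// the project root, and your own login code sets $_SESSION['is_admin'].
require __DIR__ . '/vendor/autoload.php';

session_start();

// Authenticated users only; answer 404 so the page's existence is not revealed.
if (($_SESSION['is_admin'] ?? false) !== true) {
    http_response_code(404);
    exit;
}

// getHtml() drops the original <head>, so the robots directive is restored
// twice: as a response header and as a <meta> element in our own layout.
header('X-Robots-Tag: noindex, nofollow, noarchive');
header('Cache-Control: no-store'); // keep the output out of shared caches

$phpInfo = new \Spaze\PhpInfo\PhpInfo();
$html = $phpInfo->getHtml();

// The externalized styles shipped with the package (path as given above).
$css = file_get_contents(__DIR__ . '/vendor/spaze/phpinfo/src/assets/info.css');
if ($css === false) {
    $css = ''; // render unstyled rather than fail
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="robots" content="noindex, nofollow, noarchive">
    <title>phpinfo()</title>
    <style><?= $css ?></style>
</head>
<body>
<?= $html ?>
</body>
</html>
```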

`getFullPageHtml(int $flags = INFO_ALL): string`
------------------------------------------------


Sometimes, you may want to display the classic `phpinfo()` output, with the original HTML `head` and `body` elements, `meta name="ROBOTS"` tag, inline styles etc., but still with the sensitive info sanitized (see below). In that case, you may use `getFullPageHtml()`:

```
$phpInfo = new \Spaze\PhpInfo\PhpInfo();
echo $phpInfo->getFullPageHtml();
```

The output of this method may also be customized by passing one or more of the constants [specified in the PHP manual](https://www.php.net/function.phpinfo#refsect1-function.phpinfo-parameters) in the optional `$flags` parameter.

Sanitization
------------

By default, the session id will be automatically determined and replaced by `[***]` in the output. This is to prevent some session hijacking attacks that would read the session id from the cookie value reflected in the `phpinfo()` output (see my [blog post](https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it) describing the attack, `HttpOnly` bypasses, and the solution). You can disable the sanitization by calling `doNotSanitizeSessionId()` but it's totally not recommended. Do not disable that. Please.

You can add your own strings to be sanitized in the output with

```
addSanitization(string $sanitize, ?string $with = null): self
```

If found, the string in `$sanitize` will be replaced with the string `$with`; if `$with` is null then the sanitizer's default replacement string will be used instead. The sanitizer's default replacement is `[***]` unless you pass a custom string to `Spaze\PhpInfo\SensitiveValueSanitizer`.

To change the default sanitization from `[***]` to a custom string, pass the string to `Spaze\PhpInfo\SensitiveValueSanitizer` and then pass the sanitizer to `Spaze\PhpInfo\PhpInfo`:

```
$sanitizer = new \Spaze\PhpInfo\SensitiveValueSanitizer('🦘');
$phpInfo = new \Spaze\PhpInfo\PhpInfo($sanitizer);
$html = $phpInfo->getHtml();
```

Some of the values in `phpinfo()` output are printed URL-encoded, so the `$sanitize` value will also be searched URL-encoded automatically. This means that both `foo,bar` and `foo%2Cbar` would be replaced.

The sanitizer will try to determine the session id and sanitize it automatically; you can (but shouldn't) disable this with `doNotSanitizeSessionId()`.

The following values will be used when determining the session id:

1. `session_id()` output if not `false`
2. `$_COOKIE[session_name()]` if it's a string

However, it is not recommended to rely solely on the automated way, because for example you may set the session name somewhere in a custom service, and it may not be available for the sanitizer to use. I'd rather suggest you configure the sanitization manually:

```
$phpInfo->addSanitization($this->sessionHandler->getId(), '[***]'); // where $this->sessionHandler is your custom service for example
```

or

```
$phpInfo->addSanitization($_COOKIE['MYSESSID'], '[***]'); // where MYSESSID is your session name
```

or something like that.
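Why the manual configuration matters, as an added illustration that is not the library's code: the helper names below are hypothetical, the sample rows are constructed, and the use of `urlencode()` for the encoded form is an assumption. The first run models the sanitizer looking under the default session name while the application uses `MYSESSID`, so nothing is redacted; the second run uses the real cookie name and masks both the raw and the URL-encoded form.

```php
<?php
declare(strict_types=1);

// Added illustration; helper names are hypothetical, not the library's API.

/** Candidates in the order listed above: session_id(), then $_COOKIE[session_name()]. */
function sessionIdCandidates(string|false $sessionId, string $sessionName, array $cookies): array
{
    $found = [];
    if ($sessionId !== false && $sessionId !== '') { // '' means no active session
        $found[] = $sessionId;
    }
    if (is_string($cookies[$sessionName] ?? null)) {
        $found[] = $cookies[$sessionName];
    }
    return $found;
}

/** Replace every secret in both its raw and its URL-encoded form. */
function redact(string $output, array $secrets, string $mask = '[***]'): string
{
    $map = [];
    foreach ($secrets as $secret) {
        if ($secret === '') {
            continue; // never search for an empty string
        }
        $map[$secret] = $mask;
        $map[urlencode($secret)] = $mask; // assumption: urlencode() matches the encoded form
    }
    return $map === [] ? $output : strtr($output, $map);
}

// Constructed sample rows; the id contains ',' so its two forms differ.
$cookies = ['MYSESSID' => 'q1w2,e3r4-t5y6'];
$rows = <<<'HTML'
<tr><td class="e">$_COOKIE['MYSESSID']</td><td class="v">q1w2,e3r4-t5y6</td></tr>
<tr><td class="e">$_SERVER['HTTP_COOKIE']</td><td class="v">MYSESSID=q1w2%2Ce3r4-t5y6</td></tr>
HTML;

// Automatic lookup under the default name finds no candidate: the id stays visible.
$auto = sessionIdCandidates(false, 'PHPSESSID', $cookies);
echo redact($rows, $auto), "\n\n";

// Lookup with the application's real cookie name masks both rows.
$manual = sessionIdCandidates(false, 'MYSESSID', $cookies);
echo redact($rows, $manual), "\n";
```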

Sanitizing arbitrary strings
----------------------------


If you have your `phpinfo()` output (or anything really) in a string, you can use the sanitizer standalone, for example:

```
$sanitizer = new \Spaze\PhpInfo\SensitiveValueSanitizer();
$string = $sanitizer->addSanitization('🍍', '🍌')->sanitize('🍍🍕');
```

You can then pass the configured sanitizer to the `PhpInfo` class, which will then use your configuration for sanitizing the `phpinfo()` output too:

```
$phpInfo = new \Spaze\PhpInfo\PhpInfo($sanitizer);
$html = $phpInfo->getHtml();
```

### Health Score

55 (Fair), better than 97% of packages

- Maintenance: 88. Actively maintained with recent releases
- Popularity: 38. Limited adoption so far
- Community: 12. Small or concentrated contributor base
- Maturity: 67. Established project with proven stability
- Bus Factor: 1. Top contributor holds 94.9% of commits (single point of failure)

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~167 days (recently: every ~174 days)
- Total: 13
- Last release: 59d ago
- Major versions: v0.1.1 → v1.0.0 (2022-11-26); v1.4.0 → v2.0.0 (2026-04-10)
- PHP version history (4 changes): v0.1.0 PHP >=7.1; v0.1.1 PHP ^7.1 || ^8.0; v1.0.0 PHP ^8.0; v1.1.2 PHP ^7.4 || ^8.0

### Community

Maintainers: [spaze](/maintainers/spaze)

Top Contributors: [spaze](https://github.com/spaze) (75 commits), dependabot[bot] (3 commits), [compwright](https://github.com/compwright) (1 commits)

Tags: php, phpinfo, sanitization

### Code Quality

Static Analysis: PHPStan

Type Coverage: Yes

