I've been looking at disabling certain php functions for security reasons, and it turned into a mammoth task identifying which ones to deactivate, so ...
As an exercise, I decided to try deactivating every single function (about 5000 of them *gulp!*), then access my site and see what errors I'd get ... the idea being that I would then 'punch holes' in my disabled list to allow only those functions that my site actually uses.
So having generated a complete list of all 5000-odd functions, and applying it to my php.ini, then confirming that they were listed as disabled in phpinfo, I was surprised to find that my site continued working just fine ... even though functions like mysql_connect and mysql_query were being called.
Furthermore - being a function in it's own right - I would've expected that phpinfo itself would've been blocked, but I was able to access it via the web just fine.
I ran this test on my single-user development machine, so I know my php.ini isn't being over-ridden somehow, nor have I accidentally got more than one 'disable_functions' definition in my ini file causing my list to be ignored ... and in any case the disabled list is correctly displayed in phpinfo.
So now I wonder whether this 'disable_functions' ini setting even works at all, it doesn't look like it based on my tests!
Any thoughts or insights would be much appreciated ...