How to show disabled PHP functions

Disabled PHP functions are a common reason shell execution, child-process handling, or other runtime features fail in one environment while the same code works elsewhere. Reading the active list quickly separates runtime policy from missing extensions, file permissions, or application bugs.

The active list comes from the effective disable_functions value resolved when a PHP SAPI starts. The directive is INI_SYSTEM only, it accepts a comma-delimited list of internal function names, and PHP 8+ removes disabled internal functions from the function table instead of leaving the older invocation warning behavior in place. Reading the resolved value through php -i or ini_get('disable_functions') is therefore the dependable check.

The result is specific to the runtime that handled the request. CLI, PHP-FPM, and the Apache module can load different configuration trees, and PHP-FPM pool files can append additional disabled functions for one pool. When the failure appears only over the web, a temporary probe requested through the same vhost or pool gives the definitive answer.

Related: How to disable PHP functions

Steps to show disabled PHP functions:

Show which configuration files the current CLI runtime loads.

$ php --ini
Configuration File (php.ini) Path: "/opt/homebrew/etc/php/8.5"
Loaded Configuration File:         "/opt/homebrew/etc/php/8.5/php.ini"
Scan for additional .ini files in: "/opt/homebrew/etc/php/8.5/conf.d"
Additional .ini files parsed:      (none)

The loaded php.ini file and any scanned drop-ins together determine the base disable_functions value for that CLI runtime.

Read the effective disable_functions value from the active CLI runtime.
```
$ php -i | grep '^disable_functions'
disable_functions => no value => no value
```
no value or a blank string means no disabled functions are configured for that SAPI.

Print each disabled function on its own line when the directive is not empty.

$ php -r '$disabled = trim((string) ini_get("disable_functions")); if ($disabled === "") { echo "No disabled functions configured for this PHP SAPI.\n"; } else { foreach (array_map("trim", explode(",", $disabled)) as $function) { if ($function !== "") { echo $function, PHP_EOL; } } }'
No disabled functions configured for this PHP SAPI.

Reading ini_get('disable_functions') is the parser-friendly check on PHP 8+ because disabled internal functions no longer stay callable with the older warning behavior.

Check the PHP-FPM pool files for appended disable_functions values when the served site reports more disabled functions than CLI.
```
$ sudo grep -REn 'php_(admin_)?value\[disable_functions\]' /etc/php/8.3/fpm/pool.d /etc/php-fpm.d 2>/dev/null
/etc/php/8.3/fpm/pool.d/www.conf:491:php_admin_value[disable_functions] = exec,shell_exec,system,passthru,proc_open,popen
```
Replace 8.3 with the installed PHP major.minor version. Debian or Ubuntu hosts usually keep pool files under /etc/php/<version>/fpm/pool.d, while RHEL-family hosts commonly use /etc/php-fpm.d. No output means the sampled pool files do not currently define an extra disable_functions value.

Current PHP-FPM documentation notes that pool settings defining disable_functions append to the base list instead of replacing it.

Related: How to find PHP configuration files

Create a temporary show-disabled-functions.php file in the same document root or virtual host that serves the failing application.

<?php
header('Content-Type: text/plain');
$disabled = trim((string) ini_get('disable_functions'));
echo 'SAPI: ', PHP_SAPI, PHP_EOL;
echo 'php.ini: ', (php_ini_loaded_file() ?: 'none'), PHP_EOL;
echo 'disable_functions: ', ($disabled === '' ? 'no value' : $disabled), PHP_EOL;
?>

Place the file in the exact site, pool, or virtual host that reproduces the problem so the response reflects the active served runtime instead of CLI.

Request the temporary probe through the web server and read the reported SAPI, loaded php.ini file, and disabled list.
```
$ curl -s https://app.example.test/show-disabled-functions.php
SAPI: fpm-fcgi
php.ini: /etc/php/8.3/fpm/php.ini
disable_functions: exec,shell_exec,system,passthru,proc_open,popen
```
This confirms the live web-facing SAPI value and the loaded php.ini path even when the served runtime and CLI use different configuration trees.
Remove the temporary probe after the check.
```
$ rm /var/www/app.example.test/public/show-disabled-functions.php
```
Leaving the file accessible exposes runtime details that should not remain public.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.