About the Author

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.

Damien Seguy Catalogues phpinfo() Statistics

Sat, 04 Nov 2006 at 00:58:13 GMT
6 Comments
References

As I mentioned earlier, Damien Seguy has been compiling phpinfo() statistics. He just sent me an email with an update on his progress:

I just published the first part of a series of articles about PHP directives configurations. By gathering 11,000 phpinfos on the Internet, I managed to get an overview of what values are used when configuring PHP.

Here are some interesting statistics uncovered by his research:

register_globals is enabled 57% of the time.
magic_quotes_gpc is enabled 76% of the time.
display_errors is enabled 80% of the time.

You can find his full article at the following URL:

http://nexen.net/articles/dossier/php_configuration_statitstics.php

About This Post

Damien Seguy Catalogues phpinfo() Statistics was posted on Sat, 04 Nov 2006 at 00:58:13 GMT.

6 Comments

1. Tim B said:

Wouldn't these statistics, although interesting, be rather inaccurate and not give a reliable "picture" of the PHP community.

I would suggest that those who have register_globals, magic_quotes_gpc and display_errors all turned off are also more likely to not have their phpinfo() data exposed, meaning that the majority of results *would* have these enabled.

Anyway... that was my initial thought.
Sat, 04 Nov 2006 at 02:08:38 GMT Link

2. Chris Shiflett said:

As I mentioned in the earlier post, Adam said the same thing. It's certainly a valid point.

Damien's response was that the phpinfo() stats lined up with his version stats (obtained using an entirely different methodology), so that lends some credibility to these results.
Sat, 04 Nov 2006 at 02:23:21 GMT Link

3. streaky said:

Interesting he's not answered the real question that everybody is thinking.. i.e. the version numbers question.

It's the one that stands out as missing from the list to me.
Sat, 11 Nov 2006 at 14:49:38 GMT Link

4. Chris Shiflett said:

You might mean this:

http://shiflett.org/archive/239

As far as I know, he's been keeping up with version stats for quite some time now.
Sat, 11 Nov 2006 at 18:51:12 GMT Link

5. Caydel said:

Thanks for passing this on - reading that has caused me to go turn phpinfo() off on my pages....
Wed, 22 Nov 2006 at 03:06:54 GMT Link

6. Ergo said:

Is it possible to read phpinfo() of any site?

As far as I know it is not possible. So it is not representative extract
Thu, 23 Nov 2006 at 18:07:07 GMT Link

Upcoming Talks

PHP Appalachia

11 - 14 Oct 2008

At Big Bear Lodge, Gatlinburg, Tennessee.

php|works / PyWorks

12 - 14 Nov 2008

At Sheraton Gateway Hotel Atlanta Airport, Atlanta, Georgia.

New Comments

Chris Shiflett wrote:: Miguel, read the post again. PHP 4.4.9 is the final release of PHP 4.; Posted in End of Life for PHP 4
Miguel Palazzo wrote:: I think you're wrong. PHP 4.4 is DEAD, that's so right, because they just released 4.4.9, and you...; Posted in End of Life for PHP 4
alikim wrote:: Hi, Thanks for the article! Tell me please if it's enough to use just session_start(); se...; Posted in
Wayne wrote:: Hi ZX, When taking in data, you should always check to see if magic_quotes is enabled. If it i...; Posted in addslashes() Versus mysql_real_escape_string()
Chris Shiflett wrote:: Thanks, Brandon. I'm glad you liked the talk. Maybe some parts of it would be interesting to some...; Posted in ZendCon