Sometimes the most crucial, basic piece of information can seem so hard to find. For example, suppose you wanted to find out what version of PHP your remote webhost provides to shared hosting users? What would you do? [...] For development purposes it can be helpful having phpinfo() available, but on a live shared host, you may discover as I did recently that it is no longer available; your host may have disabled it.

She includes three other ways you can use to get the version of PHP you're working with:

• If you have command line access, running "php -v"
• Using the phpversion function (or PHP_VERSION constant)
• Appending a certain value to the URL (only works in some cases)

Welcome to part 3 of my 10 part series on PHP. In the first two parts I introduced you to the language and to what software you needed to run it. In this episode we will look at some simple PHP syntax, and we'll write a couple of small scripts to get our feet wet, and get a feel for the language.

Their first script mixes HTML and PHP together to make a "Hello World" web page. They also give the example of a phpinfo function call to get the settings for the current PHP installation.

His idea is that, with this setting on, the PHP installation would:

• disable display errors
• disable phpinfo()
• turn expose_php off
• make max_execution_time/memory_limit reasonable
• and possibly a few others that some developers forget to set correctly

[The] extra META TAG to the HTML output of phpinfo() that forbids indexing and archiving by robots. For fairness reasons following the embedded links is still allowed to robots, because a lot of projects [...] to get at least a few backlinks for their work, that might result in a better search engine positioning.

The patch can be downloaded from their site.

I just published the second part of the serie about PHP configurations. This part focuses on three aspects of PHP: PHP extensions, PHP streams, and disabled functions.

You can find the statistics themselves here and the latest configuration statistics here. It's interesting to see the drop-off when it comes to the various modules that are installed ("php, ftp and http are the most common. Besides them, tough luck.") and to see the somewhat more gradual curve of which functions are disabled - with system() topping out the list (with good reason).

The problem with finding a reliable pool of such pages is that basic search often contaisn many blog, forum, bugs.php.net and alike entries which area copy & paste outputs from users. This maybe fine in some instances, but what if you just want the real phpinfo() pages. The answer is surprisingly simple.

His solution? To search for an element always in the page, but unique to it - usually the term you're looking for (like his suggestion of "Zend Scripting Language Engine"). He links to two result sets, one from Google and the other from Yahoo.

Besides the phpinfo information, Ilia also mentions the other handy data you can find with similar searches to major search engines like Apache header information.

This past Thursday, I attended the DC PHP Conference. Since I was only there for a day, I'm sure I missed a lot, but I did manage to do some of the things on my list.

Talks hhe mentions were Mike Naberezny's look at Getting Started with the Zend Framework and Eli White's High Volume PHP & MySQL Scaling Techniques talk. He also mentions meeting David Recordon from VeriSign and some work that Damien Seguy on tracking statistics on open phpinfo pages (about half still have register globals on!).

The errors are:

• A problem with copy() that circumvents the "Safe Mode" for users who are logged in at the system.
• A possible issue with tempname() that could ignore the "Safe Mode" setting also
• a third leak that could lead to a web server process crashing (recusive function calls)
• and an XSS attack issue with the standard phpinfo() page

The 4null4.de post has a summary of the issues, but the original article from heise has the complete info (as well as links to examples of the problems as documented on SecurityReason.com).