
I wrote a tool a while ago for testing network-based timing attacks. Getting the measurement right is really hard; just taking the average doesn't generally work, while the 10th percentile measurement is much better. I did find PHP fairly hard to exploit though, but I was trying over a network, which is much more difficult than locally.

The code for the tool (and a presentation pdf) is here if you're interested: https://github.com/aj-code/TimingIntrusionTool5000



> just taking the average doesn't generally work

Oh, well yeah that's what I did. Guess I'll have to look further.

> the 10th percentile measurement is much better

That sounds like something to try, thanks!


Even taking the straight minimum may be better.


You'd think so! But that's not what I found; I found the minimum, max, and average were all crap. Even the median wasn't very good compared to the 10th percentile (which I got the idea for from here: http://www.cs.rice.edu/~dwallach/pub/crosby-timing2009.pdf).
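As an added illustration (not part of the thread and not code from the linked tool), the sketch below compares the mean, the minimum and the 10th percentile as estimators of a small timing difference when checking your own service for a timing leak. The samples are constructed, not measured; the nearest-rank percentile definition and all function names are assumptions made for this example.

```python
# Added illustration: constructed timing samples, not measurements from the thread.
from statistics import mean

TRUE_DELTA = 2  # constructed: the slow code path takes 2 time units longer


def percentile(samples, p):
    """Nearest-rank percentile: smallest value with at least p% of samples <= it."""
    ordered = sorted(samples)
    rank = max(1, -(-p * len(ordered) // 100))  # integer ceil(p * n / 100)
    return ordered[rank - 1]


def make_samples(base, step, spike_every, n=1000):
    """Constructed latencies: base + bounded jitter, plus periodic large delays."""
    out = []
    for i in range(n):
        t = base + (i * step) % 50       # deterministic jitter in 0..49
        if i % spike_every == 0:         # stands in for queueing/retransmit delay
            t += 5000
        out.append(t)
    return out


def compare(fast, slow):
    """Estimated (slow - fast) difference under each summary statistic."""
    return {
        "mean": mean(slow) - mean(fast),
        "min": min(slow) - min(fast),
        "p10": percentile(slow, 10) - percentile(fast, 10),
    }


def demo():
    fast = make_samples(1000, 37, spike_every=20)
    slow = make_samples(1000 + TRUE_DELTA, 41, spike_every=25)
    slow[7] = 900  # one spuriously low reading (constructed)
    return compare(fast, slow)


if __name__ == "__main__":
    for name, delta in demo().items():
        print(f"{name:>4}: estimated delta = {delta:+.3f} (true {TRUE_DELTA:+d})")
```

On this constructed data the mean is dominated by the large delays and the minimum by the single low reading, so both report the wrong sign, while the 10th percentile recovers the 2-unit difference.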



