re: Keeping Credentials Secure in PHP

re: Great post, found another version of it from the PHP Round Table podcast. Couple of questions if you do not mind. When placing the .env files outside the ...

So if you're using the .env files, they just need to be outside of the document root but inside the open_basedir directory/directories.

For example, if your document root is /var/www (for your-site.com) and you have an index.php file in there, having the .env in the same directory would mean anyone could access your-site.com/.env and read it directly.

The recommendation here is to move the .env someplace PHP can still get to it (defined in open_basedir if set) but not in the publicly accessible location. For example, many PHP applications are following this structure:

/var/www/.env
/var/www/public/index.php

where /var/www/public is the DOCUMENT_ROOT, but PHP can still reach back up one directory to get the .env.

As for the other issue ($_SERVER vs $_ENV), I'm not 100% sure why it wouldn't be putting the value in $_ENV, but they're going to be the same. I tried doing some research on it and couldn't determine why there might be a difference. It's loading it from the same place, though.
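The layout above (/var/www/.env next to /var/www/public/index.php) can be checked at runtime rather than trusted. The following is an added example, not code from the original post or from any library: a minimal .env loader in PHP 8 that lives in public/index.php, resolves the .env one level up, refuses to load it if it sits inside DOCUMENT_ROOT, and confirms it is reachable under open_basedir when that is set. The file path, the simple KEY=value parser and the helper names are assumptions for illustration; a real project would use a maintained dotenv library. The final echo also prints variables_order, because PHP only fills $_ENV itself when that ini setting contains "E" (php.ini-production ships "GPCS"), which is one known reason a loader can appear to populate $_SERVER but not $_ENV.

```php
<?php
// Added example (not from the original post): load a .env that sits one level
// above DOCUMENT_ROOT, matching the /var/www/.env + /var/www/public/index.php
// layout described in the thread. Requires PHP 8 (str_starts_with/str_contains).
declare(strict_types=1);

// Assumption: this file is public/index.php, so the project root is its parent.
function projectEnvPath(): string
{
    return dirname(__DIR__) . DIRECTORY_SEPARATOR . '.env';
}

// True if $path is inside directory $dir (after canonicalising both).
function isInside(string $path, string $dir): bool
{
    return str_starts_with($path, rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR);
}

// Refuse a .env that the web server could serve, and confirm that PHP is
// allowed to read it under open_basedir (if that restriction is configured).
function assertEnvPlacement(string $envPath): void
{
    // realpath() honours open_basedir, so a blocked path also yields false.
    $real = realpath($envPath);
    if ($real === false) {
        throw new RuntimeException("Cannot read $envPath (missing, or blocked by open_basedir)");
    }

    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && isInside($real, $docRoot)) {
        throw new RuntimeException(".env is inside DOCUMENT_ROOT ($docRoot) and may be served to clients");
    }

    $basedir = ini_get('open_basedir');
    if ($basedir !== false && $basedir !== '') {
        $allowed = false;
        foreach (explode(PATH_SEPARATOR, $basedir) as $dir) {
            $dirReal = realpath($dir);
            if ($dirReal !== false && isInside($real, $dirReal)) {
                $allowed = true;
                break;
            }
        }
        if (!$allowed) {
            throw new RuntimeException(".env is outside open_basedir ($basedir)");
        }
    }
}

// Minimal KEY=value parser: blank lines and '#' comments are skipped,
// surrounding quotes on the value are stripped. No variable expansion.
function parseEnvFile(string $envPath): array
{
    $vars = [];
    foreach (file($envPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || !str_contains($line, '=')) {
            continue;
        }
        [$key, $value] = explode('=', $line, 2);
        $vars[trim($key)] = trim($value, " \t\"'");
    }
    return $vars;
}

// Populate getenv(), $_SERVER and $_ENV consistently so that code reading any
// of the three sees the same values regardless of variables_order.
function loadEnv(string $envPath): array
{
    assertEnvPlacement($envPath);
    $vars = parseEnvFile($envPath);
    foreach ($vars as $key => $value) {
        putenv("$key=$value");
        $_SERVER[$key] = $value;
        $_ENV[$key] = $value;
    }
    return $vars;
}

$loaded = loadEnv(projectEnvPath());
echo 'variables_order=', ini_get('variables_order'), PHP_EOL;   // no "E" => PHP itself leaves $_ENV empty
echo 'loaded keys: ', implode(', ', array_keys($loaded)), PHP_EOL; // keys only; never echo the values
```

With /var/www/public as DOCUMENT_ROOT and open_basedir=/var/www, the loader finds /var/www/.env, the DOCUMENT_ROOT check passes because /var/www/.env is not under /var/www/public/, and the open_basedir check passes because it is under /var/www/. Moving the file to /var/www/public/.env makes assertEnvPlacement() throw instead of silently exposing the secrets over HTTP.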


Thanks for the follow-up; I didn't see the tie between DOCUMENT_ROOT and the public portion. That all makes sense now.

I will keep looking into the other problem.

Great content though!
