DEV Community


Discussion on: Keeping Credentials Secure in PHP

enygma profile image
Chris Cornutt Author

So if you're using the .env files, they just need to be outside of the document root but inside the open_basedir directory/directories.

For example, if your document root is /var/www (for and you have an index.php file in there, having the .env in the same directory would mean they could access and access it directly.

The recommendation here is to move the .env someplace PHP can still get to it (defined in open_basedir if set) but not in the publicly accessible location. For example, many PHP applications are following this structure:


Where the /var/www/public is the DOCUMENT_ROOT but PHP can still reach back up one directory to get the .env.

As far as the other issue ($_SERVER vs $_ENV) I'm not 100% sure why it wouldn't be putting the value in $_ENV but they're going to be the same. I tried doing some research on it and couldn't determine why there might be a difference. It's loading it from the same place though.

nerdlyist profile image
Coury Ryan Richards

Thanks for the follow up didn't see the tie between DOCUMENT_ROOT and the public portion that all makes sense now.

I will keep looking into the other problem.

Great content though!