
Discussion on: Keeping Credentials Secure in PHP

Coury Ryan Richards (nerdlyist)

Great post, found another version of it from the PHP Round Table podcast. A couple of questions, if you do not mind.

When placing the .env files outside the root of the app and setting open_basedir, how can you access those files, or do you move them back into the root?

Is there any additional setup to get SetEnv to work? For whatever reason, it is setting it in the $_SERVER global but not in the $_ENV.

Chris Cornutt (enygma), Author

So if you're using the .env files, they just need to be outside of the document root but inside the open_basedir directory/directories.

For example, if your document root is /var/www (for and you have an index.php file in there, having the .env in the same directory would mean they could access and access it directly.

The recommendation here is to move the .env someplace PHP can still get to it (defined in open_basedir if set) but not in the publicly accessible location. For example, many PHP applications are following this structure:


Where the /var/www/public is the DOCUMENT_ROOT but PHP can still reach back up one directory to get the .env.

As far as the other issue ($_SERVER vs $_ENV), I'm not 100% sure why it wouldn't be putting the value in $_ENV, but they're going to be the same. I tried doing some research on it and couldn't determine why there might be a difference. It's loading it from the same place, though.
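A start-up check for the layout discussed in the reply above, as an added example that is not part of the original thread: it verifies that the .env path is outside the document root but still within open_basedir, and looks a credential up across getenv(), $_SERVER and $_ENV. The function names, the `DB_PASSWORD` variable and the sample paths are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/** True if $path is $dir or lies beneath it (string check only, symlinks not resolved). */
function isUnder(string $path, string $dir): bool
{
    $dir = rtrim($dir, '/');
    return $path === $dir || strpos($path, $dir . '/') === 0;
}

/** Lists what is wrong with the .env location; an empty array means it is fine. */
function checkEnvLocation(string $envPath, string $docRoot, string $openBasedir): array
{
    $problems = [];
    if (isUnder($envPath, $docRoot)) {
        $problems[] = "$envPath is inside the document root and can be requested over HTTP";
    }
    // Simplification: each open_basedir entry is treated as a directory (PHP itself matches prefixes).
    $bases = $openBasedir === '' ? [] : explode(PATH_SEPARATOR, $openBasedir);
    if ($bases !== [] && array_filter($bases, fn($b) => isUnder($envPath, $b)) === []) {
        $problems[] = "$envPath is outside open_basedir, so PHP cannot read it";
    }
    return $problems;
}

/** Reads a credential from wherever the SAPI exposed it: getenv(), $_SERVER, then $_ENV. */
function credential(string $name): ?string
{
    $value = getenv($name);
    if ($value === false) {
        // $_ENV is only populated when variables_order in php.ini contains "E".
        $value = $_SERVER[$name] ?? $_ENV[$name] ?? null;
    }
    return is_string($value) ? $value : null;
}

// Constructed sample values; a real application would pass
// $_SERVER['DOCUMENT_ROOT'] and ini_get('open_basedir') instead.
$docRoot = '/var/www/public';
var_dump(checkEnvLocation('/var/www/.env', $docRoot, '/var/www'));         // .env one level above the document root
var_dump(checkEnvLocation('/var/www/public/.env', $docRoot, '/var/www'));  // .env next to index.php
var_dump(checkEnvLocation('/var/www/.env', $docRoot, '/var/www/public'));  // open_basedir limited to the document root
var_dump(credential('DB_PASSWORD'));                                       // hypothetical variable name
```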

Coury Ryan Richards (nerdlyist)

Thanks for the follow-up. Didn't see the tie between DOCUMENT_ROOT and the public portion; that all makes sense now.

I will keep looking into the other problem.

Great content though!