The directory for all configuration files is:
config/settings.php is the main configuration file and combines the default settings with environment specific settings.
The configuration files are loaded in this order:
config/defaults.phpwith all default settings.
config/../../env.phpand include the environment specific configuration file, e.g.
If the constant
APP_ENVis defined, load the environment specific file. This is only used to apply the phpunit test settings.
You may be familiar with the concept of
.env files. However,
.env files should be considered as harmful because:
- People could put the file
.envfile into a public accessible directory.
- A public accessible
.envfile can be indexed by search engines.
.envfiles are not native and much slower then PHP files.
.envfiles are not intended to run on a production server. Many developers do it anyway.
vlucas/phpdotenvis a unnecessary dependency and buggy in multi-thread PHP (read more)
Even environment variables should be considering as harmful because:
- A third-party server tool or any system-service could send a crash-report with all environment variables to foreign servers.
- Any other tool on your server could read the environment variables.
- Incorrectly configured servers could log the environment variables or even send them as error message to the browser.
putenv()is strongly discurraged due to the fact that these functions are not thread safe.
The method of getting these values is using the
$_SERVER super-global not the
For security (and performance) reasons, all secret environment variables are better stored in a file called:
Create a copy of the file
config/env.example.php and rename it to
env.php file is generally kept out of version control since it can contain sensitive API keys and passwords.
Never commit the env.php file to the version control system!
Add the file
env.php to your
.gitignore, so that you don’t accidentally commit it.
You also can (and should) use the
env.php file on your testing, staging and production server. In this case store the server specific
env.php file one directory above the project root directory. Storing the
env.php file above the project directory simplifies deployment and ensures that the configuration is always in the right place and can be loaded at any time.