Config vars in apache environment vars
https://stackoverflow.com/questions/10988185
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm running a few different PHP shopping carts at work and we're trying to get the various config files under version control. Up to this point we've just been ignoring them in git because, of course, we don't want production level passwords to be available to just anyone. Besides, most of us developers are running local installs with unique information.
While talking to our sysadmin about the problem I suddenly remember that we could set environment variables in the apache vhost block and access them from PHP, like so:
Apache: SetEnv db_user "username"
PHP: <?php $config['db']['user'] = $_ENV['db_user'];
It seems like it would work without a problem, but I've never seen it done like this before. Are there any implications (technical, security, etc) or limitations in handling authentication info this way?
Solution
This is quite close to something that is proposed in the PHP Security Guide: Databases and SQL.
They note that one potential issue is a risk of exposing the variable via a call to "something like phpinfo() or print_r($_SERVER)." So the question is whether you can control that risk - and whether you trust everyone who gets access to that vhost (in your context, the answer to that is likely to be "yes").
They also propose adding an extra level of redirection by putting these credentials in a file readable only by root - which seems reasonable in deployment, if slightly paranoid in a development context.
