A Full Guide to Using PHP Configuration Files for Best Practice

Herbert · February 3, 2024, 11:04am

In this article, we will cover how to set up a secure PHP configuration file. This article will be more helpful for custom coders.

So what is a PHP configuration file?

Using PHP as a configuration file is a method to pass configuration information to applications. They are used to store sensitive information like API keys, database connection strings, and other configuration details outside of your codebase. The idea is to separate configuration from code, making it easier to manage and more secure. This way, instead of hard-coding information directly into your code, you’ll retrieve it using Environment Variables when needed.

Why is hard-coding information considered a bad practice?

Imagine that somehow your codebase was exposed or shared with the public, and everyone who reads it could see your sensitive information.

<?php
$username = 'herbert';
$password = 'password';
$host = 'yourhost';
?>

But when you use a separate PHP configuration file, even if your codebase is exposed or shared, your sensitive information is not in the codebase; instead, it’ll appear as a variable.

<?php
require_once('config.php');


$username = Username;
$password = Password;
$host = Host;
?>

Now let’s see how you can set up and use PHP configuration on InfinityFree.

We are going to create a file called config.php. (You can use whatever name you like)
Inside the config.php file, create constants to store your information.

<?php 

define('Username', 'herbert');
define('Password', 'yourpassword');
define('Host', 'yourhost');

?>

Understanding Constants and Variables, along with some code explanation.

Both Constants and Variables are used to store values, but there is a slight difference between them.

Constants created with define are immutable, meaning their values cannot be changed after they are defined. This is ideal for static values like sensitive credentials. Additionally, Constants are global in scope, meaning they can be accessed from any part of the script.
Regular variables $something = 'value'; are mutable, allowing their values to be changed during the script’s execution. This means you can assign their value to a new one with the same name. While, Variables can be defined with various scopes, including local scopes within functions or classes.

When you need to use the config.php file you need to include the file you are going to use.

require_once ensures that the file is only included once. If the file has already been included, other attempts to include it won’t have any effect.

With the information above, you now have the knowledge to use PHP configuration files to make your coding more efficient. However, remember that this is only a layer of security when securing your web application. The more you explore, the more you find out about things, which will help you secure your application.

Thank you for the precious time you’ve put into reading this. Have a wonderful day!

Frank419 · February 3, 2024, 11:22am

I personally prefer require_once, so if something nasty happens, it just stops there, instead of continue to execute the rest of the code and spam a lot of errors with sensitive informations.

Herbert · February 3, 2024, 4:24pm

Yes indeed. But it really depends on whether the user wants to use ‘require_once’ or include_once. From my perspective, I think include_once is the best option for using a config for a database. Like I said it’s just a personal preference.

( require_once is preventing script execution, and include_once only shows a warning and continues to execute the script.)

Greenreader9 · February 3, 2024, 4:38pm

I would disagree. Because if the file is not found, all the DB execution statements will fail. If you stop execution earlier in the file, your error messages are going to be a lot more helpful.

Herbert · February 3, 2024, 4:44pm

I respect your perspective, and it’s true that using include_once allows for more flexibility in error handling. But my preference for include_once is because I tend to handle errors explicitly within the code and found other developers too find it good. Some may say why you should handle errors explicitly when built-in can do it blah blah, but it’s totally fine to handle errors explicitly.

Greenreader9 · February 3, 2024, 4:47pm

And that is fine. However, in the code that is shared in this guide (Which is what this discussion is about), you don’t have any error handling. In this case, its better to use require because in the event of an error, a more helpful message will be returned.

Herbert · February 3, 2024, 4:54pm

That’s true, I should’ve added some error handling, but I want this to be as simple as for others, so I made the changes to use require_once