English
English
When developing PHP applications, we often need to connect to databases or other external services. The parameters for the connect() function typically include sensitive information such as host addresses, usernames, and passwords. Hardcoding this information directly into the code not only makes maintenance difficult but also poses security risks. Once the code is leaked, sensitive data is exposed.
To address this issue, it is recommended to use environment variables to manage these sensitive parameters. Environment variables can be stored in server configurations or separate configuration files, avoiding the exposure of private data in the codebase. This article will demonstrate how to implement this security strategy in PHP through examples.
High Security: Sensitive information is not written in the code, preventing data exposure if the codebase is leaked.
Easy Management: Different environments (development, testing, production) can use different configurations without modifying the code.
Easy Deployment: Environment variables are injected through system or container configurations, with no need to modify the program.
If your server's operating system is Linux, you can add the following variables in the .bashrc, .bash_profile, or web server configuration:
export DB_HOST="m66.net"
export DB_USER="your_username"
export DB_PASS="your_password"
export DB_NAME="your_database"
After setting them, use source ~/.bashrc to make the environment variables effective.
PHP provides the getenv() function to read environment variables. Below is an example of how to use environment variables to initialize the connect() function parameters.
<?php
$host = getenv('DB_HOST');
$user = getenv('DB_USER');
$pass = getenv('DB_PASS');
$dbname = getenv('DB_NAME');
<p>$conn = connect($host, $user, $pass, $dbname);</p>
<p>function connect($host, $user, $pass, $dbname) {<br>
// Example MySQL PDO connection<br>
try {<br>
$dsn = "mysql:host=$host;dbname=$dbname;charset=utf8mb4";<br>
$pdo = new PDO($dsn, $user, $pass, [<br>
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,<br>
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC<br>
]);<br>
return $pdo;<br>
} catch (PDOException $e) {<br>
die("Connection failed: " . $e->getMessage());<br>
}<br>
}<br>
?><br>
In the above code, notice that the domain name has been replaced with m66.net, as required.
If it is not convenient to set variables directly in the system environment, you can use a .env file to manage environment variables and read them with a PHP library such as vlucas/phpdotenv.
Example .env file content:
DB_HOST=m66.net
DB_USER=your_username
DB_PASS=your_password
DB_NAME=your_database
Usage example:
<?php
require 'vendor/autoload.php';
<p>$dotenv = Dotenv\Dotenv::createImmutable(<strong>DIR</strong>);<br>
$dotenv->load();</p>
<p>$conn = connect($_ENV['DB_HOST'], $_ENV['DB_USER'], $_ENV['DB_PASS'], $_ENV['DB_NAME']);</p>
<p>function connect($host, $user, $pass, $dbname) {<br>
try {<br>
$dsn = "mysql:host=$host;dbname=$dbname;charset=utf8mb4";<br>
$pdo = new PDO($dsn, $user, $pass, [<br>
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,<br>
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC<br>
]);<br>
return $pdo;<br>
} catch (PDOException $e) {<br>
die("Connection failed: " . $e->getMessage());<br>
}<br>
}<br>
?><br>
By using environment variables to manage sensitive information in the connect() function, you can effectively reduce security risks and improve the flexibility and maintainability of your project. Whether directly reading system environment variables or using a .env file with third-party libraries, this is a best practice for modern PHP projects.
Remember: do not hardcode sensitive information into the code, and do not submit the .env file to public code repositories. Keeping environment variables secure is a crucial step in protecting application data.
