7

Note: Configuration is being kept in a PHP file, config.php.

I've seen this done differently, here's a short list of examples (I'm storing DB info in these examples):

Constants: global, readonly

define('DB_USER','user12');
define('DB_PASS','21user');

Using GLOBALS array: global, changeable, repetitive, mixed with other globals

$GLOBALS['DB_USER']='user12';
$GLOBALS['DB_PASS']='21user';

Using a non-global array but raised globally: possibly worse than the 2nd option

$config=array();
// ...
$config['DB_USER']='user12';
$config['DB_PASS']='21user';
// ...
global $config;
mysql_connect('localhost',$config['DB_USER'],$config['DB_PASS']);

Defining class properties: (global, enumerable)

class Config {
    public $DB_USER='user12';
    public $DB_PASS='21user';
}

Criteria/Options/Features:

  • ease of coding: you wouldn't want to check if the setting exists, or initialize it
  • ease of modification: a non-programmer/layman could easily modify the settings
  • stored in a clean place: not mixed with other variables (can be stored in a sub-array)
  • runtime modification: in some cases, other devs may easily modify existing settings

The configuration might need to be changed some time during the running of the system, so option 1 is already not viable. The third option is not too clean either.


While writing this, I'm getting a big warning on the discussion being subjective and closed. So please keep up to the topic and give valid reasons to your answers.


This is a pretty obvious question, and considering I'm well familiar with different answers, you might ask, why am I making all this fuss? The thing is, I'm developing a framework, and unlike another framework (*ahem* joomla *ahem*) I don't want to pass through their mistake of throwing in a misinformed solution which ends up having to be changed/re-purposed in the future.


Edit: First off, the location of the config file does not concern me. I'll make sure people can easily change location, if they want to, but this will not be a requirement. First off, cheap webhosts do not allow doing this; secondly, as far as security goes, this is really not a good option. Why? Because the framework needs to know where the config is. Really, security through obscurity does not work. I'd rather fix all RFI and XSS (for instance) than be paranoid on hiding the config file under several layers.

8
  • 1
    possible duplicate of What is the best way to store configuration variables in PHP? Commented Oct 8, 2010 at 6:22
  • The configuration might need to be changed some time during the running of the system, so option 1 is already not viable - doesn't sound like a very good system! The whole idea of a config file is that you define constants with general site settings like database settings, maybe page titles, etc. What sort of things are you storing that you might want to change? Commented Oct 8, 2010 at 6:23
  • Here's how it works: a PHP class, Database, operates on config constants DB_?, someone might want to write a script to sync two DBs (as an example), but is not able to use the Database class because he can't change the constants....ok this is a pretty lame example, I can't think of a better one. Hope you get the idea tho. Commented Oct 8, 2010 at 6:46
  • Alex, now that I see it, I agree, however the answer to it is not what I am seeking. Suggestions? Commented Oct 8, 2010 at 7:05
  • 1
    @Christian I don't think you know what "security through obscurity" means. Making your config files publicly accessible and hoping people won't stumble across them, that is security through obscurity. Commented Oct 8, 2010 at 14:40

4 Answers

4

Hard-coded data may not be an option where people doing reconfiguration are not code-adept. Consider using parse_ini_file().


23 Comments

The part about users not being code-adept is a REALLY good argument. However, I'm afraid of using ini files since they're downloadable, and of course, you wouldn't want people downloading a config file which contains your server's FTP details. :-)
Don't use the .ini file extension. Use something else instead. Or save the file in a non-Web-accessible path.
Why not store the main config file outside the exposed htdocs tree? Then use a stub config.php or ini that points to the correct config.
Security sensitive data should never be stored anywhere within docroot, period. I certainly wouldn't use a framework that made me work against it to follow the most basic security tenets. Taking security seriously would be a great way to distinguish yourself from the vast sea of PHP frameworks out there.
@Christian I've never seen a PHP framework that DOES let you store your config files under your doc root. I would absolutely avoid any framework that actually allowed you to do this, it's a terrible, awful idea. Storing config files in docroot is a terrible mistake. You can argue this point, but I have to wonder why you asked the question in the first place if you're going to disagree with the expert feedback you get.
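Added example, not written by any poster in this thread, for the suggestion above to use parse_ini_file() with the file kept in a non-Web-accessible path: a loader that refuses an INI file located under the document root and returns modified copies for the runtime changes the question asks about. The AppConfig class, its method names and the demo paths are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. AppConfig and all paths are hypothetical.
final class AppConfig
{
    private $values = array();

    public static function load($iniPath, $docRoot)
    {
        $real = realpath($iniPath);
        $root = realpath($docRoot);
        if ($real === false || $root === false || !is_readable($real)) {
            throw new RuntimeException('config file or document root not found');
        }
        // Refuse a file the web server could hand out as a static download.
        if (strpos($real, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
            throw new RuntimeException('config file must live outside the document root');
        }
        // RAW mode: values are taken as written, not interpreted as constants or booleans.
        $parsed = parse_ini_file($real, true, INI_SCANNER_RAW);
        if ($parsed === false) {
            throw new RuntimeException('config file is not valid INI');
        }
        $cfg = new self();
        $cfg->values = $parsed;
        return $cfg;
    }

    public function get($section, $key, $default = null)
    {
        return isset($this->values[$section][$key]) ? $this->values[$section][$key] : $default;
    }

    // Runtime change without touching shared state: returns a modified copy.
    public function withOverride($section, $key, $value)
    {
        $copy = clone $this;
        $copy->values[$section][$key] = $value;
        return $copy;
    }
}

// Constructed demo layout: $base/public plays the docroot, $base/private holds the INI.
$base = sys_get_temp_dir() . '/cfgdemo_' . uniqid();
mkdir("$base/public", 0700, true);
mkdir("$base/private", 0700, true);
file_put_contents("$base/private/app.ini", "[db]\nuser = user12\npass = 21user\n");
$cfg = AppConfig::load("$base/private/app.ini", "$base/public");
$sync = $cfg->withOverride('db', 'user', 'sync_user');
echo $cfg->get('db', 'user'), ' / ', $sync->get('db', 'user'), "\n";
copy("$base/private/app.ini", "$base/public/app.ini");
try { AppConfig::load("$base/public/app.ini", "$base/public"); }
catch (RuntimeException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
```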
2

Why not use Zend_Config? It creates a common interface for configuration options that can be stored in a config file or a database (with a proper adapter). And it's lightweight; you don't have to bring in the entire Zend framework to use it.

BTW, since you're building a framework, you should keep pollution of the global namespace to a minimum. Something like your 3rd option, and if you're targeting 5.3 exclusively, look at using proper namespaces.

2 Comments

I won't be using anyone else's framework. Plus, if they have their own config system which is good enough, I'm probably able to replicate it in my code.
+1 to your second paragraph, while at it, I'd like to mention that I'm not targeting 5.3+
1

A bit late, but this might be of interest to you: http://milki.include-once.org/genericplugins/genconfig.html

It provides a simple API to edit PHP config files in-place. It keeps comments and other code intact. And it allows for a global $config array/ArrayObject and defining constants. It operates almost automatically if combined with plugin configuration comments. However, it's a lot of code. But maybe worth checking out for the concept. (I'm also using a readable config.php, as it seems the most useful configuration format for me.)


0

Put it in a common file and include it everywhere you need it. The benefit is that when you go live or move to your test server, you need to edit just this one file and all configs are changed. Method 2 is better as it allows you to change it.

Remember, once you connect to mysql, if you need to change the user and pass you have to re-connect.

1 Comment

Sorry, didn't mention I'm already using the single-file-included-everywhere option...will update topic.
