A little while ago I wrote about using environment variables to store various sensitive information in your application without revealing it in source control.
As always, there is more than one way to do anything, so today I wanted to write about CakePHP's built-in functions that can be used to manage application-specific settings.
Most (all?) CakePHP developers should be familiar with the app/config/core.php file, which contains the core configuration for the application. If nothing else, you would be familiar with changing the debug settings in this file as part of your CakePHP install/deployment:
<?php
Configure::write('debug', 2);
Configure::write('Security.salt', 'sdasdwrwsert456456456tfdfdgdfgdfgxcx');
However, you can also create your own versions of a configuration file with all your app-specific settings.
First off, create a file in the app/config directory named however you want.
Now in this file you can add any settings you want using the
<?php
$config['MyApp']['mysql_user'] = 'bob';
$config['MyApp']['mysql_pass'] = 'foobar';
// etc etc
Next up, you need to tell your app to load this new config file. I tend to do it in the bootstrap.php to ensure it is loaded throughout the app (although if there is a better/more advisable place, be sure to let me know):
<?php
// app/config/bootstrap.php
// snip
Configure::load('my_app_settings');
Now anywhere in your app you have access to your custom settings:
<?php $mysqlUser = Configure::read('MyApp.mysql_user');
The last thing you want is your third-party API credentials or database logins being made available to anyone via source control. In general, best practice states you shouldn't store any security information in your source control.
Well this provides a perfect solution. Create a copy of the
Ensure that all settings your app needs are included, but make sure the values are zeroed out and commented to ensure others know what is required.
<?php
$config['MyApp']['mysql_user'] = ''; // this is the user for the mysql database
$config['MyApp']['mysql_pass'] = ''; // this is the password for the mysql database
// etc etc
Then add the example to your source control so other developers know how to configure the application, but make sure your live version is added to the source control ignore list. This simple setup should prevent any sensitive information accidentally leaking out.
Having done the above, you now find that deploying leads to a broken application as there are no app settings available.
This can be fixed by storing a copy of the settings file specific to the environment the deploy targets, which is copied into the app/config path during the deploy.
If you are using Capistrano for example, this can be done by storing a copy of the settings file in the shared folder, then symlinking or outright copying it over to the current version during the deploy.
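The deploy step described above, written as shell functions a deploy task could call. This is an added example, not code from the original post: the example file name my_app_settings.php.example, the shared and release directory arguments and the function names are assumptions. It refuses to link when the release already contains a real settings file (a sign the live file was committed) or when the environment's file lacks a key that the example file lists.

```shell
#!/bin/sh
# Added example: link the untracked settings file into a release at deploy time.
# Assumed names: my_app_settings.php.example and the SHARED_DIR/RELEASE_DIR layout.

# Print the MyApp keys a settings file assigns, one per line, sorted.
# Commented-out assignments are ignored because the line must start with $config.
settings_keys() {
    sed -n "s/^[[:space:]]*\$config\['MyApp'\]\['\([A-Za-z0-9_]*\)'\].*/\1/p" "$1" | sort -u
}

# Print every key the example file lists that the live file does not define.
missing_keys() {  # usage: missing_keys EXAMPLE_FILE LIVE_FILE
    for key in $(settings_keys "$1"); do
        settings_keys "$2" | grep -qx "$key" || echo "$key"
    done
}

# Symlink the environment's settings file into the release's app/config.
link_settings() {  # usage: link_settings SHARED_DIR RELEASE_DIR
    src="$1/my_app_settings.php"
    dst="$2/app/config/my_app_settings.php"
    example="$2/app/config/my_app_settings.php.example"

    [ -f "$src" ] || { echo "no settings file at $src" >&2; return 1; }
    [ -f "$example" ] || { echo "no example file at $example" >&2; return 1; }

    # A regular file here means the live settings were checked in with the code.
    if [ -e "$dst" ] && [ ! -L "$dst" ]; then
        echo "$dst is a real file; remove it from source control" >&2
        return 1
    fi

    # Fail the deploy now rather than ship an app with unset settings.
    gaps=$(missing_keys "$example" "$src")
    [ -z "$gaps" ] || { echo "settings file lacks: $gaps" >&2; return 1; }

    ln -sfn "$src" "$dst"
}

# From a deploy task: link_settings /path/to/shared /path/to/releases/current
```
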