A little while ago I wrote about using environment variables to store various sensitive information in your application without revealing it in source control.
As always, there is more than one way to do anything, so today I wanted to write about CakePHP’s built-in functions that can be used to manage application-specific settings.
Most (all?) CakePHP developers should be familiar with the app/config/core.php file, which contains the core configuration for the application. If nothing else, you would be familiar with changing the salt and debug settings in this file as part of your CakePHP install/deployment:
<?php
Configure::write('debug', 2);
Configure::write('Security.salt', 'sdasdwrwsert456456456tfdfdgdfgdfgxcx');
However, you can also create your own versions of a configuration file with all your app specific settings.
Create a custom config
First off, create a file in the app/config directory named however you want.
Example: my_app_settings.php
Now in this file you can add any settings you want using the $config array:
<?php
$config['MyApp']['mysql_user'] = 'bob';
$config['MyApp']['mysql_pass'] = 'foobar';
// etc etc
Next up, you need to tell your app to load this new config file. I tend to do it in the bootstrap.php to ensure it is loaded throughout the app (although if there is a better/more advisable place, be sure to let me know).
<?php
// app/config/bootstrap.php
// snip
Configure::load('my_app_settings');
Now anywhere in your app you have access to your custom settings
<?php
$mysqlUser = Configure::read('MyApp.mysql_user');
Protect your credentials
The last thing you want is your third party API credentials, or database logins being made available to anyone via source control. In general, best practice states you shouldn’t store any security information in your source control.
Well, this provides a perfect solution. Create a copy of my_app_settings.php called my_app_settings.example.php.
Ensure that all settings your app needs are included, but make sure the values are zeroed out and commented to ensure others know what is required.
<?php
$config['MyApp']['mysql_user'] = ''; // this is the user for the mysql database
$config['MyApp']['mysql_pass'] = ''; // this is the password for the mysql database
// etc etc
Then add the example to your source control so other developers know how to configure the application, but make sure your live version is added to the source control ignore list. This simple setup should prevent any sensitive information accidentally leaking out.
Deployment
Having done the above, you now find that deploying leads to a broken application as there are no app settings available.
This can be fixed by storing a copy of the settings file specific to the environment the deploy targets, which is copied into the app/config path during the deploy.
If you are using Capistrano for example, this can be done by storing a copy of the settings file in the shared folder, then symlinking or outright copying it over to the current version during the deploy.
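
The two failure modes described above (a real value slipping into the tracked example file, and a deploy that ships without usable settings) can be caught by a small check run from a pre-commit hook or a deploy task. This is an added example, not code from the original post or from CakePHP; the script name check_settings.php, its function names, and its location in the project root are assumptions.

```php
<?php
// check_settings.php (hypothetical helper, assumed to sit in the project root).
// Load a settings file in an isolated scope and return the $config array it fills.
function loadSettings($path)
{
    if (!is_readable($path)) {
        throw new RuntimeException("settings file not readable: $path");
    }
    $config = array();
    include $path;
    return $config;
}

// Flatten nested settings into dotted keys, the same paths Configure::read() takes.
function flattenSettings(array $settings, $prefix = '')
{
    $flat = array();
    foreach ($settings as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        $flat += is_array($value) ? flattenSettings($value, $path) : array($path => $value);
    }
    return $flat;
}

// Return a list of problems; an empty list means both files are consistent.
function checkSettings($examplePath, $livePath)
{
    $example = flattenSettings(loadSettings($examplePath));
    $live = flattenSettings(loadSettings($livePath));
    $problems = array();
    foreach ($example as $key => $value) {
        if ($value !== '' && $value !== null) {
            $problems[] = "example file carries a value for $key; blank it before committing";
        }
        if (!array_key_exists($key, $live) || $live[$key] === '' || $live[$key] === null) {
            $problems[] = "live settings missing or empty: $key";
        }
    }
    return $problems;
}

$dir = dirname(__FILE__) . '/app/config';
try {
    $problems = checkSettings("$dir/my_app_settings.example.php", "$dir/my_app_settings.php");
} catch (RuntimeException $e) {
    $problems = array($e->getMessage());
}
fwrite(STDERR, $problems ? implode(PHP_EOL, $problems) . PHP_EOL : '');
exit($problems ? 1 : 0);
```

A non-zero exit status lets the hook or deploy task stop before a release goes live with missing settings.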