A little while ago I wrote about using environment variables to store various sensitive information in your application without revealing it in source control.

As always, there is more that one way to do anything, so today I wanted to write about CakePHP’s built-in functions that can be used to manage application specific settings.

Most (all?) CakePHP developers should be familiar with the app/config/core.php file, which contains the core configuration for the application. If nothing else, you would be familiar with changing the salt and debug settings in this file as part of your CakePHP install/deployment

<?php
Configure::write('debug', 2);
Configure::write('Security.salt', 'sdasdwrwsert456456456tfdfdgdfgdfgxcx');

However, you can also create your own versions of a configuration file with all your app specific settings.

Create a custom config

First off, create a file in the app/config directory named however you want.

Example: myappsettings.php

Now in this file you can add any settings you want using the $config array

<?php
$config['MyApp']['mysql_user'] = 'bob';
$config['MyApp']['mysql_pass'] = 'foobar';
// etc etc

Next up, you need to tell your app to load this new config file. I tend to do it in the bootstrap.php to ensure it is loaded throughout the app (although if there is a better/more advisable place be sure to let me know)

<?php
// app/config/bootstrap.php

// snip

Configure::load('my_app_settings');

Now anywhere in your app you have access to your custom settings

<?php
$mysqlUser = Configure::read('MyApp.mysql_user');

Protect your credentials

The last thing you want is your third party API credentials, or database logins being made available to anyone via source control. In general, best practice states you shouldn’t store any security information in your source control.

Well this provides a perfect solution. Create a copy of the my_app_settings.php called my_app_settings.example.php

Ensure that all settings your app needs are included, but make sure the values are zeroed out and commented to ensure others know what is required.

<?php
$config['MyApp']['mysql_user'] = ''; // this is the user for the mysql database
$config['MyApp']['mysql_pass'] = ''; // this is the password for the mysql database
// etc etc

Then add the example to your source control so other developers know how to configure the application, but make sure your live version is added to the source control ignore list. This simple setup should prevent any sensitive information accidentally leaking out.

Deployment

Having done the above, you now find that deploying leads to a broken application as there are no app settings available.

This can be fixed by storing a copy of the settings file specific to the environment the deploy targets which is copied into the app/config path during the deploy

If you are using Capistrano for example, this can be done by storing a copy of the settings file in the shared folder, then symlinking or outright copying it over to the current version during the deploy.