What is the best way to store configuration variables in PHP?

Question

I have considered the following

$mysqlPass = 'password'; // doesn't seem right

$config['mysql_pass'] = 'password'; // seems slightly better

define('MYSQL_PASSWORD', 'password'); // seems dangerous having this data accessible by anything. but it can't be changed via this method

class Config
{
    const static MYSQL_PASSWORD = 'password';
} 

Config::MYSQL_PASSWORD; // don't know if this is a good idea

This is all I have thought of somewhere. I was going to have a require /config.inc.php with all these vars in. What works for you, and what are best practices concerning this?

Update

How would you store your directories variables? These are less of a security concern than a MySQL password, so would CONFIG_APP_ROOT, CONFIG_DIR_BASE etc be fine?

Answer 1

I've always gone with option #2 and just ensure that no one but the owner has ANY sort of access to it. It's the most popular method among PHP applications like Joomla, vBulletin, Gallery, and numerous others.

First method is too messy to me (readability) and the third is WAY too dangerous to do. I've never thought about the Class method, so someone else can provide their input on that one. But I guess it's fine so long as the right access is used on the class' usage.

---

Example..

define('EXAMPLE1', "test1"); // scenario 1
$example2 = "test2"; // scenario 2

function DealWithUserInput($input)
{
   return eval($input);
}

Now this example of code is really dumb, but just an example. Consider what could be returned by the function depending on which scenario the user could try to use in their input.

Scenario 2 would only cause an issue if you made it a global within the function. Otherwise it's out of scope and unreachable.

Answer 2

I generally use the second method... When handling database connections I generally open a connection at the beginning of the request, then close it at the end. I have a function that establishes the connection, then removes the username/password from the global array (with the unset() function), This prevents other parts of the system from accessing the "sensitive" mysql connection data.

Answer 3

I'm also with option 2 for most config values. If you were going to implement the Class then I would tie the specific values to the Class that it affects instead of a general config Class.

In your example, your Class would be for database connections and an instance would save the password, db_name, etc. This would encapsulate the data properly and also provide an easy means to create multiple connections if that was ever needed.

Answer 4

I'd say it also depends of userbase a bit. If configurations has to be very user friendly or user has to have ability to change config via web etc.

I use Zend Config Ini for this and other settings are stored in SQL DB.