With over 12 years of experience in development and a focus on application security Chris is on a quest to bring his knowledge to the masses, making application security accessible to everyone.
So if you're using the .env files, they just need to be outside of the document root but inside the open_basedir directory/directories.
For example, if your document root is /var/www (for your-site.com) and you have an index.php file in there, having the .env in the same directory would mean they could access your-site.com/.env and access it directly.
The recommendation here is to move the .env someplace PHP can still get to it (defined in open_basedir if set) but not in the publicly accessible location. For example, many PHP applications are following this structure:
/var/www/.env
/var/www/public/index.php
Where the /var/www/public is the DOCUMENT_ROOT but PHP can still reach back up one directory to get the .env.
As far as the other issue ($_SERVER vs $_ENV) I'm not 100% sure why it wouldn't be putting the value in $_ENV but they're going to be the same. I tried doing some research on it and couldn't determine why there might be a difference. It's loading it from the same place though.
So if you're using the .env files, they just need to be outside of the document root but inside the open_basedir directory/directories.
For example, if your document root is /var/www (for your-site.com) and you have an index.php file in there, having the .env in the same directory would mean they could access your-site.com/.env and access it directly.
The recommendation here is to move the .env someplace PHP can still get to it (defined in open_basedir if set) but not in the publicly accessible location. For example, many PHP applications are following this structure:
/var/www/.env
/var/www/public/index.php
Where the /var/www/public is the DOCUMENT_ROOT but PHP can still reach back up one directory to get the .env.
As far as the other issue ($_SERVER vs $_ENV) I'm not 100% sure why it wouldn't be putting the value in $_ENV but they're going to be the same. I tried doing some research on it and couldn't determine why there might be a difference. It's loading it from the same place though.
Thanks for the follow up didn't see the tie between DOCUMENT_ROOT and the public portion that all makes sense now.
I will keep looking into the other problem.
Great content though!