I don’t have a whole lot of experience with PHP, only having made relatively simple contact forms. However, this changed when I needed to make a HTML form that saved to a MySQL database. Setting up the form was easy enough, however I needed a way to hide the login details for the server in the PHP script that was launched.

For some reason, it took me a lot of time to figure out how to use the .env file with PHP. I don’t have much experience with .env files, only having used it once or twice with Travis when testing Python applications dependent on APIs. For this reason, and my inexperience with PHP, it took me quite a while to figure out how to connect my .env file to my PHP script.

Firstly, in my .env file I have the following. These are the details that allow the PHP script to connect to the server.

SERVER="ser.ver.ip"
USER="server_login_name"
PASS="password"
DBNAME="nameofdatabase"

I wanted to be able to set the SERVER, USER, etc as a variable in PHP. To do this, I used Dotenv from symfony. Firstly, I had to install composer on my project by using:

curl -s http://getcomposer.org/installer | php

Then, I needed to install Dotenv via composer into my project.

composer require --dev symfony/dotenv

This allowed me to load the dotenv files:

use Symfony\Component\Dotenv\Dotenv;

$dotenv = new Dotenv();
$dotenv->load(__DIR__.'/.env');

However, something I forgot to do was to enable the class auto loading mechanism that is provided by Composer. So, that goes on top of the dotenv loading code so it loads first.

require __DIR__ . '/vendor/autoload.php';

This got the .env file linked to my PHP file, and let me declare my .env variables in PHP.

$servername = getenv('SERVER');
$username = getenv('USER');
$password = getenv('PASS');
$dbname = getenv('DBNAME');

I could then refer to them in my code, in order to login into the server.

$conn = new mysqli($servername, $username, $password, $dbname);

It took me a while to figure this out. I thought that PHP would automatically link the two files, but that clearly wasn’t true. Luckily, dotenv provided a quick and easy solution to the issue. I also wanted to secure .env and prevent people from being able to open it. Therefore, I went into .htaccess, and prevented people from looking at .htaccess and .env.

# Deny access to .htaccess
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

# Deny access to .env
<Files .env>
	Order allow,deny
	Deny from all
</Files>

As this would lead the user to see a 403 page, I added a custom one in order to increase user retention, and to make the site look neater. I keep all my error pages in /errordocs, as I have a few others for things like 404.

ErrorDocument 403 /errordocs/403.html

I also decided to disable the ability to get a directory listing.

# Disable directory browsing
Options -Indexes

This all made sure that people couldn’t pry at the .env files and gain access to the server. I also made sure that the form itself was not vulnerable to SQL injections, and I did this by not directly using the INSERT statement. I also made sure that users could not put in semi colons or anything that would not be contained in a name.