Config.php
// ENVIRONMENT is assumed to have been defined earlier in the bootstrap (e.g. via define()).
if (ENVIRONMENT == 'development') {
    // Development: report every error and show it in the browser.
    error_reporting(E_ALL);
    ini_set('display_errors', 1);
} else {
    // Production: still report everything (error_reporting(0) would also stop
    // errors from being logged), but never echo them to visitors, because error
    // output leaks file paths, queries and stack traces. Write them to a log
    // file kept outside the web root instead.
    error_reporting(E_ALL);
    ini_set('display_errors', 0);
    ini_set('log_errors', 1);
    ini_set('error_log', '/path/to/php-error.log');
}
public_html/
├── index.php
├── about.php
├── config.php   <-- DANGER!
└── css/

Even though PHP files are normally parsed by the server, misconfigurations happen. If Apache/PHP ever fails (a temporary glitch, a .htaccess override, or a module crash), the server might serve the config.php file as plain text. A visitor would simply visit https://example.com/config.php and see your database password, API keys, and salts, unencrypted and in plain view.

The Fix: Protection via Placement

Never store config.php inside the public web root. Place it above the web root.
Modern PHP development (especially with frameworks like Laravel, Symfony, or Laminas) has largely moved toward using a .env file.

How it works: You create a .env file (never committed to Git) that looks like this:
// wp-config.php (simplified)
define('DB_NAME', 'database_name');
define('DB_USER', 'database_user');
define('DB_PASSWORD', 'password');
define('DB_HOST', 'localhost');
define('WP_DEBUG', false);
$table_prefix = 'wp_';

WordPress adds a clever security trick: wp-config.php can be moved one directory above the web root, and WordPress will still find it.

Even experienced developers run into these issues:

1. "Headers already sent" errors
If there is any output before the opening <?php tag in config.php, even a single space, newline or UTF-8 BOM, PHP has already started sending the response body, so sessions and cookies will break. Always ensure there is nothing at all before <?php. And omit the closing ?> tag entirely: it is optional in pure-PHP files, and any newline after it is sent as output, which triggers the same error.

2. Path issues using relative includes
If index.php includes config.php, and config.php tries to include another file using a relative path, you'll get "file not found", because paths starting with ./ or ../ are resolved against the current working directory, not against the directory of config.php. Always use __DIR__ or absolute paths.
In this article, we will dissect the config.php file from top to bottom. We will explore why it exists, how to structure it securely, the common pitfalls that lead to massive security breaches, and modern best practices that have evolved beyond the humble config.php.

In the simplest terms, config.php is a centralized PHP script that stores configuration directives for an application. Instead of hardcoding database passwords, timezones, or error-reporting levels into every single page, developers place these values into a single file. Every other script in the application then includes or requires this file at runtime.
/home/user/
├── public_html/          <-- Web root (DocumentRoot)
│   ├── index.php
│   └── style.css
└── includes/
    └── config.php        <-- Inaccessible via web browser

Your index.php then includes it using an absolute path:
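One way to put the two points together, the .env approach described earlier and the above-the-web-root placement shown here, as an added example that is not code from the article: a small index.php bootstrap (the file and directory names are assumptions) that loads /home/user/includes/.env via __DIR__, refuses to read a secrets file that sits under DocumentRoot, and fails fast when a required key is missing.

```php
<?php
// Added example (not from the article). Hypothetical layout assumed:
//   /home/user/public_html/index.php (this file)  and  /home/user/includes/.env
/** Parse a .env file: "# comments", blank lines, KEY=value, KEY="quoted value". */
function loadEnvFile(string $path): array
{
    $real = realpath($path);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException("Config file not readable: $path");
    }
    // Placement check: refuse secrets stored inside the document root, where a
    // misconfiguration could serve them as plain text.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("Refusing to load secrets from inside the web root: $real");
    }
    $env = [];
    foreach (file($real, FILE_IGNORE_NEW_LINES) as $n => $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;                                    // blank line or comment
        }
        if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/', $line, $m)) {
            throw new RuntimeException('Malformed .env line ' . ($n + 1)); // fail loudly, not silently
        }
        $value = $m[2];
        if (strlen($value) >= 2 && $value[0] === '"' && substr($value, -1) === '"') {
            $value = substr($value, 1, -1);              // strip surrounding double quotes
        }
        $env[$m[1]] = $value;
    }
    return $env;
}
/** Fail fast when a required secret is absent instead of connecting with an empty password. */
function requireKeys(array $env, array $keys): array
{
    $missing = array_diff($keys, array_keys($env));
    if ($missing !== []) {
        throw new RuntimeException('Missing required settings: ' . implode(', ', $missing));
    }
    return $env;
}
// __DIR__ is the directory of THIS file (public_html); "../includes" steps outside the web root.
$config = requireKeys(loadEnvFile(__DIR__ . '/../includes/.env'),
                      ['DB_HOST', 'DB_NAME', 'DB_USER', 'DB_PASSWORD']);
```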
// 5. Security & Hashing
$config['security'] = [
    'salt'      => 'a-very-long-random-string-here', // application-wide secret; generate it randomly and never ship the placeholder
    'hash_cost' => 12  // cost parameter for password_hash(PASSWORD_BCRYPT); bcrypt derives its own per-hash salt
];