
.env Files & Environment Variables

Tags: php, OWASP A2:2021, PHP 5.6+, Beginner

Also Known As

.env file, environment variables, PHP, vlucas/phpdotenv

TL;DR

Storing configuration in environment variables (not source code), loaded from a .env file in development via libraries like vlucas/phpdotenv.

Explanation

The Twelve-Factor App methodology mandates configuration in the environment — database credentials, API keys, and environment-specific settings should never be hardcoded or committed to version control. In development, vlucas/phpdotenv loads a .env file into $_ENV and getenv(). In production, variables are set at the infrastructure level (Docker, Kubernetes secrets, AWS Parameter Store). Always add .env to .gitignore; commit a .env.example with placeholder values. Access variables via $_ENV['KEY'] or getenv('KEY') — prefer $_ENV as it's not affected by php.ini's variables_order.
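The paragraph above describes the load-validate-read flow in one sentence each; the bootstrap below is an added example (not code from CodeClarityLab or from the phpdotenv project) that puts the pieces together. It assumes vlucas/phpdotenv v5 installed via Composer next to this script and a .env in the same directory; the env() helper and the key names APP_ENV, DB_HOST, DB_PASS and APP_DEBUG are assumptions for illustration.

```php
<?php
// Added example bootstrap; assumes vlucas/phpdotenv v5 (Composer) and PHP 7.1+.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Dotenv\Dotenv;

// Immutable: values already present in the environment (set by the server,
// container or orchestrator in production) are NOT overwritten by the file,
// so a stray .env cannot silently replace production settings.
$dotenv = Dotenv::createImmutable(__DIR__);

// safeLoad() tolerates a missing .env, which is the normal state in production
// where no file is deployed and everything comes from the environment.
$dotenv->safeLoad();

// Fail fast at boot rather than deep inside a request. The checks run against
// whatever the repository holds, so they also guard a production deployment
// whose variables come only from the infrastructure.
$dotenv->required(['APP_ENV', 'DB_HOST', 'DB_PASS'])->notEmpty();
$dotenv->required('APP_ENV')->allowedValues(['local', 'staging', 'production']);

/**
 * Read one configuration value (helper name is an assumption, not a library API).
 * createImmutable() writes into $_ENV and $_SERVER directly, so $_ENV is populated
 * even when php.ini's variables_order omits "E". getenv() is consulted last for
 * values that exist only in the process environment (or were set via putenv()).
 */
function env(string $key, ?string $default = null): ?string
{
    if (array_key_exists($key, $_ENV)) {
        return (string) $_ENV[$key];
    }
    if (array_key_exists($key, $_SERVER) && is_string($_SERVER[$key])) {
        return $_SERVER[$key];
    }
    $value = getenv($key);
    return $value === false ? $default : $value;
}

$dbPass = env('DB_PASS');
$debug  = env('APP_DEBUG', 'false') === 'true'; // env values are strings; convert explicitly
```

If a value must also be visible to getenv() (for a C extension or a child process), use createUnsafeImmutable(), which additionally calls putenv(); the default createImmutable() deliberately avoids putenv() because it is not thread-safe.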

Watch Out

Never commit .env to version control — even a private repository. Use .env.example for documentation and secrets managers for production.

Common Misconception

"Committing a .env file to the repository is fine if the credentials are only for a dev environment." It is not: .env files in version control establish a pattern that leads to production credentials being committed accidentally. Use .env.example with dummy values and keep real .env files out of git.

Why It Matters

Storing configuration in environment variables (twelve-factor app principle) keeps credentials out of source code and allows the same codebase to run in different environments without modification.

Common Mistakes

  • Committing the .env file to version control — the whole point is to keep secrets out of the repo.
  • Not providing a .env.example with all required keys — new developers don't know what to configure.
  • Loading .env in production when environment variables are already set by the server — causes double-loading conflicts.
  • Using $_ENV instead of getenv() or a dotenv library — $_ENV is not populated in all PHP configurations.
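The misconception above and the first two mistakes in this list are all checkable before a commit lands. The script below is an added example (not code from CodeClarityLab or the phpdotenv project) that audits a project's layout: .env must be ignored by .gitignore, every key in .env must appear in .env.example, and secret-looking keys in the committed template must carry no value. It needs only PHP 7.1+ and no library; the sample .env, .env.example and .gitignore contents are constructed inline and contain no real credentials. In a pre-commit hook or CI job the three strings would be read from the working tree instead.

```php
<?php
// Added example: audit .env / .env.example / .gitignore for the mistakes listed above.
declare(strict_types=1);

/** Parse KEY=VALUE lines (blank lines and # comments skipped) into key => value. */
function parseDotenv(string $contents): array
{
    $vars = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (strncmp($line, 'export ', 7) === 0) { // "export KEY=..." is also accepted by dotenv
            $line = substr($line, 7);
        }
        [$key, $value] = array_pad(explode('=', $line, 2), 2, '');
        $vars[trim($key)] = trim($value, " \t\"'");
    }
    return $vars;
}

/** True if the last matching .gitignore rule ignores a top-level .env (a later "!" rule re-includes it). */
function gitignoreCoversDotenv(string $gitignore): bool
{
    $ignored = false;
    foreach (preg_split('/\R/', $gitignore) as $rule) {
        $rule = trim($rule);
        if ($rule === '' || $rule[0] === '#') {
            continue;
        }
        $negate  = $rule[0] === '!';
        $pattern = ltrim($rule, '!/');
        // fnmatch() treats "*" as zero or more characters, so ".env*" and "*.env" both match ".env";
        // ".env.*" does not, which is why the common ".env*" + "!.env.example" pair still passes.
        if ($pattern !== '' && fnmatch($pattern, '.env')) {
            $ignored = !$negate;
        }
    }
    return $ignored;
}

/** Returns a list of human-readable findings; an empty list means the layout is clean. */
function auditDotenvLayout(string $env, string $example, string $gitignore): array
{
    $findings = [];

    if (!gitignoreCoversDotenv($gitignore)) {
        $findings[] = '.gitignore does not ignore .env: real secrets can be committed';
    }

    $envKeys     = array_keys(parseDotenv($env));
    $exampleVars = parseDotenv($example);

    foreach (array_diff($envKeys, array_keys($exampleVars)) as $missing) {
        $findings[] = ".env.example lacks key {$missing}: new developers will not know to set it";
    }

    // The template is committed, so secret-looking keys must carry no real value.
    foreach ($exampleVars as $key => $value) {
        if ($value !== '' && preg_match('/(SECRET|PASS|KEY|TOKEN)/i', $key)) {
            $findings[] = ".env.example gives {$key} a value: leave it empty or use an obvious placeholder";
        }
    }

    return $findings;
}

// Constructed sample inputs (not real credentials) that trip all three checks.
$sampleEnv = <<<'ENV'
APP_ENV=local
DB_HOST=localhost
DB_PASS=dev-only-password
STRIPE_SECRET=sk_test_placeholder
ENV;

$sampleExample = <<<'ENV'
APP_ENV=local
DB_HOST=localhost
DB_PASS=dev-only-password
ENV;

$sampleGitignore = <<<'GI'
/vendor/
*.log
GI;

$findings = auditDotenvLayout($sampleEnv, $sampleExample, $sampleGitignore);
foreach ($findings as $finding) {
    fwrite(STDERR, "FAIL: {$finding}\n");
}
exit($findings === [] ? 0 : 1); // non-zero exit blocks the commit or fails the CI job
```

The sample run reports three findings (missing ignore rule, STRIPE_SECRET absent from the template, DB_PASS carrying a value in the template) and exits 1. The audit complements, rather than replaces, a secret scanner such as gitleaks or trufflehog: those find secrets that were already committed, while this check stops the layout mistake that lets them in.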

Code Examples

✗ Vulnerable

# .env committed to git — credentials exposed
# (the project's .gitignore has no .env entry)
DB_PASSWORD=supersecret123
API_KEY=sk-live-abc123
# Anyone with repo access has these credentials

✓ Fixed

# .env — local secrets, NEVER committed to git
APP_ENV=production
DB_HOST=db.internal
DB_PASS=super_secret_password
STRIPE_SECRET=sk_live_...

# .env.example — template committed to git, no real secrets
APP_ENV=local
DB_HOST=localhost
DB_PASS=
STRIPE_SECRET=

# PHP — vlucas/phpdotenv
<?php
require __DIR__ . '/vendor/autoload.php';

$dotenv = Dotenv\Dotenv::createImmutable(__DIR__);
$dotenv->load();
$dotenv->required(['DB_HOST', 'DB_PASS', 'STRIPE_SECRET']); // fail fast if any key is missing

$dbPass = $_ENV['DB_PASS'];

# In production: set env vars at server/container level — don't deploy .env files

Added 15 Mar 2026
Edited 22 Mar 2026
Tools & Severity

Severity: High. Fix effort: Low.

Quick Fix: Use vlucas/phpdotenv to load .env in development; ensure .env is in .gitignore and .env.example documents all required keys without values.

Applies To: PHP 5.6+ (web, CLI, Laravel, Symfony)

Detection Hints: .env file committed to git; missing .env.example; API keys in PHP config files instead of env vars.

Auto-detectable: Yes (trufflehog, gitleaks, semgrep)

Triage metadata: Confidence: High; False positives: Low; Automated fix: No (manual fix, effort Medium); Context: File

CWE: CWE-312, CWE-526