CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

Environment Variables

linux PHP 5.0+ Intermediate
debt(d9/e3/b5/t9)
d9 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'silent in production until users hit it' (d9). The detection_hints indicate automated detection is 'no', and tools listed (phpinfo, php-fpm-status) require manual inspection. The symptom — getenv() silently returning empty — only surfaces at runtime when application logic fails, with no compiler, linter, or static analysis catching the missing clear_env=no in FPM pool config. Users hit a mysterious empty-value bug in production with no warnings.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix describes adding env[APP_ENV] = production lines to the PHP-FPM pool config or setting vars in /etc/environment — a small targeted change in one or two config files. However a restart is also required, and .env/git hygiene issues may need addressing across repos, nudging slightly above e1 but remaining localised.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). The applies_to covers both web and CLI contexts, and the tags span linux, php, devops, and security — a broad cross-cutting concern. Every deployment, environment promotion, and secret rotation must account for how env vars flow through FPM pool config. It slows multiple work streams (devops, backend dev, security review) without being fully architectural.

t9 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'catastrophic trap' (t9). The misconception field explicitly names the trap: developers universally assume PHP-FPM inherits shell environment variables as other runtimes do, but clear_env=yes is the default, silently discarding all system env vars. The 'obvious' approach — setting vars in shell/systemd and calling getenv() — always returns empty in FPM. This directly contradicts behaviour in CLI PHP, Apache mod_php, and virtually every other runtime, making it a maximum-severity cognitive trap.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-07 · reviewed by human

Also Known As

env vars getenv .env process environment

TL;DR

Key-value pairs inherited by child processes — the standard way to pass configuration, credentials, and runtime settings to PHP applications without hardcoding.

Explanation

Environment variables are set in the shell (export VAR=value), in process supervisors (systemd Environment=, Supervisor environment=), in Docker (ENV, --env), or in .env files loaded at application startup. In PHP: getenv('VAR'), $_ENV['VAR'], or $_SERVER['VAR']. PHP-FPM does not automatically inherit the server environment — use env[VAR] = $VAR in the FPM pool config or clear_env=no. Variables are process-scoped: a child process cannot modify the parent's environment.

Common Misconception

PHP-FPM automatically inherits the server's environment variables — PHP-FPM clears the environment by default (clear_env=yes); vars must be explicitly passed in the pool config.

Why It Matters

Environment variables are the twelve-factor standard for configuration — understanding how they flow from OS to PHP-FPM to application prevents the common 'getenv() returns empty' mystery.

Common Mistakes

  • clear_env=yes (default) in PHP-FPM — getenv() returns empty for all system env vars.
  • Storing secrets in .env files committed to git — .env must be in .gitignore.
  • Using putenv() to set vars in PHP — only affects the current process, not parent or sibling processes.
  • Not restarting PHP-FPM after changing environment variables — processes inherit env at startup only.

Code Examples

✗ Vulnerable 
; PHP-FPM default — clears all environment:
; /etc/php-fpm.d/www.conf:
; clear_env = yes  (default)

; PHP code:
echo getenv('DB_HOST'); // Returns false/empty!
// Mystery: var is set in /etc/environment but FPM cleared it
✓ Fixed 
; Option 1 — explicit pass-through in FPM pool:
clear_env = no  ; Pass all environment vars through

; Option 2 — explicit declarations (more secure):
env[DB_HOST] = $DB_HOST
env[DB_PASS] = $DB_PASS
env[APP_ENV] = production

; PHP:
$host = getenv('DB_HOST');  // Now works
$host = $_ENV['DB_HOST'];   // Also works
$host = $_SERVER['DB_HOST']; // Also works
Added 16 Mar 2026
Edited 5 Apr 2026
Views 73

Curated in Warsaw under one editorial standard. 1,463 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 0 pings S 0 pings M 1 ping T 2 pings W 0 pings T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 2 pings S 0 pings S 1 ping M 0 pings T 1 ping W 1 ping T 1 ping F 0 pings S 0 pings S 0 pings M 0 pings T 3 pings W
Agents 3
Amazonbot 1 ChatGPT 1 Perplexity 1
No pings yesterday
Amazonbot 15 ChatGPT 12 Perplexity 11 Google 6 SEMrush 4 Unknown AI 3 Ahrefs 3 Bing 2 Majestic 1
Also referenced
.env Files & Environment Variables 108 PHP-FPM 41 Hardcoded Credentials 37 Secrets Management 31
How they use it
crawler 53 crawler_json 3 pre-tracking 1
Related categories
php 9.3k security 5.5k linux 670
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Low
⚡ Quick Fix
Set PHP environment variables in the PHP-FPM pool config (env[APP_ENV] = production) or system-level via /etc/environment — they're inherited by all PHP-FPM child processes automatically
📦 Applies To
PHP 5.0+ any web cli
🔗 Prerequisites
🔍 Detection Hints
Environment variables not available in PHP-FPM when set only in shell; missing clear_env=no in FPM pool config
Auto-detectable: ✗ No phpinfo php-fpm-status
⚠ Related Problems
🤖 AI Agent
Confidence: Medium False Positives: Medium ✗ Manual fix Fix: Medium Context: File
CWE-526 CWE-312
✓ schema.org compliant