Settings file depends on superglobal $_ENV about slim4-skeleton HOT 3 CLOSED

Hi @DigiLive

Please note: Your example code contains a security issue, because somebody could change the environment from outside with a query string like https://www.example.com/?APP_ENV=development.

$settings['environment'] = $_GET['APP_ENV'] ?? getenv('APP_ENV');

My objective is to use a thread safe method to get my env vars. getenv is not thread-safe and thus I try not to use it anymore.
The discussion about that feature seems to be summarized in this statement: vlucas/phpdotenv#446 (comment).

Indeed, the population of superglobals like $_SERVER and $_ENV can depend on the server's configuration (variables_order in php.ini). To make it "really" work a code like this should work. This example uses getenv only as "fallback" when nothing works.

So simplified to our use case it should work like this:

$environment =  $_SERVER['APP_ENV'] ?? $_ENV['APP_ENV'] ?? getenv('APP_ENV');

from slim4-skeleton.

Of course it was supposed to be $_ENV.

I have absolutely no idea why I placed $_GET in there. 😳
I guess I was too busy with my mind mastering Slim 4 a bit. Anyway... My bad!

For now I'll be using:
$environment = $_SERVER['APP_ENV'] ?? $_ENV['APP_ENV'] ?? getenv('APP_ENV');
until I safe way presents itself.

Thank you very much.
While I don't have the intention to spam issues, I hope you don't mind my posting many comments and questions while I go trough the code of this skeleton.
I'm determined to understand how it operates.

from slim4-skeleton.

No problem. I like good questions :-)

from slim4-skeleton.