storing app settings

cold

storing settings in php files like this:

File : settings.php
<?php
$settings['cacheDir']='cache_directory';
$settings['templateDir']='template directory';
?>

File: index.php
require_once("settings.php");

is is secure enough or should i store those settings in constants instead?
i mean..is there any chance that the user can override those settings when accessing the index.php page from the web?

regards

sid

if coded properly and register_globals is off (if you are using php5 chances are it is), this should be a good way to do it. in fact, even if the globals are on, it shouldnt be a huge issue the way you describe it.

NogDog

If these settings should not be modified in any way while your script is running, it might be a little safer to define them as constants. In this case, "safer" probably isn't so much an issue of preventing malicious changes as it is to prevent inadvertent changes by your code or third-party code you are utilizing.

<?php
define('CACHE_DIR', 'cache_directory');
define('TEMPLATE_DIR', 'template directory');
?>

This has the added benefit that constants are automatically in the global scope.

sid

i agree - both points that nogdog made are the main reasons based on which you (or at least i) should decide whether to use constants or variables.

MarkR

For preference, settings like cache and template directories should be worked out dynamically at runtime.

If you cannot work them out at runtime, then place all the settings that need to be changed between different instances (dev, staging, production etc) into a single file - I think define() constants are probably best.

The reason to calculate things at runtime where possible is that it reduces the chance of it being wrong. Less configuration is always better.

Mark

wmhop

I have a similar question. If I want my script to use one set of variable values when running from my development server and another set of values when running from the production server, how do I get the script to recognize which server it is running from? Would there be any problems with using a conditional statement that checks the value of $_SERVER['SERVER_NAME']?

sid

here is how i do that:
drive W:/ is on my windows development machine the apache root directory. however - you can really choose any server specific information to set your DEVSERV constant. i have settings like config file locations in here f.ex., so they are outside of the http root on the production server, but i can leave them in dir within my project on my dev machine.

define('DEVSERV', ("W:/" == $_SERVER['DOCUMENT_ROOT'] ? true : false));

if (DEVSERV == true) {
    //define variable set for development server
}
else {
    //define variable set for development server and also turn off error reporting
    ini_set('display_errors', "off");
}

wmhop

thanks