Showing results for 
Search instead for 
Did you mean: 

Environment Variables vs. PHP Constants



In another thread where you were trying to help me out, you posted this code in a response...



// the following assumes you've put your credentials in somewhere
// as environment variables called "API_LOGIN_ID" and "TRANSACTION_KEY"
$loginId = getenv("API_LOGIN_ID");
$transactionKey = getenv("TRANSACTION_KEY");


What is the difference between an "environment variable" and a "PHP constant"?



To protect my API Login ID and Transaction key, I had originally planned to store them in my "config.php" file which is located in a directory outside of the public_html folder on my server.  (That is, stored outside of the webroot.)


My config.php file looks like this...


// Settings

// API Login ID
define('API_LOGIN_ID', '<my api login id>');

// Transaction Key
define('TRANSACTION_KEY', '<my transaction key>');



Then in whichever PHP script processes my payment form, I would include this...


 // Access Constants.




1.) Would that work the same as the "environment variables" you mentioned earlier?


2.) Is my approach above secure?










Hi @ssimons,


An "environment variable" generally refers to something that's set outside of your application, but that applies to the "environment" in which the program is running. For example, in your PHP program you can access environment variables about the PHP environment that's running. That can give you information about the PHP software version, or the server operating system, or what query string was used to call the program, or really anything that you see in the phpinfo() call.


Here's the PHP doc entry on the getenv() call to retrieve environment variables.


Generally speaking, the difference between a constant and a variable is that one is constant, and the other is, well, variable. :) From the standpoint of writing a program that depends on login strings like this, setting them in an environment variable, or reading them from a constants file would both work equally well. They're both ways of getting the information out of the script and into a seperate place. This is important because if your server breaks and accidentally serves the unprocessed PHP to the web browser, your credentials are not exposed.


Your approach of defining them as constants in the config.php file is just fine. Since that file is out of the webroot, it won't get returned to the browser accidentally. Retrieving those constants and using them in the script won't be any better or worse than defining them as environment variables. I just happened to already set mine up as environment variables, so when I copy the code, that's what it looks like. Your approach works equally well.

All Star

Thank you!