Sensitive credentials in Slim 4 project

After exploring some resources

and for Slim 3

I still have some questions about this matter:

  1. Should phpdotenv be used in a Slim 4 project or not?
  2. If so, how do I configure and use phpdotenv correctly in a Slim 4 project?

Thanks in advance.


Maybe I was using it incorrectly, but when I used vlucas/phpdotenv with more than 1 website on the same server, using different credentials or different databases, they seemed to overwrite each other.

So, if a request came in on the first website and then a request on the other website before the first request was completed, the creds from the second request would be used if they were needed in the first request, causing issues.

Because of this issue, I prefer to use a simple php array and I use selective/config to access the items. I use an example settings file and have composer or the user copy it for use.

I hope that answers at least part of your question.


Thank you for your answer. I’ll try your solution.

Thanks again to @darkalchemy for the solution.
I tried to implement selective/config, and, for today, it works in my Slim 4 project. Especially, “Injecting the configuration” is very convenient.

In my project, the base URL of some images is concatenated with the image's name. These image names are written in the MySQL DB.

So, to get the image names and the base URL together in the server response:

  1. phpdotenv (it doesn't work):

    $baseUrlImg = getenv('BASE_URL_IMAGE');
    $sql = "SELECT id, CONCAT ('$baseUrlImg','product_img_dir/', img) AS img, name FROM products";

  2. selective/config (it works)

    $baseUrlImg = $this->config->getString('base_url.base_url_img');
    $sql = "SELECT id, CONCAT ('$baseUrlImg','product_img_dir/', img) AS img, name FROM products";

Sorry, but I still wonder: is it safe enough to keep sensitive credentials in the settings.php of a Slim 4 project?

Thanks in advance.

I think as long as you don’t commit settings.php to git repo and it’s not in the root folder of your website and your webserver is set up correctly, it’s as safe as it can be.


A typical application begins with three environments: dev (for local development), prod (for production servers) and test (for automated tests).

Each environment differs only somewhat from others. This means that all environments share a large base of common configuration, which can be stored in a file like: config/defaults.php.

  • While developing, you want to log everything and expose nice debugging tools;
  • After deploying to production, you want that same application to be optimized for speed and only log errors.

These settings can be stored in environment-specific files, like config/development.php and config/production.php. Please note: You must not store sensitive passwords in these files.

To store the secret credentials you should use a special file like env.php. This file should be excluded from version control and must never be committed into the git repo.

Then you merge all these 3 files in this order into a single array:

In config/settings.php:

  1. Load config/defaults.php
  2. Load if exists: config/env.php or ../../env.php (on your prod server)
  3. In env.php load the environment config file:
    • config/development.php or
    • config/production.php or
    • config/testing.php
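
The merge order described in the post above, as an added example (not part of the original thread and not the poster's or Slim's own code). The `loadSettings()` function, the convention that `env.php` returns a closure, and all sample values are assumptions; the three files are constructed and written to a temp directory so the script runs stand-alone (PHP 7.3+).

```php
<?php
declare(strict_types=1);
// Hypothetical loader for config/settings.php, following the merge order in the post.
function loadSettings(string $configDir): array
{
    // 1. Shared base configuration; contains no secrets.
    $settings = require $configDir . '/defaults.php';

    // 2. env.php: next to the config locally, outside the project tree on prod.
    foreach ([$configDir . '/env.php', $configDir . '/../../env.php'] as $envFile) {
        if (is_file($envFile)) {
            // 3. env.php (assumed to return a closure) merges the environment file, then sets credentials.
            return (require $envFile)($settings);
        }
    }

    // Fail closed instead of running with the empty default credentials.
    throw new RuntimeException('env.php not found');
}

// --- Constructed sample files so the script runs stand-alone ---
$dir = sys_get_temp_dir() . '/slim-config-' . bin2hex(random_bytes(4));
mkdir($dir, 0700, true);

file_put_contents($dir . '/defaults.php', <<<'PHP'
<?php
return [
    'error' => ['display_error_details' => false],
    'db' => ['host' => 'localhost', 'username' => '', 'password' => ''],
];
PHP);

file_put_contents($dir . '/development.php', <<<'PHP'
<?php
return ['error' => ['display_error_details' => true]];
PHP);

// Untracked file (listed in .gitignore): the only place where credentials appear.
file_put_contents($dir . '/env.php', <<<'PHP'
<?php
return function (array $settings): array {
    $settings = array_replace_recursive($settings, require __DIR__ . '/development.php');
    $settings['db']['username'] = 'app_dev';             // constructed value
    $settings['db']['password'] = 'example-only-secret'; // constructed value
    return $settings;
};
PHP);
print_r(loadSettings($dir));
```

Because `array_replace_recursive()` overrides only the keys the later file defines, `db.host` from `defaults.php` survives while `display_error_details` and the credentials come from the environment and `env.php` layers.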