Why use .ENV? What’s wrong with storing secrets in a config.php file outside root directory?

Seems to be the general practice these days is to store secrets (e.g., DB, API credentials) in a .ENV file then load it to $ _ENV and $ _SERVER automatically. This popular library does that and it’s even encouraged as best practice. This library takes it a step further and encrypts the value inside the .ENV file.

They say the whole purpose is to easily manage dev/production configs and to minimize config files being pushed to version control. On top of “never store sensitive credentials in your code”.

One glaring issue about this is a simple injection of print_r($ _SERVER)or print_r($ _ENV) in your code will reveal everything. Or, if you forgot to delete phpinfo.php, all is lost! There are also other ways it could leak (e.g., logs).

I’m quite baffled that this practice is prevalent or maybe I’m just missing something.

Is there anything particularly wrong with the good old config.php stored outside document root? I mean you could put that in git ignore too and it’s not going to be part of your code at all. You can even encrypt it too. Why use .ENV?

Update:

Here’s an article that agrees to my sentiments

Como usar um .env compartilhado para várias aplicações Laravel?

Tenho várias aplicações Laravel e um único banco MySQL, preciso usar apenas uma conexão para evitar ter que mudar a senha de conexão em todas as aplicações. Estou procurando ideias, eu até pensei em criar um arquivo com as variáveis de conexão na mesma pasta dos projetos, mas não obtive sucesso. Me ajudem por favor.

How to set command output as env. variable in windows cmd?

I have saved azure storage key in key vault and i want to retrieve the key using Azure cli and set it as env. variable in window cmd before i run terraform script.

Below listed command doesn’t work, can anyone tell me what needs to be changed ?

set ARM_ACCESS_KEY=$ (az keyvault secret show –name terraform-backend-key –vault-name myKeyVault)

How to rename file .env of docker project ?

Hello,
I have small docker(version: '3.1') project with laravel 5 app
I have file .env where some path vars are set abd in docker-compose.yml these vars are set.
Looks like .env is config file by default and I would like to change name of this config file,
as my laravel app also has .env file and that raise some confusion in the project.
If there is a way to rename .env of docker project and where such option can be set ?

Thanks!

Multiplos .env laravel 5

Eu tenho um dominio no servidor onde subi uma aplicação em laravel. Criei um subdomunio e subi a mesma aplicação para esse subdominio, porém o subdominio está buscando as informações do mesmo .env, que fica na raiz do projeto (dominio principal). Gostaria de poder setar as informações para outro arquivo .env para o subdominio, de modo q as aplicações ficassem distintas uma da outra.