I use Netbeans, and when I used the recommended method to protect sensitive config parameters, Netbeans gives a warning.
I am using the Laravel docs here: http://laravel.com/docs/configuration#protecting-sensitive-configuration
'key' => $_ENV['TEST_STRIPE_KEY']
and that raises the warning in the Netbeans code editor. Netbeans gives this recommended method as more secure:
'key' => filter_input(INPUT_ENV, 'TEST_STRIPE_KEY')
So my question is, does Laravel already sanitize input from the environment, or should I switch to using the Netbeans recommended way?
It's always better to make sure that array key exists before calling it. filter_input is fine.
I'm not sure about the sanitization part, but I've always used getenv('TEST_STRIPE_KEY'). The function doesn't throw an error if the key is not set, unlike calling $_ENV directly.
Unless you are letting users set the ENVs, I don't see why any sanitization is necessary. Typically only you would be setting those and they would be hard coded in your config files or .env.php files.
For example, in app/config/app.php I have 'url' => getenv('app.url'), the value of which is defined in /.env.local.php, and /.env.production.php.
Thanks for the replies. I like the getenv('key'), and the error goes away in NetBeans too.
Should we request that the official documentation be updated to suggest using getenv() instead of reading $_ENV directly?
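The difference discussed in this thread, as an added example that is not part of any post and is not Laravel's own code: getenv() returns false for a missing variable instead of raising a notice, so a config file should check for that and fail closed rather than pass false on as a key. The helper name require_env() is hypothetical, the key value is a constructed placeholder, and PHP 7.0 or later is assumed.

```php
<?php
// Added illustration, not code from the thread or from Laravel.
// require_env() is a hypothetical helper name. Assumes PHP 7.0 or later.

function require_env(string $name): string
{
    $value = getenv($name);   // string, or false when the variable is unset
    if ($value === false || trim($value) === '') {
        // Report the variable name only; never put a secret's value in a message.
        throw new RuntimeException("Required environment variable {$name} is not set");
    }
    return $value;
}

// Constructed placeholder standing in for a real key.
putenv('TEST_STRIPE_KEY=constructed-placeholder-value');

// putenv() changes the process environment but does not update $_ENV, and
// $_ENV is empty whenever variables_order in php.ini omits "E". The ??
// operator avoids the undefined-index notice that a bare $_ENV[...] raises.
$fromArray  = $_ENV['TEST_STRIPE_KEY'] ?? null;
$fromGetenv = require_env('TEST_STRIPE_KEY');

printf("\$_ENV has the key: %s\n", $fromArray === null ? 'no' : 'yes');
printf("getenv has the key: %s\n", $fromGetenv !== '' ? 'yes' : 'no');

// Remove the variable again and show the fail-closed path: the config array
// is never built with a false or empty key.
putenv('TEST_STRIPE_KEY');
try {
    $config = ['key' => require_env('TEST_STRIPE_KEY')];
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```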