Using environment variables in PHP

ENV vars help to create and shape the environment in which your code runs.


You probably run at least two deployments of your App: a local one for development and one in the cloud (here on fortrabbit) for production. Both instances probably have access to a database. Your local MySQL, of course, has different credentials than the remote one. Your config file, which stores this information, is under Git version control. So how do you deal with different environment-specific configurations of one App?


Use environment variables to keep local configurations out of the main code base.

ENV vars in PHP

You can access your ENV vars from PHP either using the global variable $_SERVER or the function getenv():

echo $_SERVER["MY_ENV_VAR"];
# or
echo getenv("MY_ENV_VAR");

Adding ENV vars

You can add ENV vars to your App in the Dashboard > Your App > Settings > ENV Vars. The input supports the dotenv format and allows you to create or update multiple variables at once.


ENV var types

There are four different kinds of ENV vars which are available to your App at runtime.

Custom ENV vars

These are the ones you add yourself in the Dashboard.

App ENV vars

These generic ENV vars cannot be overwritten by you. They are always available.

  • APP_NAME contains the name of your App
  • APP_SECRETS contains the path to a JSON encoded file containing App Secrets

Stack ENV vars

Depending on what you have selected in the Software chooser when creating your App, additional ENV vars will be pre-created (seeded) for you. For example: when choosing Laravel, the ENV var APP_KEY with a random, 32 char long string will be created (among others).

You can replace or remove those Stack ENV vars after App creation the same way you can replace or remove your manually created ENV vars.

Dynamic ENV vars

Dynamic ENV vars become available if you have enabled "Dynamic ENV vars" in the Dashboard, which is the default for new Apps. They contain access details for services offered by fortrabbit. You can find them in the Dashboard > Your App > ENV vars on the right-hand side.

They will never overwrite existing, manually created ENV vars. This means: if you manually create an ENV var, we guarantee that we won't replace its value with a dynamically generated ENV var.

The following dynamic ENV vars are available:

MySQL (All Universal Apps or Professional App Component)

  • MYSQL_DATABASE: Contains the App's database name
  • MYSQL_HOST: Contains the App's database hostname
  • MYSQL_PASSWORD: Contains the App's database password
  • MYSQL_PORT: Contains the App's database port
  • MYSQL_USER: Contains the App's database user

Object Storage (Professional App Component)

  • OBJECT_STORAGE_BUCKET: Contains the App's bucket name
  • OBJECT_STORAGE_KEY: Contains the App's bucket access key
  • OBJECT_STORAGE_REGION: Contains the App's bucket region
  • OBJECT_STORAGE_SECRET: Contains the App's bucket access secret
  • OBJECT_STORAGE_SERVER: Contains the App's Object Storage API server

Memcache (Professional App Component)

  • MEMCACHE_COUNT: Contains the number of available Memcache hosts (Production plan: 2, otherwise: 1)
  • MEMCACHE_HOST1: Contains the first Memcache node hostname
  • MEMCACHE_PORT1: Contains the first Memcache node port
  • MEMCACHE_HOST2: Contains the second Memcache node hostname (if using a Production plan)
  • MEMCACHE_PORT2: Contains the second Memcache node port (if using a Production plan)

Nested variables

You can use simple nested variables in your custom ENV vars. Simple means that you can set variables that reference other variables which contain a plain value, for example:

# will work:

We do not support multiple levels of interpolation, which means that a variable cannot reference another variable that in turn references yet another variable, for example:

# will not work:

ENV vars vs security

Storing credentials (passwords, secrets, etc.) in environment variables is not without risk. They can be exposed due to programming errors or oversights. Please read an in-depth discussion in our Blog. We offer a convenient solution for this problem with our App secrets.

ENV var validation

The Dashboard applies strict validation rules to ENV vars as you enter them. Characters like the "$" sign can be harmful on Linux systems. Here is the regex we use to validate the ENV var input in the Dashboard:

/^[\p{L}\p{N}\ _\-\+=\.,:;\?!@~%&\*\(\)\[\]\{\}<>\/\\#]+$/u

So sometimes, when you want to store an external API key as an ENV var, you might get a validation error like: "Variable value contains invalid characters". If you cannot change the value of your ENV var, you can encode it for storage and decode it in your code:

Encode and decode ENV vars

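Use a base64-encoded string and decode it when applying it to your configuration in your code. Encoding works like this (the value is passed as a single-quoted shell argument, so the shell does not expand the "$" inside it before PHP sees it):

php -r 'echo base64_encode($argv[1]) . PHP_EOL;' -- 'YOUR-M$Pa#A-VALUEx'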

And this example should give you an idea of how to do the decoding.
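A decoding sketch for the step above, added here as an example and not fortrabbit's own code. The ENV var name API_KEY_B64 and the helper names are assumptions, and putenv() only stands in for the value you would set in the Dashboard. It also checks the sample value against the validation regex quoted on this page, before and after encoding.

```php
<?php
declare(strict_types=1);

// Dashboard validation regex, copied verbatim from this page (nowdoc avoids re-escaping).
const DASHBOARD_VALUE_REGEX = <<<'RE'
/^[\p{L}\p{N}\ _\-\+=\.,:;\?!@~%&\*\(\)\[\]\{\}<>\/\\#]+$/u
RE;

/** True when $value would pass the Dashboard regex as typed. */
function passesDashboardValidation(string $value): bool
{
    return preg_match(DASHBOARD_VALUE_REGEX, $value) === 1;
}

/**
 * Read a base64-encoded ENV var and return the decoded secret.
 * Fails closed: a missing or malformed value throws instead of yielding
 * an empty or partial credential. Messages name the variable, never its value.
 */
function envBase64(string $name): string
{
    $encoded = getenv($name);
    if ($encoded === false || $encoded === '') {
        throw new RuntimeException("ENV var {$name} is not set");
    }
    // Strict mode returns false for characters outside the base64 alphabet.
    $decoded = base64_decode($encoded, true);
    // The round trip enforces the canonical padded form base64_encode() produces,
    // which also catches truncated or whitespace-padded values.
    if ($decoded === false || base64_encode($decoded) !== $encoded) {
        throw new RuntimeException("ENV var {$name} is not valid base64");
    }
    return $decoded;
}

// Constructed demo using the sample value from this page.
$raw     = 'YOUR-M$Pa#A-VALUEx';
$encoded = base64_encode($raw);

var_dump(passesDashboardValidation($raw));     // raw value contains "$"
var_dump(passesDashboardValidation($encoded)); // base64 uses only letters, digits, "+", "/", "="

putenv("API_KEY_B64={$encoded}");              // assumption: stands in for the Dashboard entry
var_dump(envBase64('API_KEY_B64') === $raw);   // decoded value matches the original
```

Base64 is an encoding, not encryption: the decoded secret is as exposed as any other ENV var value.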
