Should server/database config files, including passwords, be stored in source control?

Question

I\'m looking to hear some best practices...

Assuming a web application that interacts with a few different production servers (databases, etc.)... should the configu

Answer 1

Without a proper build process, I'm using this strategy (for PHP apps):

1. Make a folder /etc/companyname

2. In it, place two files:

    array( /* credentials */ ),
     /* other host-specific conf data */
   ); 
   

3. Make both files readable only by your PHP process

Now your app's config file will be something like:

With this in place, the environment defines the credentials used, and you can move code between pre-configured environments (and control some options with $env). This, of course, can be done with server environment variables, but this a) is simpler to setup and b) doesn't expose credentials to every script on the server (won't show up in a stray debugging junk like phpinfo()).

For easier reading outside PHP you could make the credential files JSON or something and just put up with the tiny performance hit (APC won't cache them).