Join Training
Home/PHP/Deployment & Production Config
Building Real ApplicationsExtra· 35 min read

Deployment & Production Config

Get your PHP site onto the live internet — hosting, environment variables for secrets, and the php.ini settings that make a site production-safe.

What you will learn

  • Understand hosting options for PHP
  • Keep secrets out of code with environment variables
  • Apply the production settings that hide errors and stay safe

From localhost to live

Everything you have built runs on localhost — only you can see it. To show employers or clients, the site must be deployed to a server on the public internet with a real web address. Every paid course ends here, because a project nobody can visit is hard to put on a CV. The good news: PHP is the easiest language to host — cheap shared hosting runs it everywhere.

OptionGood for
Shared hosting / cPanelCheapest; upload files via the file manager or FTP
A VPS (e.g. DigitalOcean)Full control; you install PHP and a web server yourself
Platform hosts (Railway, Render)Push from Git and it deploys for you

The simplest path for a beginner: a shared host with cPanel. You upload your files to the public_html folder (by FTP or the web file manager), create a MySQL database in the control panel, and the site is live at your domain.

Keep secrets out of your code

Your database password and API keys must never be hard-coded in files you commit to Git — anyone who sees the code would have them. Instead you use environment variables: secret values stored *on the server*, outside your code. A common approach is a .env file (loaded by a Composer package like vlucas/phpdotenv) that you keep off Git.

.env file holds secrets, kept out of Git
# .env  (NEVER committed to Git)
DB_HOST=localhost
DB_NAME=myapp
DB_USER=appuser
DB_PASS=super-secret-password

The .env file lists each secret as NAME=value. You add .env to your .gitignore so it is never uploaded to a public repository. A library reads these into PHP, where you access them with getenv() or $_ENV — so the code refers to $_ENV["DB_PASS"] instead of containing the actual password.

Use the secrets without writing them in code
<?php
  // config.php reads secrets from the environment
  $host = $_ENV["DB_HOST"];
  $db   = $_ENV["DB_NAME"];
  $user = $_ENV["DB_USER"];
  $pass = $_ENV["DB_PASS"];

  $pdo = new PDO("mysql:host=$host;dbname=$db", $user, $pass);
?>

Now config.php pulls each value from $_ENV — the secrets live only in the .env on the server, never in the code itself. The same code runs on your laptop and on the live server; only the .env differs. Share the code freely; the secrets stay private.

Note: No visible output — this is configuration. The win is safety: you can push this config.php to a public GitHub repo with zero risk, because it contains no real passwords. This is standard practice in every professional project and exactly how Laravel’s .env works.

Production php.ini settings

A live server must behave differently from your development machine. The most important change: stop showing errors to visitors (they leak information and look broken) while still logging them for you.

php.ini: hide errors in production, log them instead
; php.ini on the LIVE server
display_errors = Off      ; never show errors to visitors
log_errors = On           ; but record them for you
error_log = /var/log/php_errors.log

; on your LOCAL machine you want the opposite:
; display_errors = On      ; so you can see and fix problems

On the live server, display_errors = Off ensures a visitor never sees a raw PHP warning (which could reveal file paths or query details). log_errors = On with an error_log path means those problems are quietly written to a file you can read. On your own machine you flip display_errors back On, because there you *want* to see errors immediately to fix them.

Note: There is no page output here. The effect is what users *do not* see: instead of an ugly error dump, a production visitor gets your friendly message (from the exceptions lesson) while the technical detail lands safely in the log. Hiding errors in production is a non-negotiable security and professionalism step.

Watch out: Before going live, double-check: display_errors is off, secrets are in .env (not in code), the database user has a strong password, and you are serving over HTTPS. These four checks prevent the most common beginner deployment mistakes.

Q. On a live production server, what should display_errors be set to?

Answer: In production set displayerrors = Off (never leak details to visitors) and logerrors = On so problems are recorded privately for you to fix.

✍️ Practice

  1. Move your database credentials out of code into a .env file and read them with $_ENV.
  2. Write the two php.ini lines that hide errors from visitors but log them.

🏠 Homework

  1. Deploy one of your PHP projects to a free or cheap host, using a .env for secrets and production-safe php.ini settings, and share the live URL.
Want to learn this with a mentor?

CodingClave runs guided, project-based training (28-day, 45-day & 6-month batches).

Explore Training →