• Posted on February 21, 2015

PHP - Check if Production or Sandbox

When developing a site, it’s usually best to work on it on a local sandbox (development) server. This will allow you to quickly test the site without having to upload the files. Also, when working on a sandbox server, you have full control of the software that is running. This lets you test the code on various platforms, servers, PHP versions, and all sorts of other stuff.

But there is a downside to working on a local server: when you are finished, you usually have to modify the configuration file and maybe a few other files so that the site will work on the production server. These are basic things like database settings, API tokens, and switching from uncompressed JS to the compressed JS files. This gets old quickly, and you will end up looking for a way to detect whether you are on a sandbox server so that it can all be handled in the website code. Below are a few methods I came across, the first one being my preferred method.

Detecting Using Environment Variables

On the sandbox server, create a new environment variable such as SANDBOX_SERVER, or a similar name that is unique. The PHP code then checks whether the environment variable exists; if it does, you are on the sandbox server, otherwise you are on the production server. We set the variable on the sandbox server and not the production server for two reasons: it’s quicker to edit sandbox variables without causing problems, and it’s more secure, because if the variable by chance doesn’t exist, the site shows the production server content instead of the sandbox content (which may contain debug information).

Setting Environment Variables in Windows 8.1

  1. Right click on the Start Button Icon
  2. Click on “System” in the context window that appears
  3. On the sidebar of the Control Panel, click on “Advanced System Settings”
  4. On the bottom of the screen that appears, click the button for “Environment Variables”
  5. Under “User variables for Name,” click on “New” and set the variable name and value. I set the value to 1 and the name to SANDBOX_SERVER

Edit PHP.ini File

We need to edit the PHP.ini file since in most cases it doesn’t allow for the environment variables to be passed onto the site. This only needs to be done on the sandbox server since the production server doesn’t need to check for the variable.

  1. Open the PHP.ini file. This can be in a number of places, too many to list.
  2. Find the line with the variable variables_order. If that doesn’t exist add that variable anywhere under [PHP]
  3. Edit the value of the variable to include E so it looks similar to variables_order = "EGPCS"
  4. Restart PHP / Web Server.

The PHP Code

$SandboxKey = "SANDBOX_SERVER";
if(isset($_ENV,$_ENV[$SandboxKey]) && $_ENV[$SandboxKey] == 1) {
	/* Sand Box */
	define('DB_HOST','localhost');
}else{
	/* Production */
	define('DB_HOST','db.example.com');
}
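
An added example, not code from the original post: a variant of the environment-variable check that reads the marker with getenv() and matches it strictly, so every state other than SANDBOX_SERVER=1 falls through to production. The names is_sandbox() and load_settings() and the debug key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. SANDBOX_SERVER and the DB hosts come from the article;
// is_sandbox(), load_settings() and the 'debug' key are hypothetical names.

/**
 * True only when the marker variable is exactly "1".
 * Unset, empty or unexpected values all fall through to production,
 * so a missing variable can never switch sandbox settings on.
 */
function is_sandbox(string $key = 'SANDBOX_SERVER'): bool
{
    // getenv() reads the process environment directly: it does not depend
    // on variables_order containing "E", and it works under CLI and cron.
    $value = getenv($key);
    return is_string($value) && $value === '1';
}

function load_settings(): array
{
    if (is_sandbox()) {
        return ['db_host' => 'localhost', 'debug' => true];
    }
    return ['db_host' => 'db.example.com', 'debug' => false];
}

// Constructed cases: marker value (null = unset) => expected debug flag.
$cases = [
    [null,   false],
    ['',     false],
    ['0',    false],
    ['true', false],
    ['1',    true],
];

foreach ($cases as [$marker, $expected]) {
    // putenv('NAME') removes the variable, putenv('NAME=value') sets it.
    putenv($marker === null ? 'SANDBOX_SERVER' : "SANDBOX_SERVER=$marker");
    $settings = load_settings();
    printf(
        "%-8s db_host=%-15s debug=%-5s %s\n",
        var_export($marker, true),
        $settings['db_host'],
        var_export($settings['debug'], true),
        $settings['debug'] === $expected ? 'ok' : 'MISMATCH'
    );
}
```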

Detecting Using a File

If you create a file on your sandbox server that the production server won’t have, for instance sandbox_server.txt, you can use that to detect what server your site is running on.

/* file resolves to "../sandbox_server.txt" in relation to this file */
$SandboxFile = dirname(__DIR__).'/sandbox_server.txt';
if(file_exists($SandboxFile)) {
	/* Sand Box */
}else{
	/* Production */
}

Detect Using IP Address

This is a really common method people use to detect if a server is sandbox or production, and I don’t know how it’s so popular since it is really bad. It only works for the website, because $_SERVER['REMOTE_ADDR'] is only set for web requests: it won’t work for any cron jobs, and it won’t work if you run a PHP script through terminal / cmd.

if(isset($_SERVER,$_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] == '::1') {
	/* Sand Box */
}else{
	/* Production */
}

Detect Using Host Name

This is yet another really common way the server type is detected, and again one that I avoid due to possible security issues. The problem with this detection method is that any HTTP request can be changed to have a Host of localhost, and most servers have a “catch-all” setting so the site gets displayed even if the host name doesn’t match. An attacker can fake the hostname and possibly see developer information that was meant for debugging the site or for easily editing the database during development, which could lead them to data they are not supposed to see. Also, this method only works for the actual site and not for cron jobs or PHP executed using terminal / cmd.

if(isset($_SERVER,$_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] == 'localhost') {
	/* Sand Box */
}else{
	/* Production */
}