---
title: Do Not Hardcode Configuration
impact: HIGH
impactDescription: enables environment-specific deployments without code changes
tags: configuration, environment, deployment, quality, php
---

## Do Not Hardcode Configuration

Configuration values that vary between environments (Staging, Production, Local) should never be hardcoded in the source code. Hardcoding these values requires code changes and deployments for simple configuration updates and prevents the creation of portable builds.

**Incorrect (hardcoded config):**

```php
// Hardcoded API URLs and limits
$apiUrl = 'https://api.production.example.com';
$timeout = 30;
$maxUploadSize = 10485760; // 10MB
```

**Correct (externalized config):**

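Plain PHP, reading environment variables (for example, loaded from a `.env` file):

```php
// Fall back to local-development defaults when the variable is unset
$apiUrl = getenv('API_URL') ?: 'http://localhost:8000';
$timeout = (int)(getenv('API_TIMEOUT') ?: 30);
```

Laravel (recommended: use config files that pull from env):

```php
// config/services.php
// Call env() only inside config files: once the configuration is cached
// (php artisan config:cache), .env is not loaded and env() elsewhere returns null.
return [
    'external_api' => [
        'url' => env('EXTERNAL_API_URL', 'https://api.staging.example.com'),
        // Environment values arrive as strings, so cast numeric settings
        'timeout' => (int) env('EXTERNAL_API_TIMEOUT', 30),
    ],
];
```

```php
// Usage in a service: read through config(), never env() directly
$url = config('services.external_api.url');
```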

**Why externalize configuration?**
- **Portability**: The same code can run in Dev, Staging, and Production by changing only the `.env` file or environment variables.
- **Security**: Sensitive configuration (like API keys) is kept out of the codebase (see rule **C041**).
- **Flexibility**: Change values (like timeouts or feature flags) without re-deploying or re-building the application code.

**Best Practices:**
1. Provide sensible defaults for local development.
2. Validate required configuration at application startup.
3. Use a single source of truth for configuration (e.g., Laravel's `config/` directory).
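
Best practices 1 and 2 combined, as an added example that is not part of the original rule: a plain-PHP loader that applies defaults only in local development and fails fast on invalid values. `API_URL` and `API_TIMEOUT` come from the snippets above; `APP_ENV`, `API_KEY`, the 1 to 120 second range and the function name `loadConfig` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Build a typed config array from environment values, collecting every
 * problem so one startup failure reports all of them.
 * APP_ENV and API_KEY are assumed names, not taken from the rule.
 */
function loadConfig(array $env): array
{
    $errors = [];
    $appEnv = $env['APP_ENV'] ?? 'local';

    // Defaults exist only for local development; other environments must be explicit.
    $apiUrl = $env['API_URL'] ?? ($appEnv === 'local' ? 'http://localhost:8000' : null);
    if ($apiUrl === null || filter_var($apiUrl, FILTER_VALIDATE_URL) === false) {
        $errors[] = 'API_URL must be set to a valid URL';
    } elseif ($appEnv !== 'local'
        && strtolower((string) parse_url($apiUrl, PHP_URL_SCHEME)) !== 'https') {
        $errors[] = 'API_URL must use https outside local development';
    }

    // Reject non-numeric or out-of-range values instead of silently casting them to 0.
    $timeout = filter_var($env['API_TIMEOUT'] ?? '30', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 120]]);
    if ($timeout === false) {
        $errors[] = 'API_TIMEOUT must be an integer between 1 and 120';
    }

    // Report that a secret is missing, never its value.
    $apiKey = $env['API_KEY'] ?? '';
    if ($apiKey === '') {
        $errors[] = 'API_KEY is required';
    }

    if ($errors !== []) {
        throw new RuntimeException('Invalid configuration: ' . implode('; ', $errors));
    }
    return ['api_url' => $apiUrl, 'timeout' => $timeout, 'api_key' => $apiKey];
}

// Constructed sample input; at real startup pass getenv() (no arguments) or $_ENV.
try {
    loadConfig(['APP_ENV' => 'production', 'API_URL' => 'http://api.example.com', 'API_TIMEOUT' => 'abc']);
} catch (RuntimeException $e) {
    error_log($e->getMessage()); // a real bootstrap would stop here with a non-zero exit
}
```

Run the loader once during bootstrap and pass the returned array to the rest of the application, so no other code reads the environment directly.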

**Tools:** PHP Dotenv (`vlucas/phpdotenv`), Laravel/Symfony Config components, PR review
