I am curious if doing something like setting your “environment” to Production, Dev, Staging, etc. based on a domain name such as dev.domain.com, staging.domain.com is a bad idea.
Can somebody just edit their hosts file to point dev.domain.com to domain.com so now the system thinks it’s in Dev when it really is in Prod? This would mean any Dev-specific code will be run by a complete stranger.
Is this possible or is there a better way to determine your environment such as setting it manually in a server variable?
For reference, I am using PHP.
I would set the environment in a server variable on the machine. This allows you to control it during deployment and it cannot be mucked around with by people who are not authorized to do so. Although if you are worried about developers inadvertently connecting to production, that is a whole other issue. You should be controlling access to production credentials via some other process such as JNDI (in the Java world) or environment keys replaced at runtime or deploy time (works in any language).
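The difference between the two approaches discussed above, as an added PHP example that is not part of the original question or answer. The variable name `APP_ENV`, the function names and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of environment names (PHP 8+ for str_starts_with).
const ALLOWED_ENVS = ['production', 'staging', 'dev'];

/**
 * Weak form: the environment is derived from the Host header.
 * That header is supplied by the client, so the caller chooses the result.
 */
function envFromHost(array $server): string
{
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    if (str_starts_with($host, 'dev.')) {
        return 'dev';
    }
    if (str_starts_with($host, 'staging.')) {
        return 'staging';
    }
    return 'production';
}

/**
 * Hardened form: the environment comes from a variable set on the machine
 * at deploy time. Missing or unrecognised values fall back to 'production',
 * so a misconfiguration never enables dev-only code paths.
 */
function envFromServer(string|false $raw): string
{
    $value = strtolower(trim((string) $raw));
    return in_array($value, ALLOWED_ENVS, true) ? $value : 'production';
}

// Constructed sample: a request that names the dev host, arriving at a
// machine whose deploy-time variable (assumed name APP_ENV) says production.
$request    = ['HTTP_HOST' => 'dev.domain.com'];
$deployTime = 'production';

printf("Host header says:     %s\n", envFromHost($request));
printf("Server variable says: %s\n", envFromServer($deployTime));
printf("Variable unset:       %s\n", envFromServer(false));

// In an application, pass the real process value instead of the sample:
// $env = envFromServer(getenv('APP_ENV'));
```

The fallback to `production` is a design choice in this sketch: the most restrictive environment is the default, so debug output or test endpoints only turn on when the operator explicitly sets a non-production value.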