Hello there
Question
I have just tested successfully the PEAR Mail package from http://email.about.com/od/emailprogrammingtips/qt/et073006.htm to send an email.
Nevertheless, before uploading any code like this to a public server I would like to know the risks of putting my php file there. To let you understand my concerns, you have to consider that this php file would contain a password and a username from an email account which would be used to send emails. I am wondering whether putting a php file like this on a web server is secure or not. What should be done in this kind of case? On the other hand there might be some way, which I am not aware of, to establish some protection for the password and username in this php file.

The code is the following one with some modifications for filling of the fields:
$from, $to, .... , $username, $password as you can see here:

<?php
// PEAR Mail example with the fields filled in (placeholder values)
require_once "Mail.php";

$from = "Sandra Sender <sender@example.com>";
$to = "Ramona Recipient <recipient@example.com>";
$subject = "Hi!";
$body = "Hi,\n\nHow are you?";

// SMTP connection settings; the account credentials are hard-coded here
$host = "ssl://mail.example.com";
$port = "465";
$username = "smtp_username";
$password = "smtp_password";

$headers = array('From' => $from,
                 'To' => $to,
                 'Subject' => $subject);

// Build an SMTP transport that authenticates with the credentials above
$smtp = Mail::factory('smtp',
    array('host' => $host,
          'port' => $port,
          'auth' => true,
          'username' => $username,
          'password' => $password));

$mail = $smtp->send($to, $headers, $body);

if (PEAR::isError($mail)) {
    echo("<p>" . $mail->getMessage() . "</p>");
} else {
    echo("<p>Message successfully sent!</p>");
}
?>

I would appreciate it if you told me what you know about this issue. Can I just upload the php file with the password and username written in it? Is it crazy? Or, on the contrary, is there any measure I must take to protect the password and username which would be written in this php file?
Thanks in advance

    People cannot view the PHP code in the source.

      The only way anyone would see the password would be, as far as I can see:

      • Somehow, your webserver gets misconfigured and no longer parses PHP files. Coincidentally, someone drooling over his/her keyboard too much just happens to try to visit the URL of the PHP script and is presented with the code in plain text.

      • You have a security hole in a different PHP script that includes other files, and a malicious hacker (knowing the path to this script) manages to display its contents (e.g. page.php?name=../../config/mail_password, and page.php does include $name . ".php").

      • Your domain is hosted in a shared hosting environment, and due to poor security a malicious user with an account on that same server manages to open .php files in your web directory.

      If you have a config file with nothing but PHP variable/constant declarations and whatnot, you could always consider moving it outside your website's root directory and including it from there; that would remove the possibility of the first situation described above happening. After that, it just comes down to a matter of securing down your other PHP scripts and the location that they are hosted.

        bradgrafelman wrote:

        The only way anyone would see the password would be, as far as I can see:

        • Somehow, your webserver gets misconfigured and no longer parses PHP files. Coincidentally, someone drooling over his/her keyboard too much just happens to try to visit the URL of the PHP script and is presented with the code in plain text.

        • You have a security hole in a different PHP script that includes other files, and a malicious hacker (knowing the path to this script) manages to display its contents (e.g. page.php?name=../../config/mail_password, and page.php does include $name . ".php").

        • Your domain is hosted in a shared hosting environment, and due to poor security a malicious user with an account on that same server manages to open .php files in your web directory.

        If you have a config file with nothing but PHP variable/constant declarations and whatnot, you could always consider moving it outside your website's root directory and including it from there; that would remove the possibility of the first situation described above happening. After that, it just comes down to a matter of securing down your other PHP scripts and the location that they are hosted.

        What other places to store this password and username do you suggest, to avoid the first possibility of the php file not being parsed? I just came up with these choices:
        1. taking this data from a database which I could add to my site
        2. taking this data from a file which might be positioned in a non-accessible directory of my site. Would this second option be possible?
        I look forward again to your opinion about these last ideas.
        Thanks for your comments.

          thosecars82 wrote:

          taking this data from a file which might be positioned in a non accessible directory of my site. Would this second option be possible?

          That's what I was suggesting; say the path to the root of your website is /home/users/mysite.com/htdocs/; you would place the PHP config file in /home/users/mysite.com/ (or perhaps a new directory within that home directory). In other words, it's inside your user directory on the server, but it's above the root of your website.
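An added example (not the original poster's code and not bradgrafelman's) of the layout described above: the script under htdocs pulls its SMTP credentials from a file one level above the web root. The paths /home/users/mysite.com/htdocs/ and /home/users/mysite.com/ are the ones from the post; the file name mail_config.php, the array keys and the credential values are assumptions.

```php
<?php
// /home/users/mysite.com/htdocs/sendmail.php  (added example, paths from the thread)
// Credentials live in /home/users/mysite.com/mail_config.php, one level ABOVE
// the web root, and that file just does:
//   <?php return array('host' => 'ssl://mail.example.com', 'port' => 465,
//                      'username' => 'smtp_username', 'password' => 'smtp_password');
// Nothing above htdocs/ has a URL, so even if the server stops parsing PHP and
// serves .php files as plain text, a browser cannot fetch the credentials.
require_once 'Mail.php';

// Resolve the config path relative to this file, not the working directory.
$configFile = dirname(__DIR__) . '/mail_config.php';

// Sanity checks before using the credentials: the file must exist and be
// readable, and must not resolve to a path under the document root.
$resolved = realpath($configFile);
$docRoot  = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($resolved === false || !is_readable($resolved)) {
    die('<p>Mail configuration is missing.</p>');   // generic message, no path leaked
}
if ($docRoot !== false && strpos($resolved, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    die('<p>Mail configuration must live outside the web root.</p>');
}
$config = require $resolved;   // 'require' returns the array from the config file

$from    = 'Sandra Sender <sender@example.com>';
$to      = 'Ramona Recipient <recipient@example.com>';
$headers = array('From' => $from, 'To' => $to, 'Subject' => 'Hi!');
$body    = "Hi,\n\nHow are you?";

$smtp = Mail::factory('smtp', array(
    'host'     => $config['host'],
    'port'     => $config['port'],
    'auth'     => true,
    'username' => $config['username'],
    'password' => $config['password'],
));
$result = $smtp->send($to, $headers, $body);

// Log the real PEAR error server-side; its text can include the host and
// account name, so the visitor only sees a generic line.
if (PEAR::isError($result)) {
    error_log('Mail send failed: ' . $result->getMessage());
    echo '<p>Message could not be sent.</p>';
} else {
    echo '<p>Message successfully sent!</p>';
}
```

Restrict mail_config.php so that only the account PHP runs as can read it (for example chmod 600), which also narrows the shared-hosting case from the list above.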

            bradgrafelman wrote:

            That's what I was suggesting; say the path to the root of your website is /home/users/mysite.com/htdocs/; you would place the PHP config file in /home/users/mysite.com/ (or perhaps a new directory within that home directory). In other words, it's inside your user directory on the server, but it's above the root of your website.

            Thanks
