Hi! I recently created a website that has a contact form that sends an email with the PHP Mailer class. I had to use my gmail account because I cannot get my LAMP server's SMTP protocol working... In my mail.php file, I display the password and account quite openly as such:


Now this file is externally linked to from the page using AJAX. How can I guarantee no one who knows the file exists can see it? Or specifically that they cannot see my password. I am new to encryption with web development. Any suggestions would be great! Is there some way to stop the file from being viewed except for when my AJAX function calls it? I have no idea what I should do. Any keywords to get me started? Thanks for your time!



This has little to do with encryption...

I think this question is about storing passwords in php files. The thing is, at some point you will have to store your mysql database username and password as plain text in a file.

The fact that it is served as a php file means that no-one should see it anyway, so security isn't an issue.

The problem only occurs if someone was to echo it out, so to prevent this you have to make sure that if you are allowing uploads, users shouldn't be able to upload php files.
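As an added example (not code from the thread), here is what that last point looks like in practice: an upload handler that refuses anything the web server would run as PHP, and stores what it accepts under a server-chosen name in a directory outside the document root. The field name "upload", the path /var/www/uploads, the size limit and the allowed-type table are assumptions for the example.

```php
<?php
// Added example (not from the thread): an upload handler that cannot be used
// to drop a .php file where the web server would execute it. Assumes the
// form field is named "upload" and that UPLOAD_DIR (hypothetical path) is
// outside the document root, so even a file that slipped through would be
// handed out by a download script, never executed as PHP.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // NOT under /var/www/html (assumed layout)
const MAX_BYTES  = 2 * 1024 * 1024;      // 2 MiB, an arbitrary limit for the example

// Allowed extensions, each tied to the MIME type the bytes must actually have.
const ALLOWED = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

/**
 * Decide whether an upload is acceptable. Returns the filename to store it
 * under, or null if it is rejected. $clientName is what the browser sent,
 * $tmpPath is the temporary file PHP wrote, $size its length in bytes.
 */
function validateUpload(string $clientName, string $tmpPath, int $size): ?string
{
    if ($size <= 0 || $size > MAX_BYTES) {
        return null;
    }

    // Only the LAST extension counts, lower-cased: "shell.php.jpg" -> "jpg",
    // "shell.jpg.php" -> "php" (rejected). The name is not trusted for anything else.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }

    // Check the content, not the name: a PHP script renamed to .png fails here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }

    // Server-chosen random name: the client-supplied name never reaches the disk,
    // so tricks like "x.php.jpg" or path separators in the name have no effect.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// ---- request handling ----
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['upload'])) {
    http_response_code(400);
    exit('no upload');
}

$f = $_FILES['upload'];
if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    http_response_code(400);
    exit('upload failed');
}

$stored = validateUpload((string)$f['name'], (string)$f['tmp_name'], (int)$f['size']);
if ($stored === null) {
    http_response_code(415);
    exit('file type not allowed');
}

if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
    http_response_code(500);
    exit('could not store file');
}

echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
```

Two caveats a practitioner would want: the MIME check stops a bare script but not a polyglot that starts with a valid image header, and Apache's AddHandler-style PHP configuration matches ".php" anywhere in a filename, not just at the end. Both are why the random server-side name and the directory outside the document root matter more than the extension check.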

Huh, I had no idea. PHP files are totally inaccessible from a browser? Interesting... Is that because it is executed server-side? Even so, they don't view it like you would view a CSS file? As plain text?


Well, you can try it yourself: click on your php file and right-click > view source. You should only be able to see the rendered html entities...

Any php variables will be hidden from the end user/client.

Of course this is to be expected as this is the whole purpose...

From a design POV, I guess you could argue that if someone gained access to your root on your server, having the passwords stored in plain text in your PHP might be an issue.

The best idea would then be to retrieve the passwords from a db where the passwords would be stored via two-way encryption. But then if that attacker obtained access to your server, he would probably know what your decryption key was as well.

The question you're asking is slightly different from the generic "store user passwords in a db" one...
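Both the first reply (the password has to sit in plain text in some file) and the design point just above (an attacker with access to the server reads it regardless, and a db with two-way encryption only moves the problem to the key) lead to the same practical layout: keep the credentials in a file outside the document root that only the web server user can read, and have mail.php load it rather than contain it. The following is an added example, not the mail.php from the question; it assumes PHPMailer 6 installed with Composer, a hypothetical /var/www/secrets/mail.ini, Gmail over STARTTLS on port 587, and that the AJAX call is a POST with name, email and message fields.

```php
<?php
// Added example (not from the thread): a contact-form mail.php whose SMTP
// credentials live OUTSIDE the document root instead of inside the script.
// Assumes PHPMailer 6 via Composer and an ini file at /var/www/secrets/mail.ini
// (hypothetical path) readable only by the web server user, e.g. owner root,
// group www-data, mode 0640, with this content (quote the password if it
// contains anything but letters and digits):
//
//   [smtp]
//   host = smtp.gmail.com
//   port = 587
//   user = you@gmail.com
//   pass = "app-specific-password"
//   to   = you@example.com
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

const SECRETS_FILE = '/var/www/secrets/mail.ini';   // not under /var/www/html

/**
 * Load the [smtp] section and refuse to run if the file sits somewhere a
 * browser could fetch it (inside DOCUMENT_ROOT) or is readable by everyone.
 */
function loadSmtpConfig(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('secrets file not found');
    }
    $root = realpath($docRoot);
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('secrets file must not be under the document root');
    }
    if ((fileperms($real) & 0004) !== 0) {          // "other" read bit set
        throw new RuntimeException('secrets file is world-readable');
    }
    $ini = parse_ini_file($real, true, INI_SCANNER_TYPED);
    if ($ini === false || !isset($ini['smtp'])) {
        throw new RuntimeException('secrets file is malformed');
    }
    return $ini['smtp'];
}

// Only the AJAX POST does any work; a GET of the URL returns 405 and nothing else.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

header('Content-Type: application/json');

$name    = trim((string)($_POST['name'] ?? ''));
$email   = trim((string)($_POST['email'] ?? ''));
$message = trim((string)($_POST['message'] ?? ''));

if ($name === '' || $message === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => 'invalid input']);
    exit;
}

try {
    $cfg  = loadSmtpConfig(SECRETS_FILE, (string)$_SERVER['DOCUMENT_ROOT']);
    $mail = new PHPMailer(true);                     // true = throw on failure
    $mail->isSMTP();
    $mail->Host       = (string)$cfg['host'];
    $mail->Port       = (int)$cfg['port'];
    $mail->SMTPAuth   = true;
    $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
    $mail->Username   = (string)$cfg['user'];
    $mail->Password   = (string)$cfg['pass'];

    // Send from the authenticated account; the visitor goes in Reply-To, so the
    // form cannot be used to put an arbitrary address in the From header.
    $mail->setFrom((string)$cfg['user'], 'Website contact form');
    $mail->addAddress((string)$cfg['to']);
    $mail->addReplyTo($email, $name);
    $mail->Subject = 'Contact form message';
    $mail->Body    = "From: $name <$email>\n\n$message";

    $mail->send();
    echo json_encode(['ok' => true]);
} catch (Exception | RuntimeException $e) {
    // Detail goes to the server log only; never echo credentials or SMTP
    // conversation back to the browser.
    error_log('contact form: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['ok' => false, 'error' => 'mail could not be sent']);
}
```

The point of the layout: if the PHP handler is ever misconfigured or disabled and mail.php is served as plain text, or a stray editor backup like mail.php~ is left beside it, the file that leaks contains only a path, not the password. It does not protect against an attacker who already has the web server's privileges, which is the limit the reply above describes.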

Ok, alright. Thanks for the information!

Yeah Phil, the server-side code is executed at the web server... doesn't matter if you are talking about PHP, ASP, ASP.NET, or ColdFusion. All of these technologies interpret the code and return HTML, which is what the browser is programmed to interpret. Right-click any web page you visit and view the source. Browsers don't know about the specifics of any server-side processing.

This is a good thing, otherwise you would have specific browsers for specific server-side code or have the need to distribute plug-ins. Then with those plug-ins you have to deal with updates, vulnerabilities, etc...

Well I'm glad to know that there is some ease in life! That makes this simpler. Thanks again!
