[SOLVED] SECURITY: password & username (email) in php file.

Hello there
Question
I have just tested successfully the PEAR Mail package from http://email.about.com/od/emailprogramm … 073006.htm to send an email.
Nevertheless, before uploading any code like this to a public server I would like to know the risks of putting my php file there. To let you understand my concerns, you have to consider that this php file would contain a password and a username from an email which would be used to send emails. I am wondering whether putting a php file like this on a web server is secure or not. What should be done in this kind of case? On the other hand there might be some way, which I am not aware of, to establish some protection for the password and username from this php file.

The code is the following one with some modifications for filling of the fields:
$from, $to, … , $username, $password as you can see here:

<?php
// PEAR Mail package
require_once "Mail.php";

// Message fields
$from = "Sandra Sender <[email protected]>";
$to = "Ramona Recipient <[email protected]>";
$subject = "Hi!";
$body = "Hi,\n\nHow are you?";

// SMTP server and the credentials this thread is about
$host = "ssl://mail.example.com";
$port = "465";
$username = "smtp_username";
$password = "smtp_password";

$headers = array ('From' => $from,
  'To' => $to,
  'Subject' => $subject);
// Build an authenticated SMTP mailer
$smtp = Mail::factory('smtp',
  array ('host' => $host,
    'port' => $port,
    'auth' => true,
    'username' => $username,
    'password' => $password));

$mail = $smtp->send($to, $headers, $body);

// send() returns a PEAR_Error object on failure
if (PEAR::isError($mail)) {
  echo("<p>" . $mail->getMessage() . "</p>");
} else {
  echo("<p>Message successfully sent!</p>");
}
?>

I would appreciate it if you told me what you know about this issue. Can I just upload the php file with the password and username written in it? Is it crazy? Or, on the contrary, is there any measure I must take to protect the password and username which would be written in this php file?
Thanks in advance

Mod Edit: Added CODE tags

I put the “Sensitive” Information in a file which is OUTSIDE of the normal directory for the webserver.
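An example might be:

<?php
// Full "<?php" tag: if short_open_tag is off, a file opening with "<?" is
// printed as plain text when it is included.
$username = "MyUser";
$password = "MyPassword";
?>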

Then I set the permissions so that the webserver user (in my case Apache) has read-only permissions. I then include the file in the appropriate document (usually by the full path).

<?php

// Absolute path to the credentials file kept outside the web root
include ('/home/user/password.php');
// Other PHP Code 

?>

As long as you are parsing PHP you should be safe. However, be aware that anyone with root access to the system could still view the file in a text editor (unless you host it yourself… this is unavoidable), but as far as it getting compromised, this would be safer. Even if there is an exploit, a user would have to know the exact name of the file and location. Since it’s kept outside of the normal public_html directory, it makes it that much harder.

To add a final level you could even use some odd file names that make it harder to guess, such as naming the “included” file something like 1kbe8Jsdr8J46411xcnaH.php.

Hope this makes sense
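
The placement and permission steps from the answer above, as an added shell check that is not part of the original thread: it flags a credentials file that sits under the document root, is accessible to other users or group-writable, or does not open with a full `<?php` tag (with `short_open_tag` off, an included `<?` file is emitted as plain text). The function name, the finding labels and the exact permission policy are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a PHP credentials file against the
# answer's advice. Function name and finding labels are made up for this sketch.

# Print the physical (symlink-free) directory that contains a path.
real_dir() {
    ( cd "$(dirname "$1")" 2>/dev/null && pwd -P )
}

# audit_secret_file FILE DOCROOT
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_secret_file() {
    file=$1 docroot=$2 findings=0

    [ -f "$file" ] || { echo "MISSING: $file"; return 2; }
    dir=$(real_dir "$file") || return 2
    root=$( cd "$docroot" 2>/dev/null && pwd -P ) || { echo "MISSING: $docroot"; return 2; }

    # 1. The file must live outside the directory tree the web server publishes.
    case "$dir/" in
        "$root"/*) echo "INSIDE_DOCROOT: $dir is under $root"; findings=1 ;;
    esac

    # 2. Read the mode string from ls (e.g. -rw-r-----). Assumed policy: no
    #    access for "other", no write for group, so the web server can only read.
    mode=$(ls -ld "$file" | cut -c1-10)
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)
    case "$other" in
        ---) ;;
        *) echo "WORLD_ACCESS: other=$other"; findings=1 ;;
    esac
    case "$group" in
        ?w?) echo "GROUP_WRITABLE: group=$group"; findings=1 ;;
    esac

    # 3. The file must open with a full <?php tag, otherwise an include can
    #    print it verbatim when short_open_tag is off.
    head -n 1 "$file" | grep -q '^<?php' ||
        { echo "NO_PHP_OPEN_TAG: first line is not <?php"; findings=1; }

    return "$findings"
}

# Command-line use: sh audit.sh /home/user/password.php /home/user/public_html
if [ "$#" -eq 2 ]; then audit_secret_file "$1" "$2"; fi
```
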

Thanks for your effective reply.
