
I'm using phpmailer, and to use it you have to set $mail->password.

I worry that my password is going to be accessible by hackers. Do I need to do something to protect it? I could put the password in the class file which is in a certain directory. Would that be secure? If I password protect that directory would the php script be able to access it?

Please excuse my ignorance on the subject!

  • Pretty simple: anyone who can read the file can read your password. It *is* a very very bad idea to use services that require you to store plaintext passwords. Prefer some that ask for the password or integrate with your OS's built-in password manager (if you don't have one, time to switch to a better OS too! ;-) ). – Steve Dodier-Lazaro Apr 29 '15 at 18:36

1 Answer

Passwords do not ever belong in source code, triply so for source code that is ever committed to a VCS. Anyone who has or has ever had access to the file has the password, including contractors, former employees, any VCS hosting service you use, etc.

The simple answer is: retrieve the value from a configuration file (that is not stored in your repository) or, better, from an environment variable.

Stephen Touset
  • note that the value should be encrypted in the configuration file... – AviD Apr 29 '15 at 23:17
  • To what end? Whatever accesses this configuration file must also have access to the key that decrypts it, gaining you little. If anyone gets access to this file as the app user or root, they'll have access to the password no matter what you do. – Stephen Touset Apr 29 '15 at 23:21
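The two options in the answer, an environment variable first and a config file outside the web root as the fallback, written out as an added example; this is not code from the answer or from the PHPMailer project. It assumes PHPMailer 6 installed through Composer, and the file path `/etc/myapp/smtp.php` and the variable name `SMTP_PASSWORD` are hypothetical. The permission check is the practical protection the comments above point at: if other accounts on the host can read the file, they have the password, and encrypting the value inside the file would not change that because the key would have to sit beside it.

```php
<?php
// Added example, not part of the original answer or of PHPMailer.
// Reads the SMTP password from the environment, or from a PHP config file
// kept outside DocumentRoot and out of version control, and refuses a
// config file that other users on the host can read.
//
// Hypothetical names: SMTP_CONFIG_FILE path, SMTP_PASSWORD variable.

declare(strict_types=1);

const SMTP_CONFIG_FILE = '/etc/myapp/smtp.php'; // hypothetical path, outside the web root

/**
 * Return the SMTP password, preferring the environment over a config file.
 * Throws rather than silently continuing with an empty password.
 */
function load_smtp_password(string $configFile = SMTP_CONFIG_FILE): string
{
    // 1. Environment variable, e.g. set in the php-fpm pool config or the
    //    systemd unit (not in .htaccess, which other vhosts may be able to read).
    $fromEnv = getenv('SMTP_PASSWORD');
    if ($fromEnv !== false && $fromEnv !== '') {
        return $fromEnv;
    }

    // 2. Config file outside the web root and excluded from the repository.
    if (!is_file($configFile)) {
        throw new RuntimeException(
            "SMTP password not set: no SMTP_PASSWORD variable and no $configFile"
        );
    }

    // Anyone who can read the file has the password, so refuse a file that is
    // group- or world-readable instead of quietly using it. (This check is
    // meaningful on Unix-like hosts; Windows ACLs are not reflected here.)
    $perms = fileperms($configFile) & 0777;
    if (($perms & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            '%s is readable by other users (mode %04o); fix with: chmod 600 %s',
            $configFile, $perms, $configFile
        ));
    }

    // The file is plain PHP returning an array, so even if it were mistakenly
    // placed under the web root the server would execute it, not serve it:
    //     <?php return ['smtp_password' => 'app-specific-password'];
    $config = require $configFile;
    if (!is_array($config) || empty($config['smtp_password'])) {
        throw new RuntimeException("$configFile does not define 'smtp_password'");
    }
    return (string) $config['smtp_password'];
}

// Usage with PHPMailer 6 via Composer (assumed); only the password line differs
// from the usual setup. The property is Password, with a capital P.
require __DIR__ . '/vendor/autoload.php';

$mail = new PHPMailer\PHPMailer\PHPMailer(true);
$mail->isSMTP();
$mail->Host       = 'smtp.example.com';
$mail->Port       = 587;
$mail->SMTPSecure = 'tls';
$mail->SMTPAuth   = true;
$mail->Username   = 'app@example.com';
$mail->Password   = load_smtp_password();
```

Add the config file's path to `.gitignore` (or keep it outside the checkout entirely, as in the example) so it never reaches the repository, and create it with `chmod 600` owned by the account PHP runs as. On a shared host where you cannot control file ownership, the environment-variable route set in the pool or unit configuration is the one to prefer.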