PHP - Using phpmailer passwords

Asked

Viewed 34 times

0

Working with php Mailer, a question has arisen regarding the use of passwords. I am developing a page with form, and I wanted to know if it is safe to put the email password in the email class itself, or send the password from the form page through the constructor method, or create a file. ini with the credentials.

Email class:


<?php

class Email
{

    private $mailer;

    public function __construct($host,$username,$senha,$name)
    {

        $this->mailer = new PHPMailer;
        
        $this->mailer->isSMTP();  // telling the class to use SMTP
        $this->mailer->SMTPAuth   = true; // SMTP authentication
        $this->mailer->Host       = $host; // SMTP server
        $this->mailer->Port       = 465; // SMTP Port
        $this->mailer->SMTPSecure       = 'ssl'; 
        $this->mailer->Username   = $username; // SMTP account username
        $this->mailer->Password   = $senha;       // SMTP account password
        
        $this->mailer->SetFrom($username, $name); // FROM
        $this->mailer->isHTML = (true);
    }

}

1 answer

2


It is partially safe, there is only one possibility of password leak in PHP scripts, it is if some debug that shows the source is on, but this would not fail to have put the password in the class and yes to have left the debug on, as for example if Xdebug is connected on your server (I have found many servers with this connected):

variaveis expostas

Note that in this example (in a wordpress) where the fault occurred the variables in the scope were exposed.

In certain frameworks also has debug system itself, if the debug is on will in case of error will issue something like:

Laravel 8

See what part of the code is exposed.

Note that this is not the fault of Xdebug or frameworks, because in production (on your server) none of this should be on, ever. Debug mode should be used only in development environment and eventually in "type approval".

In short, two conditions are required to expose something of the code, either the password or the code itself:

  • Debug mode on (whatever)
  • Have an error in the script

Otherwise it is unlikely that the password will be exposed, yet putting the password in the middle of the code can be difficult to maintain, since you will need to edit the code if the password changes, so isolating settings in other files can be easy, no need to be one . ini, can be a . php like this:

<?php
return [
    'foo' => 'bar',
    'smtp_server' => 'smtp.foo.com',
    'smtp_port' => 465,
    'smtp_user' => '[email protected]',
    'smtp_pass' => 'teste',
];

And with Return when making a require ...; in your script you will have:

    $this->mailer = new PHPMailer;

    $configs = require 'config/smtp.php';
    
    $this->mailer->isSMTP();  // telling the class to use SMTP
    $this->mailer->SMTPAuth   = true; // SMTP authentication
    $this->mailer->Host       = $configs['smtp_server']; // SMTP server
    $this->mailer->Port       = $configs['smtp_port']; // SMTP Port
    $this->mailer->SMTPSecure = 'ssl';
    $this->mailer->Username   = $configs['smtp_user']; // SMTP account username
    $this->mailer->Password   = $configs['smtp_pass']; // SMTP account password

Now I’m going to talk something about your code in general, I see no point in creating another class just to put a class in, OOP was not created to make things prettier, was created to be used when needed, the new PHPMailer is already a class, create another just to play it all in doesn’t necessarily make things simpler, it would be easier to create just a basic function:

function send_mail($destinatario, $assunto, $conteudo)
{
    $mailer = new PHPMailer;

    $configs = require 'config/smtp.php';
    
    $mailer->isSMTP();  // telling the class to use SMTP
    $mailer->SMTPAuth   = true; // SMTP authentication
    $mailer->Host       = $configs['smtp_server']; // SMTP server
    $mailer->Port       = $configs['smtp_port']; // SMTP Port
    $mailer->SMTPSecure = 'ssl';
    $mailer->Username   = $configs['smtp_user']; // SMTP account username
    $mailer->Password   = $configs['smtp_pass']; // SMTP account password
    
    $mailer->SetFrom($username, $name); // FROM
    $mail->addAddress($destinatario);
    $mailer->isHTML = $conteudo;

    return $mailer;
}

Browser other questions tagged

You are not signed in. Login or sign up in order to post.