1

I've searched around for this answer, and have found a few "solutions", but I don't think I quite understand how to accomplish this. I just finished a query-mobile site that has 11 different PHP files for mailing form submittals. This being my first mobile "site", I wasn't too concerned with security at first, more functionality. Well, now that everything is functioning properly, I need to worry about locking it down. Those 11 PHP files are located in the same directory as all of my HTML files, and they contain the SMTP creds for submitting the email. Some of the solutions I've found say to locate those files outside of the webroot, but how would I reference them in my form action? Does this mean that I should just create a subfolder under the root and place them there and reference them instead of

<form method="post" action="bp-mail.php" enctype="multipart/form-data" data-ajax="false">

but now like

<form method="post" action="/scripts/bp-mail.php" enctype="multipart/form-data" data-ajax="false">

...or do they need to be located in a directory "above" the root in the webserver? If a subfolder is where they should go, what type of permissions should I place on the directory to allow the html pages to still call them, but not allow someone with some site-ripping software from grabbing them? If above the root, how should the path syntax be in the the form code?

daniula
  • 6,898
  • 4
  • 32
  • 49
ClevelandITGuy
  • 25
  • 4
  • above webroot is a good idea. Example: site sits at /home/user/public_html keep your credentials files at /home/user – TecBrat Jul 15 '14 at 20:18
  • I've actually installed PHP on a Windows (IIS7) web server (is that faux pas?), so the site sits at D:\Website\wwwroot\Mobile\ so I'm thinking I should store a creds file in D:\Website\ and possibly parse it as suggested below? – ClevelandITGuy Jul 15 '14 at 20:39
  • Yes, that seems right, and no, I don't think it's a faux pas to use PHP on Windows. You just have to be aware of a few OS specific differences. (I don't know anything about IIS though.) – TecBrat Jul 15 '14 at 20:49

1 Answers1

1

There are two types of file. Those that are interacted with directly (you load them in the URL, they run on the server, then they show you a response), and those you include from other files.

By the looks of things, bp-mail.php is a file you interact with directly.

This file should not contain your credentials.

If - for some crazy reason - Apache stopped parsing that file as PHP and defaulted to plain-text as it can do (happened to Facebook once) then people would just see your passwords.

Not cool.

Put that file outside of the web route, and use $config = require(dirname(__DIR__).'/config.php'); or something simple like that to include the file, then just reference the variables in that file.

That config file could look like this:

<?php 

return [
    'smtp' => [
        'username' => '',
        'password' => '',
    ],
];

Then in bp-mail.php you can use $config['smtp']['username'];, and if anyone sees that in plain text then who cares.

Phil Sturgeon
  • 30,637
  • 12
  • 78
  • 117
  • 1
    Oh, that worked perfectly (after debugging some permissions issues on the "config.php" file). I even added the To and From email addresses to that config file to keep them out of the hands of skimmers/spammers. THAT, my friend, is what I'm talkin' 'bout...many many thanks! – ClevelandITGuy Jul 15 '14 at 21:12