I am using the PHPMailer class to send email via my scripts.
The structure is as follows:
$mail = new PHPMailer;
$mail->IsSMTP(); // Set mailer to use SMTP
$mail->Host = 'myserver.com'; // Specify main and backup server
$mail->SMTPAuth = true; // Enable SMTP authentication
$mail->Username = '[email protected]'; // SMTP username
$mail->Password = 'user123'; // SMTP password
$mail->SMTPSecure = 'pass123';
It seems to me to be a bit of a security hole having the mailbox credentials in plain view. So I thought I might put these in an external file outside of the web root. My question is how would I then assign the $mail object these values?
I of course know how to use include and/or require... would it simply be a case of....
$mail->IsSMTP(); // Set mailer to use SMTP
$mail->Host = 'myserver.com'; // Specify main and backup server
$mail->SMTPAuth = true; // Enable SMTP authentication
include '../locationOutsideWebroot/emailCredentials.php';
$mail->SMTPSecure = 'pass123';
Then emailCredentials.php:
<?php
$mail->Username = '[email protected]';
$mail->Password = 'user123';
?>
Would this be sufficient and secure enough?
Thanks,
Alan.
I believe that your credentials should be stored in a configuration file (INI or JSON) outside the webroot. Since the protocol requires the raw credentials, that is the most secure approach. Also, don't forget to set proper access permissions on the configuration file.
Small example:
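<?php
// Parse the INI file stored outside the web root; true keeps the [section] grouping.
$config = parse_ini_file('/var/app/config.ini', true);
if ($config === false) {
    throw new RuntimeException('Unable to read the mail configuration file');
}
// PHPMailer
$mail->Username = $config['email']['username'];
$mail->Password = $config['email']['password'];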
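The answer's two points (config file outside the web root, restricted file permissions) enforced at load time, as an added example that is not code from either post. `loadMailCredentials()` is a hypothetical helper; the demo paths, sample values and the 0027 permission mask are assumptions for a POSIX host.

```php
<?php
// Added example, not code from the posts above. loadMailCredentials() and the
// demo paths are hypothetical; the permission check assumes a POSIX host.

function loadMailCredentials(string $path, string $webRoot): array
{
    $real = realpath($path);
    $root = realpath($webRoot);
    if ($real === false || !is_file($real) || $root === false) {
        throw new RuntimeException('Config file or web root not found');
    }

    // A file under the document root can be requested by URL and may be served as text.
    if (strpos($real, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Config file is inside the web root');
    }

    // Refuse group-writable or world-accessible files (0644, 0666, ...);
    // 0600 or 0640 owned by the PHP user/group passes.
    clearstatcache(true, $real);
    $mode = fileperms($real) & 0777;
    if (($mode & 0027) !== 0) {
        throw new RuntimeException(sprintf('Config file mode %04o is too permissive', $mode));
    }

    // INI_SCANNER_RAW keeps values such as "on" or "null" as literal strings.
    $config = parse_ini_file($real, true, INI_SCANNER_RAW);
    foreach (['username', 'password'] as $key) {
        if (!isset($config['email'][$key]) || $config['email'][$key] === '') {
            throw new RuntimeException("Missing [email] $key in config");
        }
    }
    return $config['email'];
}

// Demo with a constructed config file; __DIR__ stands in for the web root.
$file = tempnam(sys_get_temp_dir(), 'mailcfg');
file_put_contents($file, "[email]\nusername = mailer@example.com\npassword = constructed-secret\n");
chmod($file, 0600);
$creds = loadMailCredentials($file, __DIR__);
echo 'Loaded credentials for ', $creds['username'], PHP_EOL;
// With PHPMailer: $mail->Username = $creds['username']; $mail->Password = $creds['password'];

chmod($file, 0644);   // world-readable: the loader must now refuse the file
try {
    loadMailCredentials($file, __DIR__);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
unlink($file);
```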