
PHPMailer password security




I'm using PHPMailer to send email from a contact form using Gmail SMTP, which requires including the SMTP password directly in the PHP script like so:

$mail->Password = 'mypassword';

According to what I've found on the net, it seems that this is not recommended since the password can be easily hacked. Thus, I'm wondering what to do to protect my password. I've found people recommending putting the password in an INI file outside the webroot and then retrieving it using the parse_ini_file() function.

My problem is that I'm not sure I understand the "outside the webroot" part… if anyone could explain this to me and how to do it, it would be much appreciated. Also, should I protect the INI file with a .htaccess?


Edited by Junitar

The web root is the folder on the server which contains your website. It could be called "www", "htdocs", "html" or a variety of other names. Anything inside that folder can be accessed through HTTP with a URL. If the file is outside the web root, you won't need htaccess to protect it because it's already inaccessible.


Thanks for your reply. If I understand correctly, all I have to do to protect my Gmail password and username once my site is ready to go online is to organize my folders on the server that hosts my website like so:


                myMainFolder
       ___________|___________
      |                       |
 iniFilesFolder        websiteFilesFolder
      |             ______________|___________________
      |            |              |            |
   file.ini     index.php     contact.php    ….php


and then retrieve my password by adding the following lines in my PHP script:

$ini = parse_ini_file('/myMainFolder/iniFilesFolder/file.ini', true);

$mail->Username = $ini['email']['username'];
$mail->Password = $ini['email']['password'];


With the file.ini being something like (the [email] section header is needed, since the script reads $ini['email'] with sections enabled):

[email]
username = myUsername
password = myPassword


Is that correct?

Edited by Junitar

The only way that password would be compromised is if you're on a shared server with poor security, where other accounts on the same server can read your files.  If the server is configured correctly then that wouldn't be possible, but if it's not configured correctly then using a .ini file probably isn't going to fix anything.  

But yeah, the structure you show is what you're trying to describe.

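As an added example (not code from either poster), the credential loading described above with the two checks this thread implies: the INI file must not resolve to a path under the document root, and on a shared host it must not be readable by other accounts. The path '/myMainFolder/iniFilesFolder/file.ini' is taken from the thread; the function name and the 0600 mode expectation are assumptions.

```php
<?php
// Added example: load SMTP credentials from an INI file kept outside the
// web root, refusing to start if the file is exposed or group/world-readable.
// The path and section layout follow the thread; the checks are assumptions.

declare(strict_types=1);

function loadSmtpCredentials(string $iniPath, string $webRoot): array
{
    // 1. The file must not live under the document root: a raw .ini there
    //    would be served as plain text to anyone who guesses its URL.
    $real = realpath($iniPath);
    $root = realpath($webRoot);
    if ($real === false) {
        throw new RuntimeException("Credential file not found: $iniPath");
    }
    if ($root !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("Credential file is inside the web root: $real");
    }

    // 2. On a shared host, the group/other read bits are what let another
    //    account read the secret. Expect owner-only access (0600 or 0400).
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            'Credential file %s has mode %04o; expected owner-only (0600)', $real, $mode
        ));
    }

    // 3. Parse with sections enabled so the [email] block maps to $ini['email'].
    $ini = parse_ini_file($real, true, INI_SCANNER_RAW);
    if ($ini === false || !isset($ini['email']['username'], $ini['email']['password'])) {
        throw new RuntimeException('Credential file is missing [email] username/password');
    }
    return [
        'username' => (string) $ini['email']['username'],
        'password' => (string) $ini['email']['password'],
    ];
}

// Usage with PHPMailer (paths assumed; adjust to the host's layout):
// $creds = loadSmtpCredentials('/myMainFolder/iniFilesFolder/file.ini', $_SERVER['DOCUMENT_ROOT']);
// $mail->Username = $creds['username'];
// $mail->Password = $creds['password'];
```

If the password contains characters such as ; = or spaces, put the value in double quotes in the INI file, otherwise parse_ini_file() will truncate or reject it.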