
PHPMailer password security



I'm using PHPMailer to send email from a contact form using Gmail SMTP, which requires including the SMTP password directly in the PHP script, like so:

$mail->Password = 'mypassword';

According to what I've found on the net, it seems that it's not recommended since the password can be easily hacked. Thus, I'm wondering how to protect my password. I've found people recommending to put the password in an INI file outside the webroot and then to retrieve it using the parse_ini_file() function.

My problem is that I'm not sure I understand the "outside the webroot" part… if anyone could explain this to me and how to do it, it would be much appreciated. Also, should I protect the INI file with a .htaccess?


Edited by Junitar


The web root is the folder on the server which contains your website. It could be called "www", "htdocs", "html" or a variety of other names. Anything inside that folder can be accessed through HTTP with a URL. If the file is outside the web root, you won't need htaccess to protect it because it's already inaccessible.


Thanks for your reply. If I understand correctly, all I have to do to protect my Gmail password and username once my site is ready to go online is to organize my folders on the server that hosts my website like so:


      |                   |
iniFilesFolder   websiteFilesFolder
      |             ______|___________________
      |            |             |            |
  file.ini      index.php    contact.php    ….php


and then retrieve my password by adding the following lines in my PHP script:

$ini = parse_ini_file('/myMainFolder/iniFilesFolder/file.ini', true);

$mail->Username = $ini['email']['username'];
$mail->Password = $ini['email']['password'];


With the file.ini being something like:

; parse_ini_file(..., true) returns keys grouped by section name
[email]
username = myUsername
password = myPassword


Is that correct?

Edited by Junitar


The only way that password would be compromised is if you're on a shared server with poor security, where other accounts on the same server can read your files.  If the server is configured correctly then that wouldn't be possible, but if it's not configured correctly then using a .ini file probably isn't going to fix anything.  

But yeah, the structure you show is what you're trying to describe.

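Added example, not part of any post in this thread: one way to load the credentials discussed above while checking the two conditions the replies mention, that the INI file really sits outside the web root and that other accounts on a shared server cannot read it. load_mail_credentials() is a hypothetical helper, the temporary folders are constructed to mirror the diagram, and the permission check assumes a POSIX host.

```php
<?php
// Added example; load_mail_credentials() is a hypothetical helper, not PHPMailer API.
declare(strict_types=1);

function load_mail_credentials(string $iniPath, string $webRoot): array
{
    $ini  = realpath($iniPath);   // resolves symlinks and "../"
    $root = realpath($webRoot);
    if ($ini === false || $root === false) {
        throw new RuntimeException('INI file or web root not found');
    }
    // Refuse a file whose real path lies inside the web root.
    if (strncmp($ini, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        throw new RuntimeException('INI file is inside the web root');
    }
    // On a shared host, a world-readable file can be read by other accounts.
    $perms = fileperms($ini);
    if ($perms !== false && ($perms & 0004) !== 0) {
        throw new RuntimeException('INI file is world-readable; use chmod 600 or 640');
    }
    // RAW mode keeps values such as "off", "null" or "${X}" literal.
    $data = parse_ini_file($ini, true, INI_SCANNER_RAW);
    if ($data === false || !isset($data['email']['username'], $data['email']['password'])) {
        throw new RuntimeException('Missing [email] section or keys');
    }
    return [$data['email']['username'], $data['email']['password']];
}

// Constructed demo layout mirroring the folder diagram in the thread.
$base = sys_get_temp_dir() . '/myMainFolder_' . bin2hex(random_bytes(4));
mkdir("$base/iniFilesFolder", 0700, true);
mkdir("$base/websiteFilesFolder", 0755, true);
$iniFile = "$base/iniFilesFolder/file.ini";
file_put_contents($iniFile, "[email]\nusername = myUsername\npassword = myPassword\n");
chmod($iniFile, 0600);

[$user, $pass] = load_mail_credentials($iniFile, "$base/websiteFilesFolder");
echo "Loaded credentials for $user\n"; // never echo or log the password itself
// In the contact script: $mail->Username = $user; $mail->Password = $pass;

// The same file copied under the web root is rejected.
copy($iniFile, "$base/websiteFilesFolder/file.ini");
try {
    load_mail_credentials("$base/websiteFilesFolder/file.ini", "$base/websiteFilesFolder");
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```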
