securing include files

[whitt]

I've just gotten back into re learning web development, I have created a contact form however my server is forcing me to use SMTP which will require me to have a config include with my details inside. How do I ensure nobody can open the files in the browser? I have heard of putting the files outside of the webroot or using htaccess files however the passive aggressive answers I got from stack over flow didn't tell me HOW to implement them.

 

The files are

Form.HTML

Bin/config.php

Bin/mail.php

 

Any help is appreciated.

[deathbeam]

If you are not echoing your configuration from config.php and mail.php, then it is safe. When users will open config.php they will see blank page.

[Jacques1]

What's the goal of hiding the files? As deathbeam already said, the PHP scripts shouldn't output anything at all, which means there's nothing to hide. And the form is already public, isn't it?

 

The only reason for why you would hide the files is if you insist on a clean API: You don't want “dead” resources which can be accessed with a URL but have no content. In that case, simply store the internal scripts somewhere outside of the document root and adjust the file paths of your include statements. So instead of assuming that all scripts are in the same directory, you'd have to move some directories up.

[whitt]

so im safe to put it in public_html/includes?

[Jacques1]

You can answer that yourself – in fact, you're the only one who can answer it, because we don't know your site.

 

What happens when you request the scripts? 

[whitt]

Applogies , basically im just attempting to adapt the attached script to use SMTP as my server doesnt support phpmail

contact_me.php

[Jacques1]

I don't see how that answers the question.

 

What I do see, though, is that the script has no security whatsoever and basically allows anybody to use your server as an open mail relay for arbitrary messages. If the spammers find this, your server will be blacklisted in no time, and hosters usually don't find that very funny.

 

The mail() function is generally the worst possible choice, because it's a low-level feature for experts. If I understand you correctly, you used PHPMailer before (which is a much better idea). What's wrong with that?

[whitt]

I only used the mail function due to the tutorial i followed , im in the process of relearning everything so sorry if im slow.

[whitt]

I did read this http://www.9lessons.info/2009/10/send-mail-using-smtp-and-php.html but im not sure how to adapt my form

[Jacques1]

Don't use random code you found somewhere on the Internet. Most of it is crap, and that one is no exception. The part about zero security applies here as well.

 

Again: What makes you think that your server doesn't support PHPMailer? This is by far the best solution, and it supports many different PHP versions and many different scenarios. It makes much more sense to figure out this problem rather than jump to some nonsense script from 2009.

Edited September 8, 2014 by Jacques1

[whitt]

The 9lessons link was the only answer i could get out of my server host who i emailed about using SMTP. I understand where you are coming from i will not do this in future. How would i adapt php mailer into my existing code? 

[whitt]

The continued help is appreciated. 

[Jacques1]

It's difficult to make sense of this all.

 

After reading it again, it seems your problem is that you're not allowed to use the mail() function and now look for an alternative way of sending mails. Is this true? In that case, you need access to an external mail relay (e. g. a Gmail account). Do you have that?

[whitt]

It's difficult to make sense of this all.

 

After reading it again, it seems your problem is that you're not allowed to use the mail() function and now look for an alternative way of sending mails. Is this true? In that case, you need access to an external mail relay (e. g. a Gmail account). Do you have that?

Yes this is the problem , i am currently using a gmail account.sorry if im not making much sense i am unable to describe things very well.

[Jacques1]

There's an example for using external SMTP servers on the PHPMailer page. Download the library, include it as explained in the README and then enter your Gmail credentials like in the example.

[whitt]

And this can take my JSON data and use it like my original script does then send it?

[Jacques1]

JSON data? I see no JSON data in your script.

[whitt]

JSON data? I see no JSON data in your script.

Oh i think i know why its been confusing.

 

It didnt attach my JS file 

 

/*

  Jquery Validation using jqBootstrapValidation

   example is taken from jqBootstrapValidation docs 

  */

$(function() {

 

 $("input,textarea").jqBootstrapValidation(

    {

     preventSubmit: true,

     submitError: function($form, event, errors) {

      // something to have when submit produces an error ?

      // Not decided if I need it yet

     },

     submitSuccess: function($form, event) {

      event.preventDefault(); // prevent default submit behaviour

       // get values from FORM

       var name = $("input#name").val();  

       var email = $("input#email").val(); 

       var message = $("textarea#message").val();

       var subject = $("select#subject").val(); 

        var firstName = name; // For Success/Failure Message

           // Check for white space in name for Success/Fail message

        if (firstName.indexOf(' ') >= 0) {

  firstName = name.split(' ').slice(0, -1).join(' ');

         }        

$.ajax({

                url: "./bin/contact_me.php",

            type: "POST",

            data: {name: name, email: email, message: message, subject: subject},

            cache: false,

            success: function() {  

            // Success message

              $('#success').html("<div class='alert alert-success'>");

              $('#success > .alert-success').html("<button type='button' class='close' data-dismiss='alert' aria-hidden='true'>×")

            .append( "</button>");

             $('#success > .alert-success')

            .append("<strong>Your message has been sent. </strong>");

   $('#success > .alert-success')

  .append('</div>');

     

   //clear all fields

   $('#contactForm').trigger("reset");

       },

    error: function() {

  // Fail message

  $('#success').html("<div class='alert alert-danger'>");

            $('#success > .alert-danger').html("<button type='button' class='close' data-dismiss='alert' aria-hidden='true'>×")

            .append( "</button>");

            $('#success > .alert-danger').append("<strong>Sorry "+firstName+" it seems that my mail server is not responding...</strong> Could you please email me directly to <a href='mailto:me@example.com?Subject=Message_Me from myprogrammingblog.com'>me@example.com</a> ? Sorry for the inconvenience!");

         $('#success > .alert-danger').append('</div>');

  //clear all fields

  $('#contactForm').trigger("reset");

     },

           })

         },

         filter: function() {

                   return $(this).is(":visible");

         },

       });

 

      $("a[data-toggle=\"tab\"]").click(function(e) {

                    e.preventDefault();

                    $(this).tab("show");

        });

  });

 

 

/*When clicking on Full hide fail/success boxes */ 

$('#name').focus(function() {

     $('#success').html('');

  });

[Jacques1]

There's still no JSON data anywhere.

 

I guess your actual question is whether you can call your e-mail script with Ajax. Yes. Everything works like before, the only difference is that you replace the mail() function with PHPMailer.

[whitt]

Ok Thanks i confused AJAX with json sorry i dont know why i said JSON

[Richard_Grant]

set the configuration details in a .htaccess as an environment variable. 

I made the text really big because that's what you should be doing. ALWAYS with sensitive information.

[whitt]

set the configuration details in a .htaccess as an environment variable. 

I made the text really big because that's what you should be doing. ALWAYS with sensitive information.

 can i use both php mailer an this? 

[Jacques1]

Using big blue letters doesn't increase the credibility of your replies.

 

So please don't. I think we can talk without a loudspeaker here.

 

I'd actually argue that your .htaccess files are less secure than simply keeping the credentials in a PHP configuration script:

• You put the sensitive data where people don't expect it (like the $_SERVER array). As a result, they may fail to protect the credentails.
• You automatically make the data available to every single script within the scope of the .htaccess file, which is entirely unnecessary and again increases the risk of leaking the credentials. Only the scripts which actually need the data should include it.

Storing credentials in PHP scripts is perfectly fine and by far the simplest approach. If you want to go against that, you need better arguments than the size of your letters.

[whitt]

So can php mailer take post variables?

[Jacques1]

PHPMailer works like any other PHP class, so you can use variables, constants, functions or whatever.

 

Just try it. If you have concrete issues, post your code.