whitt Posted September 8, 2014

I've just gotten back into relearning web development. I have created a contact form; however, my server is forcing me to use SMTP, which will require me to have a config include with my details inside. How do I ensure nobody can open the files in the browser? I have heard of putting the files outside of the webroot or using .htaccess files; however, the passive-aggressive answers I got from Stack Overflow didn't tell me HOW to implement them. The files are:

    Form.HTML
    Bin/config.php
    Bin/mail.php

Any help is appreciated.

Thread: https://forums.phpfreaks.com/topic/290927-securing-include-files/
deathbeam Posted September 8, 2014

If you are not echoing your configuration from config.php and mail.php, then it is safe. When users open config.php they will see a blank page.
Jacques1 Posted September 8, 2014

What's the goal of hiding the files? As deathbeam already said, the PHP scripts shouldn't output anything at all, which means there's nothing to hide. And the form is already public, isn't it?

The only reason why you would hide the files is if you insist on a clean API: you don't want "dead" resources which can be accessed with a URL but have no content. In that case, simply store the internal scripts somewhere outside of the document root and adjust the file paths of your include statements. So instead of assuming that all scripts are in the same directory, you'd have to move some directories up.
whitt Posted September 8, 2014 (Author)

So I'm safe to put it in public_html/includes?
Jacques1 Posted September 8, 2014

You can answer that yourself. In fact, you're the only one who can answer it, because we don't know your site. What happens when you request the scripts?
whitt Posted September 8, 2014 (Author)

Apologies. Basically I'm just attempting to adapt the attached script to use SMTP, as my server doesn't support PHP mail. (Attachment: contact_me.php)
Jacques1 Posted September 8, 2014

I don't see how that answers the question. What I do see, though, is that the script has no security whatsoever and basically allows anybody to use your server as an open mail relay for arbitrary messages. If the spammers find this, your server will be blacklisted in no time, and hosters usually don't find that very funny.

The mail() function is generally the worst possible choice, because it's a low-level feature for experts. If I understand you correctly, you used PHPMailer before (which is a much better idea). What's wrong with that?
whitt Posted September 8, 2014 (Author)

I only used the mail function due to the tutorial I followed. I'm in the process of relearning everything, so sorry if I'm slow.
whitt Posted September 8, 2014 (Author)

I did read this http://www.9lessons.info/2009/10/send-mail-using-smtp-and-php.html but I'm not sure how to adapt my form.
Jacques1 Posted September 8, 2014 (edited September 8, 2014 by Jacques1)

Don't use random code you found somewhere on the Internet. Most of it is crap, and that one is no exception. The part about zero security applies here as well.

Again: what makes you think that your server doesn't support PHPMailer? This is by far the best solution, and it supports many different PHP versions and many different scenarios. It makes much more sense to figure out this problem rather than jump to some nonsense script from 2009.
whitt Posted September 8, 2014 (Author)

The 9lessons link was the only answer I could get out of my server host, who I emailed about using SMTP. I understand where you are coming from; I will not do this in future. How would I adapt PHPMailer into my existing code?
whitt Posted September 8, 2014 (Author)

The continued help is appreciated.
Jacques1 Posted September 8, 2014

It's difficult to make sense of this all. After reading it again, it seems your problem is that you're not allowed to use the mail() function and now look for an alternative way of sending mails. Is this true? In that case, you need access to an external mail relay (e.g. a Gmail account). Do you have that?
whitt Posted September 8, 2014 (Author)

> It's difficult to make sense of this all. After reading it again, it seems your problem is that you're not allowed to use the mail() function and now look for an alternative way of sending mails. Is this true? In that case, you need access to an external mail relay (e.g. a Gmail account). Do you have that?

Yes, this is the problem; I am currently using a Gmail account. Sorry if I'm not making much sense; I am unable to describe things very well.
Jacques1 Posted September 8, 2014

There's an example for using external SMTP servers on the PHPMailer page. Download the library, include it as explained in the README and then enter your Gmail credentials like in the example.
whitt Posted September 8, 2014 (Author)

And this can take my JSON data and use it like my original script does, then send it?
Jacques1 Posted September 8, 2014

JSON data? I see no JSON data in your script.
whitt Posted September 8, 2014 (Author)

> JSON data? I see no JSON data in your script.

Oh, I think I know why it's been confusing. It didn't attach my JS file:

    /* jQuery validation using jqBootstrapValidation;
       example is taken from the jqBootstrapValidation docs */
    $(function() {
        $("input,textarea").jqBootstrapValidation({
            preventSubmit: true,
            submitError: function($form, event, errors) {
                // something to have when submit produces an error ?
                // Not decided if I need it yet
            },
            submitSuccess: function($form, event) {
                event.preventDefault(); // prevent default submit behaviour
                // get values from FORM
                var name = $("input#name").val();
                var email = $("input#email").val();
                var message = $("textarea#message").val();
                var subject = $("select#subject").val();
                var firstName = name; // For Success/Failure Message
                // Check for white space in name for Success/Fail message
                if (firstName.indexOf(' ') >= 0) {
                    firstName = name.split(' ').slice(0, -1).join(' ');
                }
                $.ajax({
                    url: "./bin/contact_me.php",
                    type: "POST",
                    data: {name: name, email: email, message: message, subject: subject},
                    cache: false,
                    success: function() {
                        // Success message
                        $('#success').html("<div class='alert alert-success'>");
                        $('#success > .alert-success').html("<button type='button' class='close' data-dismiss='alert' aria-hidden='true'>×")
                            .append("</button>");
                        $('#success > .alert-success')
                            .append("<strong>Your message has been sent. </strong>");
                        $('#success > .alert-success')
                            .append('</div>');
                        // clear all fields
                        $('#contactForm').trigger("reset");
                    },
                    error: function() {
                        // Fail message
                        $('#success').html("<div class='alert alert-danger'>");
                        $('#success > .alert-danger').html("<button type='button' class='close' data-dismiss='alert' aria-hidden='true'>×")
                            .append("</button>");
                        // note: firstName is the visitor's own input inserted as raw HTML;
                        // escape it (or use .text()) if this message ever reaches another user
                        $('#success > .alert-danger').append("<strong>Sorry " + firstName + " it seems that my mail server is not responding...</strong> Could you please email me directly to <a href='mailto:me@example.com?Subject=Message_Me from myprogrammingblog.com'>me@example.com</a> ? Sorry for the inconvenience!");
                        $('#success > .alert-danger').append('</div>');
                        // clear all fields
                        $('#contactForm').trigger("reset");
                    },
                })
            },
            filter: function() {
                return $(this).is(":visible");
            },
        });

        $("a[data-toggle=\"tab\"]").click(function(e) {
            e.preventDefault();
            $(this).tab("show");
        });
    });

    /* When clicking on Full hide fail/success boxes */
    $('#name').focus(function() {
        $('#success').html('');
    });
Jacques1 Posted September 8, 2014

There's still no JSON data anywhere. I guess your actual question is whether you can call your e-mail script with Ajax. Yes. Everything works like before; the only difference is that you replace the mail() function with PHPMailer.
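The following is an added example, not code from this thread, from whitt's attachment or from the PHPMailer project. It pulls together the advice above: the credentials live in a file above the document root and are pulled in with require (Jacques1's first reply), the recipient is fixed so the script cannot be used as a relay (the open-relay warning), PHPMailer talks to Gmail over authenticated SMTP (the README example), and the Ajax handler posted above keeps working because the script answers with HTTP status codes the jQuery success/error callbacks already react to. Everything named here is assumed for illustration: the path /home/whitt/private/, PHPMailer 6 installed with Composer (the 2014-era 5.2 release differs only in the autoloader, the unnamespaced class name and `SMTPSecure = 'tls'`), the keys of the config array, the values of the subject dropdown and the use of a Gmail app password.

```php
<?php
// public_html/bin/contact_me.php  (added example; assumed paths and names)
//
// Expects a private file OUTSIDE the document root, e.g.
//   /home/whitt/private/mail_config.php
// that returns an array (assumed layout, not from the original thread):
//   return [
//       'smtp_host' => 'smtp.gmail.com', 'smtp_port' => 587,
//       'smtp_user' => 'you@gmail.com',  'smtp_pass' => 'gmail-app-password',
//       'to'        => 'you@example.com',
//   ];
// Because the file sits above public_html, no URL maps to it; PHP reads it
// from disk with require, which never goes through the web server.

declare(strict_types=1);

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

require __DIR__ . '/../../vendor/autoload.php';            // PHPMailer 6 via Composer (assumed)
$config = require __DIR__ . '/../../private/mail_config.php';

header('Content-Type: application/json');

// Only accept POSTs, which is all the Ajax handler ever sends.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'method not allowed']);
    exit;
}

// Validate every field. The recipient is fixed in the config, so a visitor
// can never turn this endpoint into a relay for mail to third parties.
$name    = trim((string) ($_POST['name'] ?? ''));
$email   = trim((string) ($_POST['email'] ?? ''));
$subject = trim((string) ($_POST['subject'] ?? ''));
$message = trim((string) ($_POST['message'] ?? ''));

$allowedSubjects = ['General', 'Support', 'Quote'];   // assumed <select> values

$errors = [];
if ($name === '' || mb_strlen($name) > 100 || preg_match('/[\r\n\0]/', $name)) {
    $errors[] = 'name';          // control characters would end up in a header
}
if (!PHPMailer::validateAddress($email)) {
    $errors[] = 'email';
}
if (!in_array($subject, $allowedSubjects, true)) {
    $errors[] = 'subject';
}
if ($message === '' || mb_strlen($message) > 5000) {
    $errors[] = 'message';
}

if ($errors) {
    http_response_code(422);     // any 4xx/5xx triggers the jQuery error: callback
    echo json_encode(['error' => 'invalid', 'fields' => $errors]);
    exit;
}

$mail = new PHPMailer(true);     // true = throw Exception instead of returning false
try {
    $mail->isSMTP();
    $mail->Host       = $config['smtp_host'];
    $mail->Port       = $config['smtp_port'];
    $mail->SMTPAuth   = true;
    $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
    $mail->Username   = $config['smtp_user'];
    $mail->Password   = $config['smtp_pass'];

    // Gmail rewrites From to the authenticated account anyway; put the visitor's
    // address in Reply-To so "reply" in your mail client still reaches them.
    $mail->setFrom($config['smtp_user'], 'Website contact form');
    $mail->addAddress($config['to']);
    $mail->addReplyTo($email, $name);

    $mail->isHTML(false);
    $mail->CharSet = 'UTF-8';
    $mail->Subject = 'Contact form: ' . $subject;
    $mail->Body    = "Name: $name\nEmail: $email\n\n$message\n";

    $mail->send();
    echo json_encode(['ok' => true]);
} catch (Exception $e) {
    // Log the real reason server-side; never echo $mail->ErrorInfo to the browser,
    // it can include the SMTP host and the failed login.
    error_log('contact form: ' . $mail->ErrorInfo);
    http_response_code(500);
    echo json_encode(['error' => 'mail not sent']);
}
```

Two checks are worth doing once this is deployed. Request the private file by URL (for the layout above, https://your-site/private/mail_config.php): it must 404, because nothing under the document root points at it. If the host gives you no writable directory above public_html, the .htaccess route from the opening question is an Apache file in Bin/ containing `<Files "config.php">Require all denied</Files>` (Apache 2.4; `Deny from all` on 2.2), which makes a direct request 403 while require still works, since require reads the file from disk rather than over HTTP. Either way, the only thing a visitor can reach is contact_me.php, and it only ever sends to the one address in the config.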
whitt Posted September 8, 2014 (Author)

OK, thanks. I confused AJAX with JSON; sorry, I don't know why I said JSON.
Richard_Grant Posted September 9, 2014

Set the configuration details in a .htaccess as an environment variable. I made the text really big because that's what you should be doing, ALWAYS, with sensitive information.
whitt Posted September 9, 2014 (Author)

> Set the configuration details in a .htaccess as an environment variable. I made the text really big because that's what you should be doing, ALWAYS, with sensitive information.

Can I use both PHPMailer and this?
Jacques1 Posted September 9, 2014

Using big blue letters doesn't increase the credibility of your replies. So please don't. I think we can talk without a loudspeaker here.

I'd actually argue that your .htaccess files are less secure than simply keeping the credentials in a PHP configuration script:

- You put the sensitive data where people don't expect it (like the $_SERVER array). As a result, they may fail to protect the credentials.
- You automatically make the data available to every single script within the scope of the .htaccess file, which is entirely unnecessary and again increases the risk of leaking the credentials. Only the scripts which actually need the data should include it.

Storing credentials in PHP scripts is perfectly fine and by far the simplest approach. If you want to go against that, you need better arguments than the size of your letters.
whitt Posted September 9, 2014 (Author)

So can PHPMailer take POST variables?
Jacques1 Posted September 9, 2014 (marked as solution)

PHPMailer works like any other PHP class, so you can use variables, constants, functions or whatever. Just try it. If you have concrete issues, post your code.