securing include files


Go to solution Solved by Jacques1,

I've just gotten back into relearning web development. I have created a contact form; however, my server is forcing me to use SMTP, which will require me to have a config include with my details inside. How do I ensure nobody can open the files in the browser? I have heard of putting the files outside of the webroot or using .htaccess files; however, the passive-aggressive answers I got from Stack Overflow didn't tell me HOW to implement them.

 

The files are:

  • Form.HTML
  • Bin/config.php
  • Bin/mail.php

 

Any help is appreciated.


What's the goal of hiding the files? As deathbeam already said, the PHP scripts shouldn't output anything at all, which means there's nothing to hide. And the form is already public, isn't it?

 

The only reason for why you would hide the files is if you insist on a clean API: You don't want “dead” resources which can be accessed with a URL but have no content. In that case, simply store the internal scripts somewhere outside of the document root and adjust the file paths of your include statements. So instead of assuming that all scripts are in the same directory, you'd have to move some directories up.

I don't see how that answers the question.

 

What I do see, though, is that the script has no security whatsoever and basically allows anybody to use your server as an open mail relay for arbitrary messages. If the spammers find this, your server will be blacklisted in no time, and hosters usually don't find that very funny.

 

The mail() function is generally the worst possible choice, because it's a low-level feature for experts. If I understand you correctly, you used PHPMailer before (which is a much better idea). What's wrong with that?

Don't use random code you found somewhere on the Internet. Most of it is crap, and that one is no exception. The part about zero security applies here as well.

 

Again: What makes you think that your server doesn't support PHPMailer? This is by far the best solution, and it supports many different PHP versions and many different scenarios. It makes much more sense to figure out this problem rather than jump to some nonsense script from 2009.

Edited by Jacques1
  • Like 1

It's difficult to make sense of this all.

 

After reading it again, it seems your problem is that you're not allowed to use the mail() function and now look for an alternative way of sending mails. Is this true? In that case, you need access to an external mail relay (e.g. a Gmail account). Do you have that?

Yes, this is the problem; I am currently using a Gmail account. Sorry if I'm not making much sense, I am unable to describe things very well.

JSON data? I see no JSON data in your script.

Oh, I think I know why it's been confusing.

It didn't attach my JS file.

 

/*
  jQuery validation using jqBootstrapValidation.
  Example is taken from the jqBootstrapValidation docs.
*/
$(function() {

  $("input,textarea").jqBootstrapValidation({
    preventSubmit: true,
    submitError: function($form, event, errors) {
      // something to have when submit produces an error?
      // Not decided if I need it yet
    },
    submitSuccess: function($form, event) {
      event.preventDefault(); // prevent default submit behaviour
      // get values from FORM
      var name = $("input#name").val();
      var email = $("input#email").val();
      var message = $("textarea#message").val();
      var subject = $("select#subject").val();
      var firstName = name; // For Success/Failure Message
      // Check for white space in name for Success/Fail message
      if (firstName.indexOf(' ') >= 0) {
        firstName = name.split(' ').slice(0, -1).join(' ');
      }
      $.ajax({
        url: "./bin/contact_me.php",
        type: "POST",
        data: {name: name, email: email, message: message, subject: subject},
        cache: false,
        success: function() {
          // Success message
          $('#success').html("<div class='alert alert-success'></div>");
          $('#success > .alert-success')
            .html("<button type='button' class='close' data-dismiss='alert' aria-hidden='true'>×</button>")
            .append("<strong>Your message has been sent. </strong>");

          // clear all fields
          $('#contactForm').trigger("reset");
        },
        error: function() {
          // Fail message
          $('#success').html("<div class='alert alert-danger'></div>");
          $('#success > .alert-danger')
            .html("<button type='button' class='close' data-dismiss='alert' aria-hidden='true'>×</button>")
            // firstName is user input: insert it as text, never as HTML
            .append($("<strong>").text("Sorry " + firstName + " it seems that my mail server is not responding..."))
            .append(" Could you please email me directly to <a href='mailto:me@example.com?Subject=Message_Me from myprogrammingblog.com'>me@example.com</a> ? Sorry for the inconvenience!");

          // clear all fields
          $('#contactForm').trigger("reset");
        }
      });
    },
    filter: function() {
      return $(this).is(":visible");
    }
  });

  $("a[data-toggle=\"tab\"]").click(function(e) {
    e.preventDefault();
    $(this).tab("show");
  });
});

/* When clicking on Full hide fail/success boxes */
$('#name').focus(function() {
  $('#success').html('');
});

Using big blue letters doesn't increase the credibility of your replies.

 

So please don't. I think we can talk without a loudspeaker here.

 

I'd actually argue that your .htaccess files are less secure than simply keeping the credentials in a PHP configuration script:

  • You put the sensitive data where people don't expect it (like the $_SERVER array). As a result, they may fail to protect the credentials.
  • You automatically make the data available to every single script within the scope of the .htaccess file, which is entirely unnecessary and again increases the risk of leaking the credentials. Only the scripts which actually need the data should include it.

Storing credentials in PHP scripts is perfectly fine and by far the simplest approach. If you want to go against that, you need better arguments than the size of your letters.

  • Like 2
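
The setup discussed in this thread, as an added example that is not code from any poster: SMTP settings kept in a PHP file outside the document root and included only by the script that needs them, with PHPMailer sending to a fixed recipient so the form cannot be used as a relay. The directory layout, config keys, subject list and size limits are assumptions; the field names match the posted JavaScript.

```php
<?php
// public_html/bin/contact_me.php (layout, config keys and limits are assumptions).
// ../../private/smtp_config.php lies outside the document root and holds only:
//   <?php return ['host' => 'smtp.example.com', 'port' => 587, 'user' => 'PLACEHOLDER',
//     'pass' => 'PLACEHOLDER', 'from' => 'form@example.com', 'to' => 'owner@example.com'];
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
require __DIR__ . '/../../vendor/autoload.php';            // Composer install of PHPMailer assumed
$cfg = require __DIR__ . '/../../private/smtp_config.php'; // loaded by this script only
const SUBJECTS = ['General', 'Support'];                   // constructed <select> options

// Read one single-line POST field; null if missing, oversized or containing CR/LF etc.
function field(string $key, int $max): ?string
{
    $v = $_POST[$key] ?? null;
    $ok = is_string($v) && ($v = trim($v)) !== '' && strlen($v) <= $max
        && !preg_match('/[\x00-\x1F\x7F]/', $v);
    return $ok ? $v : null;
}

$name    = field('name', 100);
$email   = field('email', 254);
$subject = field('subject', 100);
$message = $_POST['message'] ?? null;                      // body may contain newlines
if ($name === null || !filter_var((string) $email, FILTER_VALIDATE_EMAIL)
    || !in_array($subject, SUBJECTS, true) || !is_string($message)
    || trim($message) === '' || strlen($message) > 5000) {
    http_response_code(400);
    exit;
}

try {
    $mail = new PHPMailer(true);                           // throw exceptions on failure
    $mail->isSMTP();
    $mail->Host       = $cfg['host'];
    $mail->Port       = $cfg['port'];
    $mail->SMTPAuth   = true;
    $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
    $mail->Username   = $cfg['user'];
    $mail->Password   = $cfg['pass'];
    $mail->setFrom($cfg['from']);
    $mail->addAddress($cfg['to']);                         // fixed recipient, never from the request
    $mail->addReplyTo($email, $name);
    $mail->Subject    = 'Contact form: ' . $subject;
    $mail->Body       = $message;
    $mail->send();
} catch (Exception $e) {
    error_log('contact form: ' . $e->getMessage());        // details stay in the server log
    http_response_code(500);
}
```

The posted JavaScript shows its failure box for any error status, so the 400 and 500 responses need no body.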