
PHPMailer script password security


31 replies to this topic

#1 fnets

fnets

    Forum Newcomer

  • Members
  • Pip
  • 31 posts
  • Gender:Male
  • Location:Hampshire, UK
  • Experience:Intermediate
  • Area of Expertise:I'm Learning

Posted 26 July 2017 - 03:15 PM

I'm using PHPMailer from

 

https://github.com/PHPMailer/PHPMailer

 

to create an online form and have a question ... How to safely store a password inside PHP code?

 

 


#2 Jack

Jack

    NaN

  • Moderators
  • PipPipPipPipPip
  • 3,205 posts
  • Gender:Male
  • Location:Jersey Channel Islands
  • Experience:Advanced
  • Area of Expertise:Web Designer

Posted 26 July 2017 - 03:55 PM

 

I'm using PHPMailer from

 

https://github.com/PHPMailer/PHPMailer

 

to create an online form and have a question ... How to safely store a password inside PHP code?

 

 

 

 

This won't be the password for your email account, it will be the password for your SMTP server. Most SMTP providers will give you a generated key for this field that you can generate again at any time.

 

In short, storing passwords in PHP can be dangerous. If you have a broken PHP installation, you could potentially render your source code in HTML back to the user. It's generally safer to store anything like this outside of the web root where it can't be browsed.

 

The reason why sending services give you a key instead of using your account username & password, is because you can't login or do much with the key, it's also something you can revoke instantly if you see something unusual.

 

If you're concerned with security, I would avoid building your own contact form, unless you're confident you can sanitise and check the data coming in correctly.



#3 DonkeyWorx

DonkeyWorx

    Forum Newcomer

  • Members
  • Pip
  • 51 posts
  • Gender:Male
  • Experience:Intermediate
  • Area of Expertise:Designer

Posted 27 July 2017 - 08:44 AM

 

...If you're concerned with security, I would avoid building your own contact form, unless you're confident you can sanitise and check the data coming in correctly.

 

I'd just put my learner plates back on for building my own contact form... and was working from this -https://www.w3school..._validation.asp

 

Is that what you mean or is there more? I'm not storing passwords to DB just sending an email so just assumed I needed to avoid script exploits? Most of the prebuilt forms with security I've seen so far just include captcha rather than do much sanitising.



#4 BrowserBugs

BrowserBugs

    Unhinged

  • Privileged
  • PipPipPipPipPip
  • 2,116 posts
  • Gender:Male
  • Location:Surrey, UK
  • Experience:Intermediate
  • Area of Expertise:I'm Learning

Posted 27 July 2017 - 09:11 AM

 

I'd just put my learner plates back on for building my own contact form... and was working from this -https://www.w3school..._validation.asp

 

Is that what you mean or is there more? I'm not storing passwords to DB just sending an email so just assumed I needed to avoid script exploits? Most of the prebuilt forms with security I've seen so far just include captcha rather than do much sanitising.

 

Script exploits are one area to address; captcha is anti-spam. I think what Jack was referring to was validating the expected data, which in turn is part anti-spam and part security. E.g. if you had a select list as follows:

<select name="gender">
<option value="1">Male</option>
<option value="2">Female</option>
</select>

... then one way to check your form is valid would be:

<?php
$gender = intval($_POST['gender']); // We know that the gender select is numeric.
if($gender<1 || $gender>=3) {
  // How did they post gender without it being a 1 or 2? Fishy eh?
}
?>


#5 Jack


Posted 27 July 2017 - 09:59 AM

 

I'd just put my learner plates back on for building my own contact form... and was working from this -https://www.w3school..._validation.asp

 

Is that what you mean or is there more? I'm not storing passwords to DB just sending an email so just assumed I needed to avoid script exploits? Most of the prebuilt forms with security I've seen so far just include captcha rather than do much sanitising.

 

Basically, I would be looking to incorporate the following:

  • Form validation (server and client-side, but server is more important)
  • Anti-spam (probably using a honeypot field)
  • Data sanitising to avoid XSS attacks
  • Verifying any file uploads have a legitimate file, not an empty file or a spoofed mime-type. This is quite hard to do as it's something you can't do on upload, it's a process that has to happen once the server has received the file.
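The checks BrowserBugs sketched in #4 (only accept the select values the form actually offers) and the list above (server-side validation, a honeypot field, sanitising before output) put together as one PHP function. This is an added example, not code from the thread; the field names, the length limits and the two sample submissions are constructed for illustration.

```php
<?php
// Added example, not code from the thread: server-side checks for a small
// contact form. Field names, limits and sample data are assumptions.
declare(strict_types=1);

/**
 * Validate a contact-form submission and return a list of error messages.
 * An empty list means every check passed.
 */
function validate_contact(array $post): array
{
    $errors = [];

    // Honeypot: a hidden field real users never see. Bots tend to fill every
    // field, so any value here marks the submission as spam.
    if (($post['website'] ?? '') !== '') {
        $errors[] = 'Rejected: honeypot field was filled in.';
    }

    // Select list: only the option values the form offers are valid.
    // intval() plus an allow-list rejects anything else the client sends.
    $allowedGender = [1, 2];
    $gender = intval($post['gender'] ?? 0);
    if (!in_array($gender, $allowedGender, true)) {
        $errors[] = 'Invalid gender value.';
    }

    // Length limits on free text: trim, then reject empty or oversized input.
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 80) {
        $errors[] = 'Name must be between 1 and 80 characters.';
    }

    $message = trim((string) ($post['message'] ?? ''));
    if ($message === '' || mb_strlen($message) > 2000) {
        $errors[] = 'Message must be between 1 and 2000 characters.';
    }

    // Email: filter_var() does the syntax check; CR/LF is refused explicitly so
    // the value can never smuggle extra headers into the outgoing mail.
    $email = trim((string) ($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || preg_match('/[\r\n]/', $email)) {
        $errors[] = 'Email address is not valid.';
    }

    return $errors;
}

/** Escape a submitted value before it goes into an HTML email body or a page. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions, shaped like $_POST from the form.
$good = ['name' => 'Ann', 'email' => 'ann@example.com', 'gender' => '2',
         'message' => 'Hello', 'website' => ''];
$bad  = ['name' => '', 'email' => "x@example.com\r\nBcc: spam@example.net",
         'gender' => '7', 'message' => '<script>alert(1)</script>', 'website' => 'http://bot'];

var_dump(validate_contact($good) === []);   // a clean submission
print_r(validate_contact($bad));            // one message per failed check
echo h($bad['message']), PHP_EOL;           // escaped before it is echoed anywhere
```

Validation rejects the submission outright; sanitising (the `h()` helper) is applied to values you do accept at the moment they are written into HTML, so the two are separate steps rather than one "clean the input" pass.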


#6 DonkeyWorx


Posted 31 July 2017 - 11:19 AM

Thanks both, at least I know the scope of work now. I've got the basic security done to avoid XSS and will add honeypot anti-spam and form validation ASAP.



#7 fnets


Posted 31 July 2017 - 12:33 PM

Sorry guys, I'm probably not good enough to understand the responses but ..

 

my email form can include an attachment and it calls a php script that uses PHPMailer.

 

$mail = new PHPMailer;
 
but I can only get this to work by including my password
 
$mail->Password = 'myPassword';
 
I prefer not to have my password in a php file so I wondered what my options were?
 
https://stackoverflo...ail-credentials this looks more like it, putting my password in a config.ini file outside the root, but not sure how to store a file outside the root?
 
also I'm using Godaddy Plesk and I've read that Godaddy shared hosting doesn't give you access to any directories above your website's document root? 

Edited by fnets, 31 July 2017 - 12:47 PM.


#8 BrowserBugs


Posted 31 July 2017 - 03:23 PM

Hmm I don't use PHPMailer, just plain old php mail() function which requires no passwords. Here's a basic demo but it covers multipart mixed messages.

 

Edit: Forgot to say don't forget to check what type of file you are dealing with and make sure it's legit. Don't just assume a file extension. See http://php.net/manual/en/book.fileinfo.php. 


Edited by BrowserBugs, 31 July 2017 - 03:26 PM.
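The "check what type of file you are dealing with" advice above, worked through in PHP as an added example (not code from the thread): the content type comes from fileinfo reading the bytes, the claimed extension has to agree with it, and a real form submission is additionally checked with is_uploaded_file() and a size cap. The allowed-type table and the size limit are assumptions.

```php
<?php
// Added example, not code from the thread: accept an uploaded attachment only
// if it is a real upload, within a size limit, and of an allowed type detected
// from its bytes with fileinfo, with the extension agreeing with that type.
declare(strict_types=1);

const MAX_ATTACHMENT_BYTES = 2 * 1024 * 1024;   // assumed limit

// Content types we accept, each with the extensions allowed to carry it.
const ALLOWED_TYPES = [
    'application/pdf' => ['pdf'],
    'image/jpeg'      => ['jpg', 'jpeg'],
    'image/png'       => ['png'],
];

/**
 * Detect the type of $path from its content (the client-sent MIME type is
 * ignored) and require the claimed file name's extension to match it.
 * Returns the detected type, or throws.
 */
function detect_allowed_type(string $path, string $claimedName): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("Content type '$mime' is not allowed");
    }
    $ext = strtolower(pathinfo($claimedName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_TYPES[$mime], true)) {
        throw new RuntimeException("Extension .$ext does not match detected type $mime");
    }
    return $mime;
}

/**
 * Full check for one entry of $_FILES (e.g. $_FILES['attachment']). On success
 * tmp_name can be handed to $mail->addAttachment($file['tmp_name'], $safeName).
 */
function check_attachment(array $file): string
{
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed or no file given (error code $code)");
    }
    // Only a file PHP itself received through the HTTP POST is acceptable.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_ATTACHMENT_BYTES) {
        throw new RuntimeException('Empty or oversized attachment');
    }
    return detect_allowed_type($file['tmp_name'], (string) ($file['name'] ?? ''));
}

// Constructed stand-alone demo of the content check. is_uploaded_file() only
// passes for a real POST upload, so check_attachment() runs inside the form handler.
$tmp = tempnam(sys_get_temp_dir(), 'att');
file_put_contents($tmp, "%PDF-1.4\n% constructed minimal header\n");
echo detect_allowed_type($tmp, 'invoice.pdf'), PHP_EOL;   // type comes from the magic bytes
try {
    detect_allowed_type($tmp, 'invoice.exe');              // same bytes, mismatched extension
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
unlink($tmp);
```

Pass the original file name through `basename()` and the same allow-listed extension before using it as the attachment name; the detected type, not the name, decides whether the file is accepted at all.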


#9 Jack


Posted 31 July 2017 - 11:07 PM

 

Sorry guys, I'm probably not good enough to understand the responses but ..

 

my email form can include an attachment and it calls a php script that uses PHPMailer.

 

$mail = new PHPMailer;
 
but I can only get this to work by including my password
 
$mail->Password = 'myPassword';
 
I prefer not to have my password in a php file so I wondered what my options were?
 
https://stackoverflo...ail-credentials this looks more like it, putting my password in a config.ini file outside the root, but not sure how to store a file outside the root?
 
also I'm using Godaddy Plesk and I've read that Godaddy shared hosting doesn't give you access to any directories above your website's document root? 

 

 

Most hosting companies won't let you touch a config.ini file without having a VPS or dedicated server, and rightfully so, people would be taking their sites down all the time.

 

If you can, use a sending service like Sendgrid, Postmark, Sparkpost or Mailgun. All of them are free for 10,000+ emails a month, don't have any ads, and are considerably more reliable than sending email off your own server. If you're sending off a GoDaddy shared server, don't be surprised if the IP has been blacklisted, or has a poor sending reputation, email will end up getting caught in spam folders or not even sent.

 

Don't be put off if they mention APIs and stuff on the homepage. Once your domain is set up, you can use the credentials they provide, as well as a generated key in your SMTP settings, and that's basically it.



#10 fnets


Posted 01 August 2017 - 10:47 AM

ok thanks, will explore. I'm only using PHPMail because I was told it's easier to allow attachments? I think Sendgrid, Postmark, Sparkpost or Mailgun are subscription but will take a look.

 

out of interest, what would be the problem with reading a password from a file in a folder with restricted permission?


Edited by fnets, 01 August 2017 - 10:54 AM.


#11 BrowserBugs


Posted 01 August 2017 - 12:00 PM

out of interest, what would be the problem with reading a password from a file in a folder with restricted permission?

 

To be honest mate, so long as you can't gain access to it in any way from the front end then I can't see a problem; even storing outside the root, if they breach your site via ftp / ssh then it really makes no difference at that point, you're pretty much screwed anyway.

 

Edit: PHPMailer is quicker, but it needs to be set up and relies on support from the library on GitHub. If you're learning I'd suggest the native mail method to understand about multipart messages with boundaries.


Edited by BrowserBugs, 01 August 2017 - 12:03 PM.


#12 fnets


Posted 01 August 2017 - 12:36 PM

ok thanks. yes I used the native mail first and now using PHPMailer. I have managed to set it up ok using the GitHub library.

 

I was also wondering if DropBox was an option?


Edited by fnets, 01 August 2017 - 12:44 PM.


#13 Jack


Posted 01 August 2017 - 01:29 PM

ok thanks, will explore. I'm only using PHPMail because I was told it's easier to allow attachments? I think Sendgrid, Postmark, Sparkpost or Mailgun are subscription but will take a look.
 
out of interest, what would be the problem with reading a password from a file in a folder with restricted permission?

 
These services just send the mail for you, it doesn't matter if your form is using PHPMail or something else, the transporting of the email once it has sent is handled by the third-party. Sending from your own server is risky, these services exist to provide a higher delivery rate. I prefer third-party services because they give you an idea of how successful your sent mail is, otherwise you have no idea unless you start pulling out log files. At my old job we had our own SMTP server, and there's nothing worse than getting a support ticket from a client calling saying someone emailed but they never received it, it's a nightmare to find out what happened.
 
If you use one of these services you will get a generated key to use instead of a password, which is safe enough. You can restrict the sending IP to your server's IP so that even if the credentials are stolen, the attacker can't send mail using your account anyway. To be honest, though, your efforts are best spent securing your form.
 

To be honest mate, so long as you can't gain access to it in any way from the front end then I can't see a problem; even storing outside the root, if they breach your site via ftp / ssh then it really makes no difference at that point, you're pretty much screwed anyway.


Most hosting providers with FTP won't let you anywhere near the files outside of the root, and SSH can be locked down considerably more, it's unlikely anyone will know your private SSH key unless you've given it out. I get what you're saying though.

 

The issue is if someone tries to exploit the form and manages to get an error out of it, sometimes these errors are enough to get the source code returned back to the attacker with the credentials in. If your credentials are an API key, and you've locked it down, it's not much use.

 

This is why most CMS systems will encourage you to place the app files outside of your public directory. If a plugin or PHP error causes the file contents to be returned, these files aren't viewable from your domain. That's how I understand it anyway.



#14 BrowserBugs


Posted 01 August 2017 - 01:38 PM

 
The issue is if someone tries to exploit the form and manages to get an error out of it, sometimes these errors are enough to get the source code returned back to the attacker with the credentials in. If your credentials are an API key, and you've locked it down, it's not much use.

 

Ah yeah totally see your point here, I forget that there's so much I normally include in my core that suppresses these notifications on live sites; e.g.

<?php
$live = true;
if($live) {
  error_reporting(E_ALL ^ E_NOTICE); // on the live site, report everything except notices
}
?>

I toggle live on and off for beta testing or live version ;)
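The setting that actually keeps error text (and, with it, anything in the script) out of the visitor's browser is display_errors, not the error_reporting level. As an added example that is not BrowserBugs' code, this is the bootstrap a live site would use: errors still go to a log file, nothing is echoed into the response, and an uncaught exception gets a generic page instead of a stack trace. APP_ENV and the log path are assumptions.

```php
<?php
// Added example, not from the thread: production error handling for the form
// script. APP_ENV and the log location are assumptions; adjust to your host.
declare(strict_types=1);

$live = getenv('APP_ENV') !== 'dev';

// Keep reporting everything so problems still reach the log ...
error_reporting(E_ALL);
// ... but only the log: on a live site nothing is written into the response.
ini_set('display_errors', $live ? '0' : '1');
ini_set('log_errors', '1');
ini_set('error_log', dirname(__DIR__) . '/private/php-error.log'); // outside the web root

// An uncaught exception would otherwise print a trace, including function
// arguments such as credentials, into the page. Replace that with a generic reply.
set_exception_handler(function (Throwable $e) use ($live): void {
    error_log(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo $live ? 'Something went wrong, please try again later.' : $e;
});
```

The same two settings in php.ini are `display_errors = Off` and `log_errors = On`; setting them there is preferable because a fatal error during script start-up can happen before any ini_set() call runs.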



#15 fnets


Posted 01 August 2017 - 03:48 PM

I'll give it a try, thanks.

 

Any preference ... Sendgrid, Postmark, Sparkpost or Mailgun ?



#16 Jack


Posted 01 August 2017 - 04:37 PM

I'll give it a try, thanks.

 

Any preference ... Sendgrid, Postmark, Sparkpost or Mailgun ?

 

Not really, I've heard good things about all of them. I use Sendgrid at work and it's pretty good, it will be more than sufficient for what you need it for.



#17 fnets


Posted 02 August 2017 - 07:28 AM

one final question ... is CRM another way to handle email safely (obviously in addition to other features)?



#18 fnets


Posted 02 August 2017 - 08:07 AM

just registered sendgrid but unfortunately a bit lost ... selected php and got to step 2 create key.

 

have this in front of me in Dreamweaver 

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>

<body>
</body>
</html> 

what do I do? but step 3 is Create an environment variable?

 

I think this is probably for experienced web developers? (I am experienced with C++) Have submitted a question.

 

Youtube https://youtu.be/zjL4g4FXaQ4 setting up and using SendGrid talks about Exelare which I've never heard of. Don't mind educating myself but are you sure this is a good starting point?


Edited by fnets, 02 August 2017 - 08:52 AM.


#19 Jack


Posted 02 August 2017 - 08:42 AM

just registered sendgrid but unfortunately a bit lost ... selected php and got to create key.
 
I think this is for experienced web developers?

 
You don't need to specify any language because you're not using the API. You need to set up your SMTP relay, which will give you the details you need to update your contact form script (SMTP server, username, password). If you're logged in, there's a guide that walks you through it here https://app.sendgrid.com/guide. Select 'Integrate using our Web API or SMTP relay' then 'SMTP Relay', create an API key giving it the name of your project or site. You should be able to send with the details they give you once you've updated your PHP script and submitted a test entry.

 

It generally is for more experienced developers, but the SMTP side is really straightforward if your PHP script is already set to send out using SMTP. If you get it working, it should make a little more sense in terms of what it does, you'll be able to start seeing your mail come through, view stats etc. Honestly, the only way to get experience with this sort of thing is to do it, get it working, then you can look back and think that in a week you've built a contact form, and integrated it into a third-party sending service. Not bad.



#20 fnets


Posted 02 August 2017 - 09:23 AM

yes I agree and I want to learn.

 

sorry to be stupid but I seem to be missing some major steps here ... from https://app.sendgrid...rate/langs/smtp I've created a key and the step 2 Configure you application - what application? should I have installed something somewhere?

 

I feel like I've started mid-way and missed out the first steps?


Edited by fnets, 02 August 2017 - 09:28 AM.


#21 Jack


Posted 02 August 2017 - 09:31 AM

yes I agree and I want to learn.

 

sorry to be stupid but I seem to be missing some major steps here ... from https://app.sendgrid...rate/langs/smtp I've created a key and the step 2 Configure you application - what application? should I have installed something somewhere?

 

I feel like I've started mid-way and missed out the first steps?

 

Your contact form. Put the details they give you into the SMTP settings in PHPMailer.


Edited by Jack, 02 August 2017 - 09:36 AM.


#22 fnets


Posted 02 August 2017 - 09:41 AM

ok thanks for helping ...
 
so from sendgrid
 
Server smtp.sendgrid.net
Ports
25, 587 (for unencrypted/TLS connections)
465 (for SSL connections)
Username apikey
Password YOUR_API_KEY
 
need to go in my php file
 
$mail->isSMTP();
$mail->Host = 'smtp.sendgrid.net';
$mail->SMTPAuth = true;
$mail->Username = 'apikey'; 
$mail->Password = 'key they gave me';
$mail->SMTPSecure = 'ssl'; 
$mail->Port = 465;
 
and then use php mail to send.
 
what's confusing is I think step 1 should be download/install files and step 2 update the files that were downloaded? "Configure Your Application" could refer to anything?

Edited by fnets, 02 August 2017 - 09:54 AM.


#23 Jack


Posted 02 August 2017 - 09:49 AM

 

ok thanks for helping ...
 
so from sendgrid
 
Server smtp.sendgrid.net
Ports
25, 587 (for unencrypted/TLS connections)
465 (for SSL connections)
Username apikey
Password YOUR_API_KEY
 
need to go in my php file
 
$mail->isSMTP();
$mail->Host = 'smtp.sendgrid.net';
$mail->SMTPAuth = true;
$mail->Username = 'apikey'; 
$mail->Password = 'key they gave me';
$mail->SMTPSecure = 'ssl'; 
$mail->Port = 465;
 
and then use php mail to send.

 

 

That should do it. The only thing you might need to change is the port, if you can't get data through, try one of the non-SSL ports for now and remove the SMTPSecure option.
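The SMTP settings above, combined with Jack's earlier point (#13, repeated in #30) that the credentials should live in a file the web server cannot serve, as an added example that is not code from the thread or from PHPMailer. It assumes PHPMailer 6 installed with Composer, a directory named `private` beside (not inside) the document root holding `mail.ini` with mode 600, and environment variables as the alternative a host like SendGrid's guide suggests; the addresses and the key value are placeholders.

```php
<?php
// Added example, not code from the thread or from PHPMailer. Assumptions:
// PHPMailer 6 installed with Composer; a directory named "private" sits
// beside (not inside) the document root and holds mail.ini with mode 600.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;

/**
 * Load SMTP settings from an .ini file the web server cannot serve, letting
 * environment variables (SendGrid's "create an environment variable" step)
 * override it. Throws if any required setting is missing.
 */
function load_smtp_config(string $iniPath): array
{
    $config = [];
    if (is_file($iniPath)) {
        // A secrets file readable by group or others is a misconfiguration;
        // refuse it rather than quietly using it.
        if ((fileperms($iniPath) & 0044) !== 0) {
            throw new RuntimeException("$iniPath is readable by other users; chmod 600 it");
        }
        $config = parse_ini_file($iniPath, false, INI_SCANNER_TYPED) ?: [];
    }
    foreach (['SMTP_HOST', 'SMTP_PORT', 'SMTP_USER', 'SMTP_PASS'] as $key) {
        $env = getenv($key);
        if ($env !== false && $env !== '') {
            $config[strtolower($key)] = $env;
        }
    }
    foreach (['smtp_host', 'smtp_port', 'smtp_user', 'smtp_pass'] as $key) {
        if (empty($config[$key])) {
            throw new RuntimeException("Missing SMTP setting: $key");
        }
    }
    return $config;
}

/** Configure PHPMailer for authenticated SMTP; port and encryption must agree. */
function build_mailer(array $cfg): PHPMailer
{
    $mail = new PHPMailer(true);            // true: throw on failure instead of returning false
    $mail->isSMTP();
    $mail->Host     = $cfg['smtp_host'];
    $mail->SMTPAuth = true;
    $mail->Username = $cfg['smtp_user'];    // literally "apikey" for SendGrid
    $mail->Password = $cfg['smtp_pass'];    // the generated key, never a mailbox password
    $mail->Port     = (int) $cfg['smtp_port'];
    // 465 is implicit TLS (what the thread calls "SSL"); 587 is STARTTLS.
    $mail->SMTPSecure = $mail->Port === 465
        ? PHPMailer::ENCRYPTION_SMTPS
        : PHPMailer::ENCRYPTION_STARTTLS;
    return $mail;
}

// Constructed contents of ../private/mail.ini (never inside the web root):
//   smtp_host = smtp.sendgrid.net
//   smtp_port = 587
//   smtp_user = apikey
//   smtp_pass = "SG.placeholder-key-from-sendgrid"
$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? __DIR__;

try {
    $mail = build_mailer(load_smtp_config(dirname($docRoot) . '/private/mail.ini'));
    $mail->setFrom('forms@example.com', 'Website contact form');   // placeholder addresses
    $mail->addAddress('inbox@example.com');
    $mail->Subject = 'Contact form submission';
    $mail->isHTML(false);
    $mail->Body = 'Plain-text body built from the already validated form fields.';
    $mail->send();
    echo 'Message sent.', PHP_EOL;
} catch (Throwable $e) {
    // Detail goes to the server log; the visitor sees only a generic message.
    error_log('Mail failure: ' . $e->getMessage());
    echo 'Sorry, your message could not be sent.', PHP_EOL;
}
```

On shared hosting that exposes only the document root, the fallback is the environment variables, which the file loader treats the same way; either way the PHP file that gets served contains no secret, so a PHP outage that returns source as text leaks nothing.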



#24 fnets


Posted 02 August 2017 - 10:08 AM

ok yes it worked. thanks for helping. presumably if I add an attachment to phpmailer that should also work?



#25 fnets


Posted 02 August 2017 - 10:11 AM

can I quickly ask how I send emails from my form to my email account? ... ok got it


Edited by fnets, 02 August 2017 - 10:14 AM.


#26 Jack


Posted 02 August 2017 - 10:23 AM

ok yes it worked. thanks for helping. presumably if I add an attachment to phpmailer that should also work?

 

Yeah, Sendgrid just handles the transportation of your mail, it doesn't care about the content. You can also create branded templates that your content gets put into before sending out, but I've never used anything like that. I think it can do newsletters too, similar to Mailchimp or Campaign Monitor.

 

You should look at configuring sending from your domain so the from address isn't coming from Sendgrid, but you'll need to add some DNS records to verify your domain. There's some more info on it here https://sendgrid.com...elabel/faq.html.

 

I would recommend setting up a new API key for every site or project going forward. You don't need to have a new one for every contact form, but if a key gets stolen you can revoke access to just that one site and not every site using it.



#27 fnets


Posted 02 August 2017 - 10:25 AM

are all emails html?

 

$mail->isHTML(false); I don't think this has any effect?

 

but thanks for introducing me to something safe and secure (and faster).


Edited by fnets, 02 August 2017 - 10:26 AM.


#28 Jack


Posted 02 August 2017 - 10:28 AM

are all emails html?

 

$mail->isHTML(false); I don't think this has any effect?

 

It depends if you want to send plain text, or if you want formatting in your email. If you're receiving contact form entries it's sometimes nicer to spit them out in a table to make them more readable.



#29 fnets


Posted 10 August 2017 - 08:40 AM

I think I understand the need for SendGrid but as an aside is this PHPMailer answer valid?

 

"The fact that it is served as a php file means that no-one should see it anyway, so security isn't an issue."
 


#30 Jack


Posted 10 August 2017 - 10:25 AM

 

I think I understand the need for SendGrid but as an aside is this PHPMailer answer valid?

 

"The fact that it is served as a php file means that no-one should see it anyway, so security isn't an issue."
 

 

 

Not quite, usually it's secure enough, but if your PHP service stops running for whatever reason, your code won't be executed and it will be output in plain text instead. The way you get around this, is to put sensitive files outside of your public root directory, that way even if PHP stops running, the files can't be browsed.



#31 fnets


Posted 10 August 2017 - 05:13 PM

ok got it thanks



#32 rallport

rallport

    Laravel 5 Rocks

  • Moderators
  • PipPipPipPipPipPip
  • 5,949 posts
  • Gender:Male
  • Location:England, UK
  • Experience:Web Guru
  • Area of Expertise:Web Developer

Posted 22 October 2017 - 05:20 PM

 

I'd just put my learner plates back on for building my own contact form... and was working from this -https://www.w3school..._validation.asp

 

Is that what you mean or is there more? I'm not storing passwords to DB just sending an email so just assumed I needed to avoid script exploits? Most of the prebuilt forms with security I've seen so far just include captcha rather than do much sanitising.

 

That's an awful link, typical w3 schools. They are not describing validation, they're describing a (crap) method of sanitization.

 

Validation would enforce things like input length, the validity of email or ensuring select values are valid.





