paperstreet7

Reputation: 2188

Storing SMTP settings in database

I am using Google's SMTP server for sending emails from several sites. The password of the Gmail account is not encrypted and/or stored in a database but hardcoded in the file that handles email forms. Are there any security risks in that approach? Should I create a new Gmail account for every site, or would just storing the password in the database be enough?

Upvotes: 4

Views: 2192

Answers (1)

Pekka

Reputation: 449515

Storing sensitive data in clear text is never a great practice, but then, most PHP web sites store their E-Mail server data hardcoded in clear text somewhere. What I would never do, though, is hardcode the password to a full Google identity (perhaps with connected AdWords payment information etc.) in a PHP file. Google has a feature for this, more on that below.

In theory, you could store passwords in the database and encrypt them as discussed here for another layer of security but doing that right isn't trivial.

You should at the very least store the PHP file in question outside the web root. That way, even if the PHP interpreter fails (or .php files get disassociated from the interpreter in the configuration), the file can't be exposed to the world.

There's also Google's Application-specific password feature. That will limit the damage caused by someone malicious gaining access to the password. In case of a break-in or misuse, you can also deactivate application-specific passwords without having to nuke the entire account.

Those two measures may already give you a reasonable degree of security for your situation.

Upvotes: 6
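One way to apply the "outside the web root" advice from the answer above, as an added example (not code from the question, the answer, or the sites in question): the form handler reads its SMTP settings from a small INI file kept outside the document root and refuses to start if that file is misplaced or readable by other local users. The path `/etc/mysite/smtp.ini` and its contents are assumed for illustration; the password in it would be a per-site application-specific password rather than the main account password.

```php
<?php
// Added example, not from the original post. Loads SMTP settings from a file
// outside the web root instead of hardcoding them in the form handler.
// Assumed (hypothetical) location: /etc/mysite/smtp.ini, mode 0640, owned by
// root and readable by the web server's group only.
declare(strict_types=1);

function loadSmtpConfig(string $path): array
{
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '') ?: '';
    $real    = realpath($path);

    if ($real === false) {
        throw new RuntimeException("SMTP config not found: $path");
    }
    // Refuse a config file that lives under the document root: if .php files
    // ever stop being handed to the interpreter, it would be served as text.
    if ($docRoot !== '' && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("SMTP config must live outside the web root: $real");
    }
    // Refuse a file that other local users can read ("other" bits must be 0).
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException("SMTP config is world-readable: $real");
    }

    $cfg = parse_ini_file($real, false, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException("Cannot parse SMTP config: $real");
    }
    // Fail early on an incomplete file rather than at the first send attempt.
    foreach (['host', 'port', 'username', 'password'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("SMTP config is missing key: $key");
        }
    }
    return $cfg;
}

// Constructed example contents of /etc/mysite/smtp.ini:
//   host     = smtp.gmail.com
//   port     = 587
//   username = "sender@example.com"
//   password = "APP-SPECIFIC-PASSWORD-PLACEHOLDER"
$smtp = loadSmtpConfig('/etc/mysite/smtp.ini');
// $smtp['host'], $smtp['port'], $smtp['username'] and $smtp['password'] now
// feed the mailer's SMTP authentication settings; nothing sensitive is in
// the form handler itself.
```

Revoking a leaked application-specific password in the Google account settings then only invalidates the one site's file, which is the damage limitation the answer describes.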
