2014-07-15 20:07


  • security
  • php
  • email

I've searched around for this answer, and have found a few "solutions", but I don't think I quite understand how to accomplish this. I just finished a query-mobile site that has 11 different PHP files for mailing form submittals. This being my first mobile "site", I wasn't too concerned with security at first, more functionality. Well, now that everything is functioning properly, I need to worry about locking it down. Those 11 PHP files are located in the same directory as all of my HTML files, and they contain the SMTP creds for submitting the email. Some of the solutions I've found say to locate those files outside of the webroot, but how would I reference them in my form action? Does this mean that I should just create a subfolder under the root and place them there and reference them instead of

<form method="post" action="bp-mail.php" enctype="multipart/form-data" data-ajax="false">

but now like

<form method="post" action="/scripts/bp-mail.php" enctype="multipart/form-data" data-ajax="false">

...or do they need to be located in a directory "above" the root in the webserver? If a subfolder is where they should go, what type of permissions should I place on the directory to allow the html pages to still call them, but not allow someone with some site-ripping software from grabbing them? If above the root, how should the path syntax be in the the form code?

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答


  • douxi1968 douxi1968 7年前

    There are two types of file. Those that are interacted with directly (you load them in the URL, they run on the server, then they show you a response), and those you include from other files.

    By the looks of things, bp-mail.php is a file you interact with directly.

    This file should not contain your credentials.

    If - for some crazy reason - Apache stopped parsing that file as PHP and defaulted to plain-text as it can do (happened to Facebook once) then people would just see your passwords.

    Not cool.

    Put that file outside of the web route, and use $config = require(dirname(__DIR__).'/config.php'); or something simple like that to include the file, then just reference the variables in that file.

    That config file could look like this:

    return [
        'smtp' => [
            'username' => '',
            'password' => '',

    Then in bp-mail.php you can use $config['smtp']['username'];, and if anyone sees that in plain text then who cares.

    点赞 评论 复制链接分享