I am using PHPMailer to send emails in PHP using SMTP with username & password authorization.
It works well, but I am concerned about hard-coding the SMTP username & password in the PHP file.
Other threads on Stack Overflow have suggested "storing the username & password in an 'ini' file outside of the web server / document root".
So I've stored it in inetpub, but before wwwroot. E.g. E:\inetpub\smtp.ini
Whereas my websites are stored in E:\inetpub\wwwroot\exampleWebsite
My question is: Is my smtp.ini file stored in a 'non-public' area? In other words, if a website user can access wwwroot, can they also access a file in inetpub? Or is there a better folder / sub folder I should be storing it in?
My PHP code is as follows:
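```php
<?php
use PHPMailer\PHPMailer\PHPMailer;
require 'vendor/autoload.php'; // assumes PHPMailer was installed with Composer

// Credentials are read from an ini file stored above the web root
$path = realpath('/inetpub/smtp.ini');
$config = $path === false ? false : parse_ini_file($path, true);
if ($config === false) {
    throw new RuntimeException('Unable to read SMTP configuration');
}

$mail = new PHPMailer(true); // true = throw exceptions on failure
$mail->isSMTP();
$mail->Host = 'outlook.office365.com';
$mail->SMTPAuth = true;
$mail->Username = $config['smtp']['un'];
$mail->Password = $config['smtp']['pw'];
// ... rest of mail function ...
$mail->send();
```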
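One way to check the placement the question asks about, as an added example that is not part of the original post: it canonicalises both paths and refuses to load credentials from a file that resolves inside the document root. The helper names `isOutsideDocumentRoot` and `loadSmtpConfig` and the temporary demo tree are hypothetical, and the check assumes the given document root is the only directory the web server publishes.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: true when $file resolves to a location NOT under $docRoot.
// realpath() canonicalises "..", symlinks and mixed separators first.
function isOutsideDocumentRoot(string $file, string $docRoot): bool
{
    $fileReal = realpath($file);
    $rootReal = realpath($docRoot);
    if ($fileReal === false || $rootReal === false) {
        throw new RuntimeException('Path does not exist or cannot be resolved');
    }
    // Trailing separator stops "wwwroot2" from matching "wwwroot".
    $prefix = rtrim($rootReal, '\\/') . DIRECTORY_SEPARATOR;
    // Windows paths are case-insensitive, so compare accordingly there.
    $inside = DIRECTORY_SEPARATOR === '\\'
        ? stripos($fileReal, $prefix) === 0
        : strpos($fileReal, $prefix) === 0;
    return !$inside;
}

// Hypothetical helper: load the [smtp] section, failing closed if anything is wrong.
function loadSmtpConfig(string $iniPath, string $docRoot): array
{
    if (!isOutsideDocumentRoot($iniPath, $docRoot)) {
        throw new RuntimeException('Credential file is inside the document root');
    }
    // INI_SCANNER_RAW stops values such as passwords being reinterpreted.
    $config = parse_ini_file($iniPath, true, INI_SCANNER_RAW);
    if ($config === false || !isset($config['smtp']['un'], $config['smtp']['pw'])) {
        throw new RuntimeException('SMTP configuration is missing or malformed');
    }
    return $config['smtp'];
}

// Constructed demo tree standing in for E:\inetpub and its wwwroot.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inetpub_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/wwwroot/exampleWebsite', 0700, true);
file_put_contents($base . '/smtp.ini', "[smtp]\nun = user@example.com\npw = placeholder-secret\n");
file_put_contents($base . '/wwwroot/exampleWebsite/smtp.ini', "[smtp]\nun = x\npw = y\n");

var_dump(isOutsideDocumentRoot($base . '/smtp.ini', $base . '/wwwroot'));
var_dump(isOutsideDocumentRoot($base . '/wwwroot/exampleWebsite/smtp.ini', $base . '/wwwroot'));
print_r(array_keys(loadSmtpConfig($base . '/smtp.ini', $base . '/wwwroot')));
```

In a real script the second argument would be `$_SERVER['DOCUMENT_ROOT']`. The check says nothing about IIS virtual directories or other sites whose root sits higher in the tree, so those mappings still need to be reviewed in the server configuration.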