用于订单确认电子邮件的 phpmailer 的安全性
[英]security of phpmailer for order confirmation emails
问题描述
I am wondering it using phpmailer for my confirmation emails is secure.
我想知道它使用 phpmailer 作为我的确认电子邮件是安全的。
the order of the pages goes like this:页面的顺序是这样的:
order_confirmation.php checkout_process.php (not technically seen by the user this is the page order confirmation information is sent to/email is sent out to user and order added to database) checkout_success.php order_confirmation.php checkout_process.php(技术上用户看不到这是页面订单确认信息发送到/电子邮件发送给用户并将订单添加到数据库中) checkout_success.php
On the checkout_process page though I am changing the way emails are sent to use phpmailer as we have seen exchange servers/gmail accounts were bouncing our emails back.在 checkout_process 页面上,虽然我正在更改发送电子邮件的方式以使用 phpmailer,因为我们已经看到 Exchange 服务器/gmail 帐户正在退回我们的电子邮件。
the emails are now working but I am wondering if it is secure to have our server info/password on the checkout_process.php page:电子邮件现在正在工作,但我想知道在 checkout_process.php 页面上拥有我们的服务器信息/密码是否安全:
try {
//Server settings
$mail->SMTPDebug = false; // Enable verbose debug output
$mail->isSMTP(); // Send using SMTP
$mail->Host = 'smtp.office365.com'; // Set the SMTP server to send through
$mail->SMTPAuth = true; // Enable SMTP authentication
$mail->Username = 'email@ourcompany.com'; // SMTP username
$mail->Password = 'our actual password'; // SMTP password
$mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS; // Enable TLS encryption; `PHPMailer::ENCRYPTION_SMTPS` also accepted
$mail->Port = 587; // TCP port to connect to
//Recipients
$mail->setFrom('email@ourcompany.com', 'company name');
$mail->addAddress($order->customer['email_address'], $order->customer['firstname']); // Add a recipient
$mail->addReplyTo('email@ourcompany.com', 'company');
// Content
$mail->isHTML(true); // Set email format to HTML
$mail->Subject = EMAIL_TEXT_SUBJECT;
$mail->Body = $email_order;
$mail->AltBody = 'Your order with our company has shipped';
$mail->send();
echo 'order confirmation sent to order#:<br/>';
} catch (Exception $e) {
echo "Message could not be sent. Mailer Error: {$mail->ErrorInfo}";
1 个解决方案
解决方案1
1 已采纳 2020-01-04 17:44:48
In order to use any mail server, you will have to provide secret credentials, like your password.为了使用任何邮件服务器,您必须提供秘密凭证,例如您的密码。 Doing so doesn't by itself make anything insecure.这样做本身不会使任何事情变得不安全。 If someone manages to hack into your server, they can see this file and thus the password, but if it's stored somewhere else, they can just follow the same trail that this file will to fetch it.如果有人设法侵入您的服务器,他们可以看到这个文件和密码,但如果它存储在其他地方,他们可以按照与该文件相同的路径来获取它。 (If it's stored encrypted in a database, for example, this file will still need to get the database credentials and the decryption key from somewhere that the hacker would also have access to.) (例如,如果它以加密方式存储在数据库中,则此文件仍需要从黑客也可以访问的某个地方获取数据库凭据和解密密钥。)
That said, if your code here is in some sort of code repository (as it likely is), then that's not a suitable place to include the password.也就是说,如果您的代码位于某种代码存储库中(很可能是这样),那么这不是包含密码的合适位置。 Apart from hacking into your server, someone can now hack into your repository to get the password.除了入侵您的服务器之外,现在有人可以入侵您的存储库以获取密码。 To avoid this potential issue, your password should be stored somewhere else, which this file can reference.为避免此潜在问题,您的密码应存储在此文件可以引用的其他位置。 Common practice these days is to use a .env file for such details, with this file existing only on the server, not in any repository.现在的普遍做法是使用.env文件来获取此类详细信息,该文件仅存在于服务器上,而不存在于任何存储库中。 As a side benefit, it makes it easy to change the credentials (for your dev server, etc.) without touching your code.作为附带好处,它可以轻松更改凭据(用于开发服务器等),而无需更改代码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.