问题
I'm going to use the phpmailer class in my WordPress-plugin to support the use of SMTP in my e-mail function. Is it safe to store the password in the PHP code? I don't feel 100% comfortable with leaving my login there. So my questions: Is it safe enough? How can I easily make it more secure; should I hash it in a database or something? I know MD5 isn't really that secure, but I guess it is better than putting the password in the source code?
回答1:
Essentially you can't - and there are many posts on here saying exactly that. You can however obfuscate it to keep opportunists away. The most straightforward way is to put your password in an external config file (which helps you avoid obvious mistakes like checking your password into github). You can encrypt it to some extent, but at some point you need to decrypt it with some other supposedly secret key, so you're back at square one.
md5 and sha1 (or any other hashing function) have nothing to do with this question; hash functions are simply not applicable to this use case.
回答2:
Tons of sites store passwords inside PHP source code. If a password is stored inside <?php ... ?> tags, it can be considered secure.
PHP source code is rendered by the PHP engine before being exposed, which is a necessary security component. There is no known way to read it, unless your site itself has security vulnerabilities.
Sources:
Possible to view PHP code of a website?
http://www.webmasterworld.com/forum88/10926.html
Read source code with PHP
http://www.vodahost.com/vodatalk/mysql-php/15061-php-source-code-php-files.html
来源:https://stackoverflow.com/questions/25824327/secure-a-smtp-password-in-php