php security smtp gmail pear

Is sending from gmail via pear secure?


I'm using a form on my website to send an email using the PEAR mail function. The email will send via gmail as described here - http://www.phpmaniac.net/wiki/index.php/Pear_Mail

I will therefore need to include something like this:

<?php
$smtp_params["host"]     = "smtp.gmail.com";
$smtp_params["port"]     = "25";
$smtp_params["auth"]     = true;
$smtp_params["username"] = "[email protected]";
$smtp_params["password"] = "pass";
?>

Is it secure to put my username and password in the script like that? Obviously you wouldn't be able to see server-side script like this using 'View Source', but could you grab the source files via a web clipper or something and read the script that way? Thanks


Solution

  • You should certainly use SSL/TLS for the connection - simply because sending passwords in plaintext over an unencrypted channel is a bad idea.

    The login data inside your PHP script is safe as long as the PHP interpreter works properly and there are no security holes in your PHP scripts that allow an attacker to view the source code of your PHP files.

    Against the risk of misconfiguration causing PHP source code to be visible, an easy improvement would be storing the config file outside the document root.
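
The two recommendations above combined, as an added example that is not part of the original question or answer: the credentials are loaded from a file outside the document root and the connection uses implicit TLS on port 465. The path `/home/example/private/smtp.php`, the function name `load_smtp_params` and the addresses are assumptions made for illustration.

```php
<?php
// Added example. Hypothetical layout: the credentials file sits outside the
// document root at /home/example/private/smtp.php and contains only:
//   <?php return ['username' => 'user@example.com', 'password' => 'app-password'];

require_once 'Mail.php'; // PEAR Mail

function load_smtp_params(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Refuse a file the web server could hand out if PHP handling breaks.
    if (strpos($real, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('SMTP config must live outside the document root');
    }
    // Refuse world-readable credentials (POSIX permission bits).
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException('SMTP config is world-readable; use chmod 640 or stricter');
    }
    $secrets = require $real;
    foreach (['username', 'password'] as $key) {
        if (!is_array($secrets) || empty($secrets[$key])) {
            throw new RuntimeException("SMTP config is missing '$key'");
        }
    }
    return [
        'host'     => 'ssl://smtp.gmail.com', // TLS from the first byte
        'port'     => 465,
        'auth'     => true,
        'username' => $secrets['username'],
        'password' => $secrets['password'],
    ];
}

$params = load_smtp_params('/home/example/private/smtp.php', $_SERVER['DOCUMENT_ROOT']);
$mailer = Mail::factory('smtp', $params);
$headers = ['From' => $params['username'], 'To' => 'recipient@example.com', 'Subject' => 'Contact form'];
$result = $mailer->send('recipient@example.com', $headers, 'Message body');
if (PEAR::isError($result)) {
    // Log the failure server-side; never echo SMTP errors to the visitor.
    error_log('SMTP send failed: ' . $result->getMessage());
}
```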