I have a table that stores google smtp mail information using php and mysql the appearance of this table is as follows
id|email |port |smtpsecure |smtpauth |smtpdebug |host |password |group_id
1 |groupone@gmail.com |465 |ssl |true |0 |smtp.gmail.com |strongpass1 |1
2 |grouptwo@gmail.com |465 |ssl |true |0 |smtp.gmail.com |strongpass2 |2
3 |groupthree@gmail.com|465 |ssl |true |0 |smtp.gmail.com |strongpass3 |3
4 |groupfour@gmail.com |465 |ssl |true |0 |smtp.gmail.com |strongpass4 |4
As you can see the group_id is used to differentiate which mail is coming from which group but the password is in plain text format, which is not secure when one attack the database.
The most useful way to avoid such a situation is to save them in another file outside the web root or to configure the httpd.config file but according to my mechanism it wont works as intended since, The app access smtp mail configuration based on the session and what if we register multiple groups with different mails how can i solve it, anya suggestion please
Put your passwords in a file outside the web root, and load it from your scripts. So if you have a script at /var/www/mysite/webroot/index.php, put your credentials in /var/www/mysite/credentials.php. This way the file is not accessible through the web directly, but your script can load it with:
$credentials = require '../credentials.php`;
You could use many formats for that file, but PHP will work ok, so you would do something like:
<?php
return [
1 => 'strongpass1',
2 => 'strongpass2',
3 => 'strongpass3',
4 => 'strongpass4',
];
This is just emulating what's in the database so that you can look up passwords in the $credentials array.
Whether this is sufficiently secure is a separate matter, but at least it means you have no passwords in the DB, and the file is outside the web root. You could try encrypting the file or the passwords, but then you'll run into the same problem when it comes to keeping the key for that.