I created a contact form and have a security question for this form.

I did some research for my question already, but I want to double-check before I make any mistakes...

Basically, I created my contact form in my code-behind as follows.

In there, I would have to include my email address and my password to get connected to the SMTP server.

I am afraid it's easy to find out my credentials.

Does anybody have a recommendation for how to secure this code? (Or am I dead wrong with this solution anyway?)

Imports System
Imports System.Net
Imports System.Net.Mail
Imports System.Web

Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)

End Sub

Protected Sub Button_Click(ByVal sender As Object, ByVal e As EventArgs)
    Try
        If Page.IsValid Then
            Dim mailMessage As New MailMessage()
            mailMessage.From = New MailAddress("MYEMAILADRESS")
            mailMessage.To.Add("MYEMAILADRESS")
            mailMessage.Subject = txtSubject.Text

            ' Visitor-supplied fields are HTML-encoded before being placed in an
            ' HTML body, otherwise a visitor could inject markup into the message.
            mailMessage.Body = "<b>Sender Name : </b>" & HttpUtility.HtmlEncode(txtName.Text) & "<br/>" &
                               "<b>Sender Email : </b>" & HttpUtility.HtmlEncode(txtEmail.Text) & "<br/>" &
                               "<b>Phone : </b>" & HttpUtility.HtmlEncode(txtPhone.Text) & "<br/>" &
                               "<b>Comments : </b>" & HttpUtility.HtmlEncode(txtComments.Text)

            mailMessage.IsBodyHtml = True

            ' The SMTP account name and password are hard-coded here; this is
            ' the part the question is asking about.
            Dim smtpClient As New SmtpClient("smtp.gmail.com", 587)
            smtpClient.EnableSsl = True
            smtpClient.Credentials = New NetworkCredential("MYEMAILADRESS", "PASSWORD")
            smtpClient.Send(mailMessage)

            Label.Text = "Thank you for contacting us"

            txtName.Enabled = False
            txtEmail.Enabled = False
            txtComments.Enabled = False
            txtSubject.Enabled = False
            txtPhone.Enabled = False
            Button.Enabled = False
        End If
    Catch ex As Exception
        'Log - Event Viewer or table
        System.Diagnostics.Trace.TraceError(ex.ToString())
        ' The visitor only sees a generic message; exception detail stays server-side.
        Label.Text = "There is an unknown problem, please try later"
    End Try
End Sub
Gray
Felix
  • This is server-side; this never gets to your users. Also, consider moving this to a configuration file rather than storing values in code. – Wiktor Zychla Sep 29 '15 at 11:54
  • @WiktorZychla While what you say is true about it being server-side, I could definitely see why someone would be uncomfortable storing important passwords in plaintext. – Gray Sep 29 '15 at 14:57
  • @Gray: sure, encrypting the config file would be my next recommendation, as soon as the OP comments out this somehow. I am not sure they are aware of their credentials being safe from users. – Wiktor Zychla Sep 29 '15 at 16:23
  • thanks a lot for your help! I will do that now! – Felix Sep 29 '15 at 20:15
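Following the comments' advice to move the values out of code, here is the click handler rewritten as an added example; it is not code from the question or from the answer. It assumes the SMTP host, port, SSL flag, user name, password and From address live in Web.config under `<system.net><mailSettings>`, which the parameterless `SmtpClient` and `MailMessage` constructors read on their own, and that an appSettings key named `ContactRecipient` (a name chosen for this example) holds the mailbox the form is delivered to. The control names match the question's markup.

```vbnet
Imports System
Imports System.Configuration
Imports System.Diagnostics
Imports System.Net.Mail
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls

' Added example (not the question's code): the same handler with the SMTP
' credentials taken out of source. Assumptions: Web.config carries a
' <system.net><mailSettings><smtp from="..."><network .../> section, which
' New SmtpClient() and New MailMessage() read, and an appSettings key named
' ContactRecipient (hypothetical name) holds the mailbox that receives the form.
' txtName, txtEmail, txtPhone, txtSubject, txtComments, Label and Button are the
' controls declared in the page's designer file, as in the question.
Partial Public Class Contact
    Inherits Page

    Protected Sub Button_Click(ByVal sender As Object, ByVal e As EventArgs)
        If Not Page.IsValid Then Return

        Try
            Dim recipient As String = ConfigurationManager.AppSettings("ContactRecipient")
            If String.IsNullOrEmpty(recipient) Then
                Throw New ConfigurationErrorsException("ContactRecipient is not configured")
            End If

            Dim mailMessage As New MailMessage()
            ' From is filled in from the <smtp from="..."> attribute; nothing is hard-coded here.
            mailMessage.To.Add(recipient)
            ' Strip CR/LF so a visitor cannot push extra header lines through the subject.
            mailMessage.Subject = txtSubject.Text.Replace(vbCr, " ").Replace(vbLf, " ")
            ' Every field is HTML-encoded before it lands in an HTML body, so a visitor
            ' cannot inject markup into the message the site owner opens.
            mailMessage.Body = BuildHtmlBody(txtName.Text, txtEmail.Text, txtPhone.Text, txtComments.Text)
            mailMessage.IsBodyHtml = True

            ' Host, port, EnableSsl and Credentials all come from Web.config.
            ' Using disposes the client, which sends QUIT to the server.
            Using smtpClient As New SmtpClient()
                smtpClient.Send(mailMessage)
            End Using

            Label.Text = "Thank you for contacting us"
            DisableForm()
        Catch ex As Exception
            ' Log the detail server-side; never echo ex.Message to the visitor.
            Trace.TraceError("Contact form send failed: {0}", ex)
            Label.Text = "There is an unknown problem, please try later"
        End Try
    End Sub

    ' Builds the HTML body with each user-supplied value HTML-encoded.
    Private Shared Function BuildHtmlBody(ByVal name As String, ByVal email As String,
                                          ByVal phone As String, ByVal comments As String) As String
        Return "<b>Sender Name : </b>" & HttpUtility.HtmlEncode(name) & "<br/>" &
               "<b>Sender Email : </b>" & HttpUtility.HtmlEncode(email) & "<br/>" &
               "<b>Phone : </b>" & HttpUtility.HtmlEncode(phone) & "<br/>" &
               "<b>Comments : </b>" & HttpUtility.HtmlEncode(comments)
    End Function

    ' Disable the inputs after a successful send, as the original handler does.
    Private Sub DisableForm()
        For Each ctl As WebControl In New WebControl() {txtName, txtEmail, txtComments, txtSubject, txtPhone, Button}
            ctl.Enabled = False
        Next
    End Sub
End Class
```

With this, nothing secret is compiled into the assembly, so a leaked DLL or a copy of the source repository no longer exposes the mailbox password. Anyone who can read Web.config still can, which is what the answer's encryption step addresses.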

1 Answer

As was alluded to in the comments, you'll want to move a lot of these values to a config file, including your password. Ideally, you will store the credentials in an encrypted format so that if someone steals your config file, they can't access your email.

See this answer for directions on how to encrypt it: Encrypting Web.Config

Detailing how to encrypt/decrypt the file is a bit out of scope for this question, but I think it is the right path for you to go down.

Gray
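The Web.config section the answer is pointing at, as an added example rather than the answer's own text: the plaintext form of the settings, followed by the command that encrypts that section in place. The host, account, recipient and key names are placeholders, and the `ContactRecipient` key is a name chosen for this example.

```xml
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <!-- Hypothetical key: the mailbox that receives contact-form submissions. -->
    <add key="ContactRecipient" value="contact@example.com" />
  </appSettings>
  <system.net>
    <mailSettings>
      <!-- Read automatically by New SmtpClient() and New MailMessage(), so no
           host, port or credential literals remain in the code-behind. -->
      <smtp deliveryMethod="Network" from="contact@example.com">
        <!-- Placeholder credentials for a dedicated sending mailbox.
             The enableSsl attribute on <network> requires .NET Framework 4.0 or later. -->
        <network host="smtp.gmail.com"
                 port="587"
                 enableSsl="true"
                 userName="contact@example.com"
                 password="PLACEHOLDER_PASSWORD" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
```

To encrypt only the `<smtp>` element, run `aspnet_regiis -pef "system.net/mailSettings/smtp" "C:\inetpub\wwwroot\YourSite"` from an elevated Visual Studio developer prompt (or from `%windir%\Microsoft.NET\Framework64\v4.0.30319`); use `-pe "system.net/mailSettings/smtp" -app "/YourSite"` to address the site by its IIS application path instead. The element is replaced by an `<EncryptedData>` block under the default RsaProtectedConfigurationProvider, and `-pdf` or `-pd` reverses it. The application pool identity must be able to read the RSA key container, which `aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\YourPoolName"` grants. Two caveats: the runtime decrypts the section transparently for any code running as that identity, so encryption protects copies of the file (backups, source control, a stray download of Web.config), not an application that has itself been compromised; and the credential should belong to a dedicated sending mailbox used for nothing else, so that a leak does not expose the account the site owner actually works from.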